Make JSON audit logging a configurable option

Remove compile-time setting for generating audit logs as JSON, creating a new config option (SecAuditLogFormat). sec_audit_logger is now a wrapper for sec_audit_logger_json or sec_audit_logger_native. This has the disadvantage of making the audit log generation code harder to maintain, but the logger function itself now is no longer pepper with binary branches.
2025-08-14 13:56:01 +03:00 · 2015-07-18 22:43:10 -07:00 · 2015-07-18 22:43:10 -07:00 · 7a39b4b5b9
commit 7a39b4b5b9
parent dd79bea0b4
5 changed files with 819 additions and 348 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -73,6 +73,7 @@ void *create_directory_config(apr_pool_t *mp, char *path)
    /* audit log variables */
    dcfg->auditlog_flag = NOT_SET;
    dcfg->auditlog_type = NOT_SET;
+    dcfg->auditlog_format = NOT_SET;
    dcfg->max_rule_time = NOT_SET;
    dcfg->auditlog_dirperms = NOT_SET;
    dcfg->auditlog_fileperms = NOT_SET;
@ -503,6 +504,8 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
        merged->auditlog2_fd = parent->auditlog2_fd;
        merged->auditlog2_name = parent->auditlog2_name;
    }
+    merged->auditlog_format = (child->auditlog_format == NOT_SET
+        ? parent->auditlog_format : child->auditlog_format);
    merged->auditlog_storage_dir = (child->auditlog_storage_dir == NOT_SET_P
        ? parent->auditlog_storage_dir : child->auditlog_storage_dir);
    merged->auditlog_parts = (child->auditlog_parts == NOT_SET_P
@ -667,6 +670,7 @@ void init_directory_config(directory_config *dcfg)
    /* audit log variables */
    if (dcfg->auditlog_flag == NOT_SET) dcfg->auditlog_flag = 0;
    if (dcfg->auditlog_type == NOT_SET) dcfg->auditlog_type = AUDITLOG_SERIAL;
+    if (dcfg->auditlog_format == NOT_SET) dcfg->auditlog_format = AUDITLOGFORMAT_NATIVE;
    if (dcfg->max_rule_time == NOT_SET) dcfg->max_rule_time = 0;
    if (dcfg->auditlog_dirperms == NOT_SET) dcfg->auditlog_dirperms = CREATEMODE_DIR;
    if (dcfg->auditlog_fileperms == NOT_SET) dcfg->auditlog_fileperms = CREATEMODE;
@ -1291,6 +1295,21 @@ static const char *cmd_audit_log_type(cmd_parms *cmd, void *_dcfg,
    return NULL;
 }

+static const char *cmd_audit_log_mode(cmd_parms *cmd, void *_dcfg,
+        const char *p1)
+{
+    directory_config *dcfg = _dcfg;
+
+    if (strcasecmp(p1, "JSON") == 0) dcfg->auditlog_format = AUDITLOGFORMAT_JSON;
+    else
+        if (strcasecmp(p1, "Native") == 0) dcfg->auditlog_format = AUDITLOGFORMAT_NATIVE;
+        else
+            return (const char *)apr_psprintf(cmd->pool,
+                    "ModSecurity: Unrecognised parameter value for SecAuditLogFormat: %s", p1);
+
+    return NULL;
+}
+
 static const char *cmd_audit_log_dirmode(cmd_parms *cmd, void *_dcfg,
        const char *p1)
 {
@ -3232,6 +3251,14 @@ const command_rec module_directives[] = {
        "whether to use the old audit log format (Serial) or new (Concurrent)"
    ),

+    AP_INIT_TAKE1 (
+        "SecAuditLogFormat",
+        cmd_audit_log_mode,
+        NULL,
+        CMD_SCOPE_ANY,
+        "whether to emit audit log data in native format or JSON"
+    ),
+
    AP_INIT_TAKE1 (
        "SecAuditLogStorageDir",
        cmd_audit_log_storage_dir,
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@ -519,6 +519,9 @@ struct directory_config {
    /* AUDITLOG_SERIAL (single file) or AUDITLOG_CONCURRENT (multiple files) */
    int                  auditlog_type;

+    /* AUDITLOGFORMAT_NATIVE or AUDITLOGFORMAT_JSON */
+    int                  auditlog_format;
+
    /* Mode for audit log directories and files */
    apr_fileperms_t      auditlog_dirperms;
    apr_fileperms_t      auditlog_fileperms;
--- a/apache2/msc_logging.c
+++ b/apache2/msc_logging.c
--- a/apache2/msc_logging.h
+++ b/apache2/msc_logging.h
@ -22,6 +22,9 @@
 #define AUDITLOG_SERIAL                      0
 #define AUDITLOG_CONCURRENT                  1

+#define AUDITLOGFORMAT_JSON                  0
+#define AUDITLOGFORMAT_NATIVE                1
+
 #define AUDITLOG_PART_FIRST                 'A'
 #define AUDITLOG_PART_HEADER                'A'
 #define AUDITLOG_PART_REQUEST_HEADERS       'B'
--- a/configure.ac
+++ b/configure.ac
@ -275,22 +275,6 @@ if test "$build_docs" -eq 1; then
    TOPLEVEL_SUBDIRS="$TOPLEVEL_SUBDIRS docs"
 fi

-# Add JSON audit logging
-AC_ARG_ENABLE(json-logging,
-				AS_HELP_STRING([--enabled-json-logging],
-								[Enable JSON audit logging.]),
-[
-	if test "$enableval" != "no"; then
-		json_logging='-DWITH_JSON_LOGGING'
-		MODSEC_EXTRA_CFLAGS="$MODSEC_EXTRA_CFLAGS $json_logging"
-	else
-		json_logging=''
-	fi
-],
-[
-	json_logging=''
-])
-
 # Add PCRE Studying

 AC_ARG_ENABLE(pcre-study,
@ -674,7 +658,7 @@ else
  fi
 fi

-MODSEC_EXTRA_CFLAGS="$json_logging $pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type"
+MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type"
 APXS_WRAPPER=build/apxs-wrapper
 APXS_EXTRA_CFLAGS=""
 for f in $EXTRA_CFLAGS; do