General improvements on audit logs information

Making actions: msg, logdata, tag and others to work in the same
fashion that they work on ModSecurity v2.x

src/actions/log_data.cc

@@ -22,6 +22,7 @@
 #include "modsecurity/transaction.h"
 #include "src/utils.h"
 #include "src/macro_expansion.h"
+#include "modsecurity/rule.h"
 
 namespace modsecurity {
 namespace actions {
@@ -35,14 +36,11 @@ LogData::LogData(std::string action)
 
 
 bool LogData::evaluate(Rule *rule, Transaction *transaction) {
-    std::string msg = MacroExpansion::expand(m_data, transaction);
-#ifndef NO_LOGS
-    transaction->debug(9, "Saving msg: " + msg);
-#endif
-    transaction->m_rulesMessages.push_back(msg);
-    transaction->serverLog(msg);
-    return true;
+    std::string data = MacroExpansion::expand(m_data, transaction);
+
+    rule->m_log_data = data;
 }
 
+
 }  // namespace actions
 }  // namespace modsecurity

src/actions/msg.cc

@@ -22,6 +22,25 @@
 #include "modsecurity/transaction.h"
 #include "src/utils.h"
 #include "src/macro_expansion.h"
+#include "modsecurity/rule.h"
+
+/*
+ * Description: Assigns a custom message to the rule or chain in which it
+ * appears. The message will be logged along with every alert.
+ *
+ * Action Group: Meta-data
+ *
+ * Example:
+ * SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"
+ *
+ * Note  : The msg information appears in the error and/or audit log files
+ *         and is not sent back to the client in response headers.
+ *
+ * Note 2: The msg action can appear multiple times in the SecRule, however
+ *         just the last one will be take into consideration.
+ *
+ */
+
 
 namespace modsecurity {
 namespace actions {
@@ -36,13 +55,16 @@ Msg::Msg(std::string action)
 
 bool Msg::evaluate(Rule *rule, Transaction *transaction) {
     std::string msg = MacroExpansion::expand(m_msg, transaction);
+
 #ifndef NO_LOGS
     transaction->debug(9, "Saving msg: " + msg);
 #endif
-    transaction->m_rulesMessages.push_back(msg);
-    transaction->serverLog(msg);
+
+    rule->m_log_message = msg;
+
     return true;
 }
 
+
 }  // namespace actions
 }  // namespace modsecurity

src/actions/tag.cc

@@ -22,6 +22,29 @@
 #include "modsecurity/transaction.h"
 #include "src/utils.h"
 #include "src/macro_expansion.h"
+#include "modsecurity/rule.h"
+
+/**
+ * Description: Assigns a tag (category) to a rule or a chain.
+ *
+ * Action Group: Meta-data
+ *
+ * Example:
+ *
+ * SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
+ *         "phase:2,rev:'2.1.3',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
+ *         {TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+ *
+ *
+ * The tag information appears along with other rule metadata. The
+ * purpose of the tagging mechanism to allow easy automated categorization
+ * of events. Multiple tags can be specified on the same rule. Use forward
+ * slashes to create a hierarchy of categories (as in the example). Since
+ * ModSecurity 2.6.0 tag supports macro expansion.
+ *
+ *
+ */
+
 
 namespace modsecurity {
 namespace actions {
@@ -39,7 +62,7 @@ bool Tag::evaluate(Rule *rule, Transaction *transaction) {
 #ifndef NO_LOGS
     transaction->debug(9, "Rule tag: " + tag);
 #endif
-    transaction->m_ruleTags.push_back(tag);
+    rule->m_tags.push_back(tag);
     return true;
 }