Changes the saving selection for the audit logs

headers/modsecurity/rule_message.h

@@ -47,6 +47,7 @@ class RuleMessage {
         m_maturity(rule->m_maturity),
         m_rule(rule),
         m_saveMessage(false),
+        m_noAuditLog(false),
         m_match(std::string(""))
     { }
 
@@ -70,6 +71,7 @@ class RuleMessage {
     std::list<std::string> m_tags;
     std::list<std::string> m_server_logs;
 
+    bool m_noAuditLog;
     Rule *m_rule;
     bool m_saveMessage;
 };

headers/modsecurity/transaction.h

@@ -165,25 +165,6 @@ class Transaction {
     std::string toOldAuditLogFormatIndex(const std::string &filename,
         double size, const std::string &md5);
 
-
-    /**
-     * This variable is basically set by the `autidlog' action. It means
-     * that this particular transaction was marked to be saved as part of
-     * the auditlogs, even if it is not originally classified to be saved
-     * by `SecAuditLogRelevantStatus'.
-     */
-    bool m_toBeSavedInAuditlogs;
-
-    /**
-     * Set by `noauditlog' action, it means that this particular should
-     * not be saved. Regardless of `SecAuditLogRelevantStatus'.
-     *
-     * @note It is possible to have `auditlog' and `noauditlog' actions
-     * 		 in a same rule, in that case prevails the last input.
-     */
-    bool m_toNotBeSavedInAuditLogs;
-
-
     /**
      * Filled during the class instantiation, this variable can be later
      * used to fill the SecRule variable `duration'. The variable `duration'

src/actions/audit_log.cc

@@ -19,13 +19,15 @@
 #include <string>
 
 #include "modsecurity/transaction.h"
+#include "modsecurity/rule_message.h"
 
 namespace modsecurity {
 namespace actions {
 
 
-bool AuditLog::evaluate(Rule *rule, Transaction *transaction) {
-    transaction->m_toBeSavedInAuditlogs = true;
+bool AuditLog::evaluate(Rule *rule, Transaction *transaction,
+    RuleMessage *rm) {
+    rm->m_noAuditLog = false;
     return true;
 }
 

src/actions/audit_log.h

@@ -34,7 +34,8 @@ class AuditLog : public Action {
     explicit AuditLog(std::string action)
         : Action(action, RunTimeOnlyIfMatchKind) { }
 
-    bool evaluate(Rule *rule, Transaction *transaction) override;
+    bool evaluate(Rule *rule, Transaction *transaction,
+        RuleMessage *rm) override;
 };
 
 

src/actions/no_audit_log.cc

@@ -19,13 +19,16 @@
 #include <string>
 
 #include "modsecurity/transaction.h"
+#include "modsecurity/rule.h"
+#include "modsecurity/rule_message.h"
 
 namespace modsecurity {
 namespace actions {
 
 
-bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction) {
-    transaction->m_toNotBeSavedInAuditLogs = true;
+bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction,
+    RuleMessage *rm) {
+    rm->m_noAuditLog = true;
     return true;
 }
 

src/actions/no_audit_log.h

@@ -34,7 +34,8 @@ class NoAuditLog : public Action {
     explicit NoAuditLog(std::string action)
         : Action(action, RunTimeOnlyIfMatchKind) { }
 
-    bool evaluate(Rule *rule, Transaction *transaction) override;
+    bool evaluate(Rule *rule, Transaction *transaction,
+        RuleMessage *rm) override;
 };
 
 }  // namespace actions

src/audit_log/audit_log.cc

@@ -21,6 +21,7 @@
 
 #include <fstream>
 
+#include "modsecurity/rule_message.h"
 #include "src/audit_log/writer/https.h"
 #include "src/audit_log/writer/parallel.h"
 #include "src/audit_log/writer/serial.h"
@@ -244,6 +245,7 @@ bool AuditLog::isRelevant(int status) {
         return false;
     }
 
+
     if (sstatus.empty()) {
         return true;
     }
@@ -259,13 +261,21 @@ bool AuditLog::saveIfRelevant(Transaction *transaction) {
 
 
 bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
+    bool saveAnyway = false;
     if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
         return true;
     }
 
+    for (RuleMessage &i : transaction->m_rulesMessages) {
+        if (i.m_noAuditLog == false) {
+            saveAnyway = true;
+            break;
+        }
+    }
+
     if ((m_status == RelevantOnlyAuditLogStatus
-        && this->isRelevant(transaction->m_httpCodeReturned) == false
-        && transaction->m_toBeSavedInAuditlogs == false)) {
+        && this->isRelevant(transaction->m_httpCodeReturned) == false)
+        && saveAnyway == false) {
         transaction->debug(5, "Return code `" +
             std::to_string(transaction->m_httpCodeReturned) + "'" \
             " is not interesting to audit logs, relevant code(s): `" +
@@ -274,17 +284,6 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
         return false;
     }
 
-    /**
-     * Even if it is relevant, if it is marked not to be save,
-     * we won't save it.
-     *
-     */
-    if (transaction->m_toNotBeSavedInAuditLogs == true) {
-        transaction->debug(5, "This request was marked to not " \
-            "be saved in the audit logs.");
-        return false;
-    }
-
     if (parts == -1) {
         parts = m_parts;
     }

src/rule.cc

@@ -623,6 +623,7 @@ end_exec:
     for (const auto &u : ruleMessage.m_server_logs) {
         trasn->serverLog(u);
     }
+
     if (ruleMessage.m_server_logs.size() > 0) {
         trasn->m_rulesMessages.push_back(ruleMessage);
     }

src/transaction.cc

@@ -106,8 +106,6 @@ Transaction::Transaction(ModSecurity *ms, Rules *rules, void *logCbData)
     m_method(""),
     m_httpVersion(""),
     m_rules(rules),
-    m_toBeSavedInAuditlogs(false),
-    m_toNotBeSavedInAuditLogs(false),
     m_timeStamp(std::time(NULL)),
     m_httpCodeReturned(200),
     m_highestSeverityAction(255),
@@ -1262,12 +1260,6 @@ int Transaction::processLogging() {
                 }
             }
         }
-#ifndef NO_LOGS
-        if (m_toBeSavedInAuditlogs) {
-            debug(8, "This request was marked to be " \
-                "saved via auditlog action.");
-        }
-#endif
         debug(8, "Checking if this request is relevant to be " \
             "part of the audit logs.");
         bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, parts);