Update docker-compose.yaml

components/nginx_message_reader/nginx_message_reader.cc

@@ -50,28 +50,6 @@ static const boost::regex error_log_regex(
     ", (upstream: \".+?\")"
     ", (host: \".+?\")$"
 );
-// Generic regexes for fallback parsing
-static const boost::regex generic_crit_log_regex(
-    "("
-    + syslog_regex_string + ") "
-    + "(?:\\d{4}/\\d{2}/\\d{2} \\d{2}:\\d{2}:\\d{2} )?"  // Optional nginx timestamp
-    + "\\[crit\\] (.+)$"
-);
-
-static const boost::regex generic_emerg_log_regex(
-    "("
-    + syslog_regex_string + ") "
-    + "(?:\\d{4}/\\d{2}/\\d{2} \\d{2}:\\d{2}:\\d{2} )?"  // Optional nginx timestamp
-    + "\\[emerg\\] (.+)$"
-);
-
-// Generic regex to extract time, log level and message for fallback parsing
-static const boost::regex generic_fallback_log_regex(
-    "("
-    + syslog_regex_string + ") "
-    + "(?:\\d{4}/\\d{2}/\\d{2} \\d{2}:\\d{2}:\\d{2} )?"  // Optional nginx timestamp
-    + "\\[(\\w+)\\] (.+)$"
-);
 
 static const boost::regex server_regex("(\\d+\\.\\d+\\.\\d+\\.\\d+)|(\\w+\\.\\w+)");
 static const boost::regex uri_regex("^/");
@@ -79,9 +57,6 @@ static const boost::regex port_regex("\\d+");
 static const boost::regex response_code_regex("[0-9]{3}");
 static const boost::regex http_method_regex("[A-Za-z]+");
 
-static const string central_nginx_manager = "Central NGINX Manager";
-static const string reverse_proxe = "Reverse Proxy";
-
 class NginxMessageReader::Impl
 {
 public:
@@ -89,16 +64,6 @@ public:
     init()
     {
         dbgFlow(D_NGINX_MESSAGE_READER);
-
-        if (Singleton::exists<I_Environment>()) {
-            auto name = Singleton::Consume<I_Environment>::by<Report>()->get<string>("Service Name");
-            if (name.ok()) 
-            {
-                dbgInfo(D_NGINX_MESSAGE_READER) << "Service name: " << *name;
-                service_name = *name;
-            }
-        }
-
         I_MainLoop *mainloop = Singleton::Consume<I_MainLoop>::by<NginxMessageReader>();
         mainloop->addOneTimeRoutine(
             I_MainLoop::RoutineType::System,
@@ -152,12 +117,6 @@ private:
         COUNT
     };
 
-    struct GenericLogInfo {
-        string timestamp;
-        string severity;
-        string message;
-    };
-
     void
     initSyslogServerSocket()
     {
@@ -216,10 +175,10 @@ private:
                 bool log_sent;
                 if (isAccessLog(log)) {
                     log_sent = sendAccessLog(log);
-                } else if (isAlertErrorLog(log) || isErrorLog(log) || isCritErrorLog(log) || isEmergErrorLog(log)) {
+                } else if (isAlertErrorLog(log) || isErrorLog(log)) {
                     log_sent = sendErrorLog(log);
                 } else {
-                    dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format for message: "<< log;
+                    dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
                     continue;
                 }
                 if (!log_sent) {
@@ -263,22 +222,13 @@ private:
     {
         dbgFlow(D_NGINX_MESSAGE_READER) << "Error log" << log;
         Maybe<EnumArray<LogInfo, string>> log_info = parseErrorLog(log);
-        if (log_info.ok()) {
+        if (!log_info.ok()) {
-            return sendLog(log_info.unpack());
+            dbgWarning(D_NGINX_MESSAGE_READER)
+                << "Failed parsing the NGINX logs. Error: "
+                << log_info.getErr();
+            return false;
         }
-
+        return sendLog(log_info.unpack());
-        if (service_name == central_nginx_manager) {
-            dbgDebug(D_NGINX_MESSAGE_READER) << "Detailed parsing failed, trying generic parsing";
-            Maybe<GenericLogInfo> generic_log = parseGenericErrorLog(log);
-            if (generic_log.ok()) {
-                return sendGenericLog(generic_log.unpack());
-            }
-        }
-
-        dbgWarning(D_NGINX_MESSAGE_READER)
-            << "Failed parsing the NGINX logs. Error: "
-            << log_info.getErr();
-        return false;
     }
 
     bool
@@ -303,45 +253,7 @@ private:
     }
 
     bool
-    isCritErrorLog(const string &log) const
+    sendLog(const EnumArray<LogInfo, string> &log_info)
-    {
-        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'crit log'. Log: " << log;
-        return log.find("[crit]") != string::npos;
-    }
-
-    bool
-    isEmergErrorLog(const string &log) const
-    {
-        dbgFlow(D_NGINX_MESSAGE_READER) << "Check if log is of type 'emerg log'. Log: " << log;
-        return log.find("[emerg]") != string::npos;
-    }
-
-    string
-    getCNMEventName(const EnumArray<LogInfo, string> &log_info) const
-    {
-        dbgFlow(D_NGINX_MESSAGE_READER);
-        string event_name;
-        switch (log_info[LogInfo::RESPONSE_CODE][0]) {
-            case '4': {
-                event_name = "NGINX Proxy Error: Invalid request or incorrect NGINX configuration - Request dropped."
-                " Please check the reverse proxy configuration of your relevant assets";
-                break;
-            }
-            case '5': {
-                event_name = "NGINX Proxy Error: Request failed! Please verify your proxy configuration."
-                "If the issue persists please contact open-appsec support";
-                break;
-            }
-            default: {
-                dbgError(D_NGINX_MESSAGE_READER) << "Irrelevant status code";
-                return "";
-            }
-        }
-        return event_name;
-    }
-
-    string
-    getRPMEventName(const EnumArray<LogInfo, string> &log_info) const
     {
         dbgFlow(D_NGINX_MESSAGE_READER);
         string event_name;
@@ -359,45 +271,9 @@ private:
             }
             default: {
                 dbgError(D_NGINX_MESSAGE_READER) << "Irrelevant status code";
-                return "";
+                return false;
             }
         }
-        return event_name;
-    }
-
-    string 
-    getServiceName()
-    {
-        string service_name = "Unnamed Nano Service";
-        if (Singleton::exists<I_Environment>()) {
-            auto name = Singleton::Consume<I_Environment>::by<Report>()->get<string>("Service Name");
-            if (name.ok()) return *name;
-        }
-        return service_name;
-    }
-
-    string getEventName(const EnumArray<LogInfo, string> &log_info)
-    {
-        if (service_name == central_nginx_manager)
-        {
-            return getCNMEventName(log_info);
-        }
-
-        if (service_name != reverse_proxe)
-        {
-            dbgWarning(D_NGINX_MESSAGE_READER) 
-                << "Unknown service name: "
-                << service_name
-                << " Response will be sent as RPM";
-        }
-        return getRPMEventName(log_info);
-    }
-
-    bool
-    sendLog(const EnumArray<LogInfo, string> &log_info)
-    {
-        dbgFlow(D_NGINX_MESSAGE_READER);
-        string event_name = getEventName(log_info);
 
         dbgTrace(D_NGINX_MESSAGE_READER)
             << "Nginx log's event name and response code: "
@@ -407,11 +283,9 @@ private:
         LogGen log(
             event_name,
             ReportIS::Audience::SECURITY,
-            ReportIS::Severity::HIGH,
+            ReportIS::Severity::INFO,
             ReportIS::Priority::LOW,
-            service_name == central_nginx_manager ?
+            ReportIS::Tags::REVERSE_PROXY
-                ReportIS::Tags::CENTRAL_NGINX_MANAGER :
-                ReportIS::Tags::REVERSE_PROXY
         );
         log << LogField("eventConfidence", "High");
 
@@ -439,47 +313,6 @@ private:
         return true;
     }
 
-    bool
-    sendGenericLog(const GenericLogInfo &log_info)
-    {
-        dbgFlow(D_NGINX_MESSAGE_READER) << "Sending generic log";
-        
-        // check with christoper
-        string event_name = "NGINX Proxy Error: Request failed! Please verify your proxy configuration."
-                "If the issue persists please contact open-appsec support";
-        
-        // Convert string severity to ReportIS::Severity
-        ReportIS::Severity severity = ReportIS::Severity::MEDIUM;
-        ReportIS::Priority priority = ReportIS::Priority::MEDIUM;
-        if (log_info.severity == "emerg" || log_info.severity == "crit") {
-            severity = ReportIS::Severity::CRITICAL;
-            priority = ReportIS::Priority::URGENT;
-        } else if (log_info.severity == "error" || log_info.severity == "alert") {
-            severity = ReportIS::Severity::HIGH;
-            priority = ReportIS::Priority::HIGH;
-        }
-        
-        LogGen log(
-            event_name,
-            ReportIS::Audience::SECURITY,
-            severity,
-            priority,
-            ReportIS::Tags::CENTRAL_NGINX_MANAGER
-        );
-        
-        log << LogField("eventConfidence", "High");
-        log << LogField("timestamp", log_info.timestamp);
-        log << LogField("httpResponseBody", formatGenericLogMessage(log_info));
-        
-        return true;
-    }
-
-    string
-    formatGenericLogMessage(const GenericLogInfo &log_info)
-    {
-        return "[" + log_info.severity + "] " + log_info.message;
-    }
-
     bool
     sendRateLimitLog(const EnumArray<LogInfo, string> &log_info)
     {
@@ -698,48 +531,6 @@ private:
         log_info[LogInfo::RULE_NAME] = context.getRuleName();
     }
 
-    Maybe<GenericLogInfo>
-    parseGenericErrorLog(const string &log_line)
-    {
-        dbgFlow(D_NGINX_MESSAGE_READER) << "Parsing generic error log: " << log_line;
-        
-        boost::smatch matcher;
-        GenericLogInfo generic_log;
-        
-        if (isCritErrorLog(log_line)) {
-            if (NGEN::Regex::regexSearch(__FILE__, __LINE__, log_line, matcher, generic_crit_log_regex)) {
-                const int timestamp_index = 2;  // Timestamp from within syslog_regex_string
-                const int message_index = 5;    // The captured message after [crit]
-                generic_log.timestamp = string(matcher[timestamp_index].first, matcher[timestamp_index].second);
-                generic_log.severity = "crit";
-                generic_log.message = string(matcher[message_index].first, matcher[message_index].second);
-                return generic_log;
-            }
-        } else if (isEmergErrorLog(log_line)) {
-            if (NGEN::Regex::regexSearch(__FILE__, __LINE__, log_line, matcher, generic_emerg_log_regex)) {
-                const int timestamp_index = 2;  // Timestamp from within syslog_regex_string
-                const int message_index = 5;    // The captured message after [emerg]
-                generic_log.timestamp = string(matcher[timestamp_index].first, matcher[timestamp_index].second);
-                generic_log.severity = "emerg";
-                generic_log.message = string(matcher[message_index].first, matcher[message_index].second);
-                return generic_log;
-            }
-        }
-        
-        if (NGEN::Regex::regexSearch(__FILE__, __LINE__, log_line, matcher, generic_fallback_log_regex)) {
-            const int timestamp_index = 2;  // Timestamp from within syslog_regex_string
-            const int severity_index = 5;   // The captured severity level
-            const int message_index = 6;    // The captured message
-            generic_log.timestamp = string(matcher[timestamp_index].first, matcher[timestamp_index].second);
-            generic_log.severity = string(matcher[severity_index].first, matcher[severity_index].second);
-            generic_log.message = string(matcher[message_index].first, matcher[message_index].second);
-            return generic_log;
-        }
-        
-        dbgWarning(D_NGINX_MESSAGE_READER) << "Could not parse log with generic method: " << log_line;
-        return genError("Could not parse log with generic method");
-    }
-
     Maybe<EnumArray<LogInfo, string>>
     parseErrorLog(const string &log_line)
     {
@@ -749,29 +540,17 @@ private:
 
         boost::smatch matcher;
         vector<string> result;
-        boost::regex selected_regex;
-        
-        // Select appropriate regex based on log type
-        if (isAlertErrorLog(log_line)) {
-            selected_regex = alert_log_regex;
-        } else if (isErrorLog(log_line)) {
-            selected_regex = error_log_regex;
-        } else {
-            dbgWarning(D_NGINX_MESSAGE_READER) << "No matching log type found for log: " << log_line;
-            return genError("No matching log type found");
-        }
-
         if (
             !NGEN::Regex::regexSearch(
                 __FILE__,
                 __LINE__,
                 log_line,
                 matcher,
-                selected_regex
+                isAlertErrorLog(log_line) ? alert_log_regex : error_log_regex
             )
         ) {
-            dbgWarning(D_NGINX_MESSAGE_READER) << "Detailed regex parsing failed for log: " << log_line;
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
-            return genError("Detailed regex parsing failed");
+            return genError("Unexpected nginx log format");
         }
 
         const int event_message_index = 6;
@@ -812,8 +591,8 @@ private:
         addContextFieldsToLogInfo(log_info);
 
         if (!validateLog(log_info)) {
-            dbgWarning(D_NGINX_MESSAGE_READER) << "Log validation failed for detailed parsing";
+            dbgWarning(D_NGINX_MESSAGE_READER) << "Unexpected nginx log format";
-            return genError("Log validation failed for detailed parsing");
+            return genError("Unexpected nginx log format");
         }
 
         return log_info;
@@ -931,7 +710,6 @@ private:
 
     I_Socket::socketFd syslog_server_socket = -1;
     string rate_limit_status_code = "429";
-    string service_name = "Unnamed Nano Service";
 };
 
 NginxMessageReader::NginxMessageReader() : Component("NginxMessageReader"), pimpl(make_unique<Impl>()) {}

components/security_apps/central_nginx_manager/central_nginx_manager.cc

@@ -179,10 +179,10 @@ private:
     Maybe<void>
     configureSyslog()
     {
-        // if (!getProfileAgentSettingWithDefault<bool>(false, "centralNginxManagement.syslogEnabled")) {
+        if (!getProfileAgentSettingWithDefault<bool>(false, "centralNginxManagement.syslogEnabled")) {
-        //     dbgTrace(D_NGINX_MANAGER) << "Syslog is disabled via settings";
+            dbgTrace(D_NGINX_MANAGER) << "Syslog is disabled via settings";
-        //     return {};
+            return {};
-        // }
+        }
 
         string syslog_directive = "error_log syslog:server=127.0.0.1:1514 warn;";
         auto load_shared_directive_result = loadSharedDirective(syslog_directive);

core/include/services_sdk/resources/report/report_enums.h

@@ -71,7 +71,6 @@ enum class Tags {
     DEPLOYMENT_DOCKER,
     WEB_SERVER_SWAG,
     WEB_SERVER_NGINX_UNIFIED,
-    CENTRAL_NGINX_MANAGER,
 
     COUNT
 };

deployment/docker-compose/apisix/docker-compose.yaml

@@ -29,7 +29,7 @@ services:
       - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
       - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
       - registered_server=APISIX
-    ipc: shareable
+    ipc: host
     restart: unless-stopped
     volumes:
       - ${APPSEC_CONFIG}:/etc/cp/conf
@@ -41,7 +41,7 @@ services:
   appsec-apisix:
     image: ghcr.io/openappsec/apisix-attachment:${APPSEC_VERSION}
     container_name: appsec-apisix
-    ipc: service:appsec-agent
+    ipc: host
     restart: always
     environment:
       - APISIX_STAND_ALONE=true
@@ -69,7 +69,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent
+    ipc: host
     restart: always
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

deployment/docker-compose/envoy/docker-compose.yaml

@@ -29,7 +29,7 @@ services:
       - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
       - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
       - registered_server="Envoy"
-    ipc: shareable
+    ipc: host
     restart: unless-stopped
     volumes:
       - ${APPSEC_CONFIG}:/etc/cp/conf
@@ -41,7 +41,7 @@ services:
   appsec-envoy:
     image: ghcr.io/openappsec/envoy-attachment:${APPSEC_VERSION}
     container_name: appsec-envoy
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
     environment:
       - ENVOY_UID=0
@@ -75,7 +75,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

deployment/docker-compose/kong/docker-compose.yaml

@@ -29,7 +29,7 @@ services:
       - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
       - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
       - registered_server=Kong
-    ipc: shareable
+    ipc: host
     restart: unless-stopped
     volumes:
       - ${APPSEC_CONFIG}:/etc/cp/conf
@@ -41,7 +41,7 @@ services:
   appsec-kong:
     image: ghcr.io/openappsec/${KONG_IMAGE}:${APPSEC_VERSION}
     container_name: appsec-kong
-    ipc: service:appsec-agent
+    ipc: host
 ## This docker compose deploys Kong in DB-less mode with declarative Kong configuration
 ## please make sure to have a valid config present in {KONG_CONFIG}:
     environment:
@@ -72,7 +72,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

deployment/docker-compose/nginx-proxy-manager-centrally-managed/docker-compose.yaml

@@ -22,7 +22,7 @@ services:
   appsec-agent:
     image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
     container_name: appsec-agent
-    ipc: shareable
+    ipc: host
     restart: unless-stopped
     environment:
       - SHARED_STORAGE_HOST=appsec-shared-storage
@@ -43,7 +43,7 @@ services:
   appsec-nginx-proxy-manager:
     container_name: appsec-nginx-proxy-manager
     image: ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:${APPSEC_VERSION}
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
     ports:
       - 80:80 # Public HTTP Port
@@ -69,7 +69,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

deployment/docker-compose/nginx-proxy-manager/docker-compose.yaml

@@ -22,7 +22,7 @@ services:
   appsec-agent:
     image: ghcr.io/openappsec/agent:${APPSEC_VERSION}
     container_name: appsec-agent
-    ipc: service:appsec-nginx-proxy-manager
+    ipc: host
     network_mode: service:appsec-nginx-proxy-manager
     restart: unless-stopped
     environment:
@@ -44,7 +44,7 @@ services:
   appsec-nginx-proxy-manager:
     container_name: appsec-nginx-proxy-manager
     image: ghcr.io/openappsec/nginx-proxy-manager-attachment:${APPSEC_VERSION}
-    ipc: shareable
+    ipc: host
     restart: unless-stopped
     ports:
       - 80:80 # Public HTTP Port
@@ -72,7 +72,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

deployment/docker-compose/nginx-unified/docker-compose.yaml

@@ -29,7 +29,7 @@ services:
       - user_email=${APPSEC_USER_EMAIL}
       - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
       - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
-    ipc: shareable
+    ipc: host
     volumes:
       - ${APPSEC_CONFIG}:/etc/cp/conf
       - ${APPSEC_DATA}:/etc/cp/data
@@ -62,7 +62,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent-nginx-unified
+    ipc: host
     restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

deployment/docker-compose/nginx/docker-compose.yaml

@@ -29,7 +29,7 @@ services:
       - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
       - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
       - registered_server="NGINX"
-    ipc: shareable
+    ipc: host
     restart: unless-stopped
     volumes:
       - ${APPSEC_CONFIG}:/etc/cp/conf
@@ -42,7 +42,7 @@ services:
   appsec-nginx:
     image: ghcr.io/openappsec/nginx-attachment:${APPSEC_VERSION}
     container_name: appsec-nginx
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
     volumes:
       - ${NGINX_CONFIG}:/etc/nginx/conf.d
@@ -74,7 +74,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db

deployment/docker-compose/swag/docker-compose.yaml

@@ -30,7 +30,7 @@ services:
       - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
       - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
       - registered_server=SWAG
-    ipc: shareable
+    ipc: host
     volumes:
       - ${APPSEC_CONFIG}:/etc/cp/conf
       - ${APPSEC_DATA}:/etc/cp/data
@@ -41,7 +41,7 @@ services:
   appsec-swag:
     image: ghcr.io/openappsec/swag-attachment:latest
     container_name: appsec-swag
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
     cap_add:
       - NET_ADMIN
@@ -83,7 +83,7 @@ services:
       - standalone
     image: ghcr.io/openappsec/smartsync-shared-files:${APPSEC_VERSION}
     container_name: appsec-shared-storage
-    ipc: service:appsec-agent
+    ipc: host
     restart: unless-stopped
 ## if you do not want to run this container as "root" user you can comment it out and instead run the below command after the deployment
 ## docker exec -u root appsec-shared-storage chown -R appuser:appuser /db