mlogc can't parse entry · Issue #2682 · owasp-modsecurity/ModSecurity

Hello,

I have Apache 2.4.52 x64 from apachelounge.com with mod_security 2.9.5 (CRS 3.3.2), both of them compiled with PCRE 8.45.

I get "Invalid entry (failed to match regex)" when trying to use mlogc.

I'm not even gonna pretend I can eval this regex:
https://github.com/SpiderLabs/ModSecurity/blob/a06d8f8ce74d423885a1f09a74c060bb21dd7485/apache2/mlogc-src/mlogc.c#L97

Here is my httpd.conf:
SecRuleEngine On
SecDataDir /tmp
Include conf/owasp-modsecurity-crs/crs-setup.conf
Include conf/owasp-modsecurity-crs/rules/*.conf
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^2-5
SecAuditLogParts ABCDEFGHZ
SecAuditLogType Serial
SecAuditLog "|bin/mlogc.exe conf/mlogc.conf"

and my mlogc.conf:
CollectorRoot "C:/APACHE/logs"
ConsoleURI "https://127.0.0.1:9000/rpc/auditLogReceiver"
SensorUsername "test"
SensorPassword "testtest"
LogStorageDir "data"
TransactionLog "mlogc-transaction.log"
QueuePath "mlogc-queue.log"
ErrorLog "mlogc-error.log"
LockFile "mlogc.lck"
KeepEntries 0
ErrorLogLevel 2
MaxConnections 10
MaxWorkerRequests 1000
TransactionDelay 50
StartupDelay 5000
CheckpointInterval 15
ServerErrorTimeout 60

I tried with different values for SecAuditLogParts but it did not seem to help.

Log here:
https://bojinov.info/mlogc-error.log

Steps to reproduce the behavior:

A curl command line that mimics the original request and reproduces the problem
https://x.x.x.x/aphpfilethatdonotexist.php?something=../../etc

What am I doing wrong?

Momchil