Update modsecurity.yaml to expect 'client:' OR 'remote:' in APACHEERRORPREFIX2: #1038
Comments
Hey @Staene could you provide some example log lines so we can add some tests? You can redact any PII information as needed
Perfect! Thank you, I will update the tests shortly and issue an update to the official parser 🦙
Awesome. Thanks!! Since you're here, wanted to point you here: "Bouncer gets LAPI delete decisions but doesn't actually delete them from Cloudflare #34". You said on Discord you'd tag it. If you haven't had a chance, that's the error I was referring to a week or two ago. Again, thank you!
Yeah, we got a 2 hour slot next week to go over the issue and allocate some resources to get the remediation back up to scratch. Apologies for the delay in communication over the matter; rest assured we want to resolve the issues.
No worries. Thanks so much!
Describe the bug
In updating from AlmaLinux 9.3 to 9.4, Apache and a number of its modules were also updated. The Apache log format slightly changed, breaking both Fail2Ban and CrowdSec's modsecurity parsing. In my setup, the first iteration of [client: ...] in the logs was changed to [remote: ...]. Fail2Ban implemented a fix for this 3 months ago and I suggest that CrowdSec's modsecurity.yaml be edited to allow what is currently the first reference of [client: ...] to be either [client: ...] or [remote: ...] in APACHEERRORPREFIX2:
To Reproduce
Update Apache httpd to 2.4.57-8 as part of upgrading AlmaLinux 9.3 to AlmaLinux 9.4.
Expected behavior
I expected the Apache log format to stay consistent and for CrowdSec's modsecurity parser to continue to parse Apache error logs successfully.
Additional context
Editing the APACHEERRORPREFIX2: line in modsecurity.yaml, changing the first reference of [client: ...] to [remote: ...] fixed my problem.
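
The failure mode reported in this issue, as an added example (not CrowdSec's grok pattern and not code from the thread): a strict regex that only knows `client` silently drops the new lines, while one accepting `client` or `remote` in the first address field parses both. The sample lines, the assumed field layout and all names (`STRICT`, `TOLERANT`, `parse`, `unparsed`) are constructed for illustration.

```python
import re

# Constructed sample lines (not from the issue). Assumed layout: Apache 2.4
# error-log prefix with "address:port", then ModSecurity's own "[client IP]"
# field and message.
OLD_LINE = ('[Tue May 07 10:15:02.123456 2024] [security2:error] '
            '[pid 1234:tid 5678] [client 203.0.113.7:51514] '
            '[client 203.0.113.7] ModSecurity: Access denied with code 403 '
            '(phase 2). [hostname "example.test"]')
# Same event as logged after the httpd update: only the first tag changes.
NEW_LINE = OLD_LINE.replace('[client 203.0.113.7:51514]',
                            '[remote 203.0.113.7:51514]', 1)

# Shared prefix: timestamp, module:level, pid and optional tid.
PREFIX = (r'^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] '
          r'\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] ')
# Address field body: IP, mandatory port, then the rest of the line.
ADDR = r'(?P<ip>[^\]\s]+?):(?P<port>\d+)\] (?P<msg>.*)$'

# Pre-update expectation: the first address field is always tagged "client".
STRICT = re.compile(PREFIX + r'\[client ' + ADDR)
# Tolerant form: accept either tag in the first address field only.
TOLERANT = re.compile(PREFIX + r'\[(?P<kind>client|remote) ' + ADDR)


def parse(line, pattern=TOLERANT):
    """Return the named fields of one error-log line, or None if unparsed."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def unparsed(lines, pattern):
    """Lines the pattern misses; any hit means events never reach detection."""
    return [line for line in lines if parse(line, pattern) is None]


if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("tolerant", TOLERANT)):
        missed = unparsed([OLD_LINE, NEW_LINE], pat)
        print(f"{name}: {len(missed)} of 2 lines unparsed")
```

Running a check like `unparsed` over a sample of fresh error-log lines after a package update surfaces this kind of silent parsing gap before blocking decisions stop being issued.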