diff --git a/configmap.tf b/configmap.tf index 2ab9ee7..40ff2d9 100644 --- a/configmap.tf +++ b/configmap.tf @@ -39,6 +39,21 @@ resource "kubernetes_config_map" "fluent-bit-config" { Storage.type filesystem Storage.pause_on_chunks_overlimit True + [INPUT] + Name tail + Alias modsec_nginx_ingress_debug + Tag cp-ingress-modsec-debug.* + Path /var/log/debug/**/**/* + Parser docker + Refresh_Interval 5 + Buffer_Max_Size 5MB + Buffer_Chunk_Size 1M + Offset_Key pause_position_modsec-debug + DB cp-ingress-modsec-debug.db + DB.locking true + Storage.type filesystem + Storage.pause_on_chunks_overlimit True + [INPUT] Name tail Alias modsec_nginx_ingress_stdout @@ -94,6 +109,20 @@ resource "kubernetes_config_map" "fluent-bit-config" { Reserve_Data On Preserve_Key On + [FILTER] + Name lua + Match cp-ingress-modsec-debug.* + script /fluent-bit/scripts/cb_extract_tag_value.lua + call cb_extract_tag_value + + [FILTER] + Name parser + Parser generic-json + Match cp-ingress-modsec-debug.* + Key_Name log + Reserve_Data On + Preserve_Key On + [OUTPUT] Name opensearch Alias modsec_nginx_ingress_audit @@ -257,6 +286,24 @@ resource "kubernetes_config_map" "logrotate_config" { copytruncate maxage 1 } + + /var/log/debug/**/**/* { + hourly + rotate 0 + missingok + maxage 1 + } + + /var/log/debug/*.log { + su root 82 + hourly + rotate 2 + missingok + compress + delaycompress + copytruncate + maxage 1 + } EOT } diff --git a/templates/modsecurity.conf b/templates/modsecurity.conf index 95eb15b..a91b202 100644 --- a/templates/modsecurity.conf +++ b/templates/modsecurity.conf @@ -214,8 +214,8 @@ SecDataDir /tmp/ # The default debug log configuration is to duplicate the error, warning # and notice messages from the error log. # -#SecDebugLog /opt/modsecurity/var/log/debug.log -#SecDebugLogLevel 3 +SecDebugLog /var/log/debug/debug.log +SecDebugLogLevel 0 # -- Audit log configuration ------------------------------------------------- 
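Review bot: The tail `Path /var/log/debug/**/**/*` in the new `modsec_nginx_ingress_debug` input will most likely never match the file ModSecurity is told to write: this same diff sets `SecDebugLog /var/log/debug/debug.log`, a single flat file, while Fluent Bit's tail input (as far as I know) expands the path with glob(3) semantics where `**` is just `*`, so the pattern only matches entries three levels below `/var/log/debug/`. The path should be `Path /var/log/debug/*.log`, which also lines up with the `/var/log/debug/*.log` logrotate stanza added later in this commit. `Parser docker` also looks carried over from the container-stdout input: the ModSecurity debug log is plain text rather than Docker JSON, so the parser will fail on every line and the raw line is forwarded under `log` (harmless but wasteful, and worth either removing or annotating with `# plain-text log; no line parser`). The enclosing `kubernetes_config_map` heredoc starts and ends outside the hunk.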
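Review bot: No `[OUTPUT]` whose `Match` covers `cp-ingress-modsec-debug.*` is added alongside these two filters, so unless the existing opensearch output's `Match` (outside the hunk) is a wildcard that already covers this tag, the debug records are filtered and then silently discarded. If a dedicated output is intended it should be a separate `[OUTPUT]` block with its own alias and index, because a debug log at higher `SecDebugLogLevel` values can be both far more voluminous and more sensitive than the audit log and should not inherit the audit index's retention and access settings. The `generic-json` parser on `log` will not match plain-text debug lines either; with `Reserve_Data On` the record survives unchanged, which is safe but should be stated, e.g. `# debug.log lines are plain text; this parser only fires if a JSON line appears`. The enclosing heredoc starts and ends outside the hunk.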
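Review bot: The first new logrotate stanza, `/var/log/debug/**/**/* { … rotate 0 … }`, appears to mirror the nested-directory layout of the concurrent audit log, but the debug log configured in this commit is a single file at `/var/log/debug/debug.log`, so that stanza matches nothing and only the `/var/log/debug/*.log` stanza does any work; drop it or add a comment explaining what is expected to appear three directories deep. In the live stanza, `copytruncate` with `hourly`, `rotate 2` and `maxage 1` is reasonable for a log that is off by default, but logrotate documents that data written between the copy and the truncate is lost, which is worth a one-line comment so nobody treats the shipped debug log as a complete record. `su root 82` pins rotation to gid 82; that should be checked against the group the controller and sidecar actually run as, which is not visible here. The enclosing `logrotate_config` heredoc starts outside the hunk.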
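Review bot: `SecDebugLogLevel 0` means the new pipeline ships nothing until someone raises the level, and when they do the debug log — unlike the audit log, which this file limits to `SecAuditLogParts AEFHKZ` and relevant status codes — records rule evaluation for every transaction and at the higher levels can include request headers, cookies and argument values for all traffic, not just blocked requests. The directive deserves a comment making that operational constraint explicit, e.g. `# 0 = off. Higher levels log per-transaction details (headers/args/cookies) for ALL requests; raise only temporarily, and only after confirming the target index's access control and retention.` It is also worth noting next to it that `/var/log/debug/` is made world-writable by the init container in values.yaml.tpl, so the file's contents are not tamper-evident.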
@@ -231,7 +231,7 @@ SecAuditLogRelevantStatus "^(?:5|4(?!04))" SecAuditLogParts AEFHKZ # Use a single file for logging. This is much easier to look at, but -# assumes that you will use the audit log only ocassionally. +# assumes that you will use the audit log only occasionally. # SecAuditLogType Concurrent diff --git a/templates/values.yaml.tpl b/templates/values.yaml.tpl index a620e95..344a18c 100644 --- a/templates/values.yaml.tpl +++ b/templates/values.yaml.tpl @@ -58,6 +58,8 @@ controller: ## Additional volumeMounts to the controller main container. - name: logs-volume mountPath: /var/log/audit/ + - name: logs-debug-volume + mountPath: /var/log/debug/ - name: modsecurity-nginx-config mountPath: /etc/nginx/modsecurity/modsecurity.conf subPath: modsecurity.conf @@ -75,10 +77,12 @@ controller: extraInitContainers: - name: init-file-permissions image: busybox - command: ["sh", "-c", "chmod -R 777 /var/log/audit"] + command: ["sh", "-c", "chmod -R 777 /var/log/audit /var/log/debug"] volumeMounts: - name: logs-volume mountPath: /var/log/audit + - name: logs-debug-volume + mountPath: /var/log/debug extraContainers: - name: flb-modsec-logs @@ -92,6 +96,8 @@ controller: mountPath: /fluent-bit/scripts/ - name: logs-volume mountPath: /var/log/audit/ + - name: logs-debug-volume + mountPath: /var/log/debug/ - name: varlog-pods mountPath: /var/log/pods/ - name: varlog-containers @@ -123,6 +129,8 @@ controller: mountPath: /home - name: logs-volume mountPath: /var/log/audit/ + - name: logs-debug-volume + mountPath: /var/log/debug/ resources: requests: cpu: "100m"
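Review bot: Four containers now mount `logs-debug-volume`, but no corresponding entry under `volumes:` (an emptyDir or other source) appears anywhere in this diff; if it is not already declared outside these hunks, the rendered Deployment will be rejected because the mounts reference an undefined volume. Worth confirming the `volumes:` list is updated in the same change, and adding a short comment beside this mount, e.g. `# ModSecurity SecDebugLog target (path set in templates/modsecurity.conf)`, so the coupling between the chart and the modsecurity.conf path is visible. The `controller:` mapping this sits in extends beyond the hunk.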
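Review bot: Extending `chmod -R 777` to `/var/log/debug` makes the new debug log directory world-writable for every process in the pod, which is weaker than needed for a file that can carry per-request data: any container sharing the volume, or anything that gains code execution in one of them, can append to, truncate or replace `debug.log` before Fluent Bit ships it. Since the logrotate config in this same change already pins `su root 82`, the init container could instead set group ownership and a group-writable mode, e.g. `command: ["sh", "-c", "chown -R 0:82 /var/log/audit /var/log/debug && chmod -R 0770 /var/log/audit /var/log/debug"]`, or better, drop the init container and let the pod's `securityContext.fsGroup` own the emptyDir. Either way the exact uid/gid the controller and sidecars run as needs to be confirmed against their securityContexts, which are outside this hunk. The 777 on `/var/log/audit` predates this commit, but the new directory inherits the same weakness rather than fixing it.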