No error log if noauditlog is set

[Rapsody09]

Describe the bug

The rule like this example below does not log anything at all in error log, I have to activate auditlog instead noauditlog to get log in error log (and also in audit log, but this is not what I want):

SecRule REQUEST_URI "@beginsWith /" "id:1000100,phase:1,log,noauditlog,pass,severity:INFO,logdata:'Test'"

Expected behavior

For every request beginning with / the rule above should log in error log only, and no audit log, but I get no log at all.
I have to active audit log to make the log appear in both error log and audit log, but I so not want any audit log for this rule.

Server (please complete the following information):

• ModSecurity version (and connector): ModSecurity v3.0.12 with nginx-connector v1.0.3
• WebServer: nginx/1.24.0
• OS (and distro): Linux, Debian 11.9

Rule Set (please complete the following information):

• CRS 3.3.5

Additional context

My log config is configured like this :

     #SecDebugLog /var/log/nginx/error.log
      SecDebugLogLevel 0

      SecAuditEngine RelevantOnly
      SecAuditLogRelevantStatus "^(?:5|4(?!04))"
      SecAuditLogFormat JSON

      SecAuditLogType Serial
      SecAuditLog /var/log/nginx/error.log

[airween]

Hi @Rapsody09,

could you show your Nginx's error_log setting?

Please note that you should pass a severity level to that. The minimum level is what you want to see in your error.log.

I suggest you to set up something like this:

    error_log /var/log/nginx/error.log info;

[Rapsody09]

Than @airween for your help,

Here is my nginx log setting :

          # logging
          access_log          /var/log/nginx/access.log custom;
          error_log           /var/log/nginx/error.log info;

I tried some things without success : for example increasing severity in the rule to EMERGENCY instead INFO
Better thing I found is to disable the auditEngine : log,ctl:auditEngine=off, but if I understand well il will disable audit log for all rules ? And that also not what I want ...

[airween]

Hi @Rapsody09,

thanks - seems like it's a new bug that you've found.

Better thing I found is to disable the auditEngine : log,ctl:auditEngine=off, but if I understand well il will disable audit log for all rules ?

Yes, that turns off the auditlog engine for whole transaction.

And that also not what I want ...

What do you want to achieve? What's your aim?

[Rapsody09]

I use this kind of log to trace specific actions on my web applications (For example specific usage of an API key, connection from a specific IP). I was using a lot like that with modsecurity 2.9 / apache without any issue, but I just migrated to 3.X / nginx recently and wanted to do the same :)

[airween]

Hi @Rapsody09,

sorry for the late reply.

I think this is a known bug in libmodsecurity3 - meanwhile I faced this problem somewhere else, so we have to fix that.

Thanks for your report.