logging

2023-08-21 15:34:18 +02:00 · 2023-08-21 15:34:18 +02:00 · 4846701ed5
commit 4846701ed5
parent a4ee1e717e
2 changed files with 32 additions and 8 deletions
--- a/pkg/acquisition/modules/waf/utils.go
+++ b/pkg/acquisition/modules/waf/utils.go
@ -10,6 +10,7 @@ import (
 	"github.com/crowdsecurity/crowdsec/pkg/types"
 	"github.com/crowdsecurity/crowdsec/pkg/waf"
 	"github.com/prometheus/client_golang/prometheus"
+	log "github.com/sirupsen/logrus"
 )

 func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
@ -47,12 +48,26 @@ func EventFromRequest(r waf.ParsedRequest) (types.Event, error) {
 	return evt, nil
 }

-func LogWaapEvent(evt *types.Event) {
-	/*log.WithFields(log.Fields{
-		"module":     "waf",
-		"source":     evt.Parsed["source_ip"],
-		"target_uri": evt.Parsed["target_uri"],
-	}).Infof("%s triggered %d rules [%+v]", evt.Parsed["source_ip"], len(evt.Waap), evt.Waap.GetRuleIDs())*/
+func LogWaapEvent(evt *types.Event, logger *log.Entry) {
+	req := evt.Parsed["target_uri"]
+	if len(req) > 12 {
+		req = req[:10] + ".."
+	}
+
+	if evt.Parsed["interrupted"] == "true" {
+		logger.WithFields(log.Fields{
+			"module":     "waf",
+			"source":     evt.Parsed["source_ip"],
+			"target_uri": req,
+		}).Infof("%s blocked on %s (%d rules) [%v]", evt.Parsed["source_ip"], req, len(evt.Waap.MatchedRules), evt.Waap.GetRuleIDs())
+	} else {
+		logger.WithFields(log.Fields{
+			"module":     "waf",
+			"source":     evt.Parsed["source_ip"],
+			"target_uri": req,
+		}).Debugf("%s triggerd non-blocking rules on %s (%d rules) [%v]", evt.Parsed["source_ip"], req, len(evt.Waap.MatchedRules), evt.Waap.GetRuleIDs())
+	}
+
 	//log.Infof("%s", evt.Waap)
 }

@ -63,6 +78,11 @@ func LogWaapEvent(evt *types.Event) {

 */

+// func LogWaapEvent(evt *types.Event) error {
+
+// 	return nil
+// }
+
 func (r *WafRunner) AccumulateTxToEvent(tx experimental.FullTransaction, kind string, evt *types.Event) error {

 	//log.Infof("tx addr: %p", tx)
--- a/pkg/acquisition/modules/waf/waf.go
+++ b/pkg/acquisition/modules/waf/waf.go
@ -543,6 +543,7 @@ func (r *WafRunner) Run(t *tomb.Tomb) error {
 					}
 				}
 			}
+			logged := false
 			//measure the full time spent in the WAF
 			elapsed := time.Since(startParsing)
 			WafInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
@ -558,7 +559,8 @@ func (r *WafRunner) Run(t *tomb.Tomb) error {
 				if err != nil {
 					return fmt.Errorf("cannot convert transaction to event : %w", err)
 				}
-				LogWaapEvent(evt)
+				LogWaapEvent(evt, r.logger)
+				logged = true
 				r.outChan <- *evt
 			}
 			expTx.Close()
@ -591,7 +593,9 @@ func (r *WafRunner) Run(t *tomb.Tomb) error {
 				// expTx.MatchedRules() returns also rules that set variables
 				// in evt.Waap.MatchedRules we have filtered those rules
 				if len(evt.Waap.MatchedRules) > 0 {
-					LogWaapEvent(evt)
+					if !logged {
+						LogWaapEvent(evt, r.logger)
+					}
 					r.outChan <- *evt
 				}
 			}