Add custom leading text to audit log lines

[szedenik-adam]

what

This PR introduces a new property: SecAuditLogHeader, that allows audit logs to have a customizable text that is prepended to each line.
Acts as a basic version of Apache HTTP Server's LogFormat.

why

In Kubernetes, the pods' log is taken from stdout and to use applications that directly log to stdout, we need to differentiate each log source (in this case, ModSecurity's audit log and the application's own log).

references

https://kubernetes.io/docs/concepts/cluster-administration/logging/

[airween]

Hi @szedenik-adam,

first of all, many thanks for this PR.

I have only two notes:

• probably you saw SonarCloud's new issues
  • seclang-scanner.cc issues are not relevant, that's a generated file by Bison
  • I don't expect you to change the existing codes, but if you think you're able to fix this, that would be fine (this issue is an old one, but with every small changes we can reduce the number of Sonar issues)
  • finally, I think you could consider to fix this issue at least
• the other request is could you add this new feature to our Wiki? I know that's a bit painful, because you have to clone the whole Wiki, and nobody can change the content, so you should send me the patch - but it's easy to see that all documentation is necessary

Let me know if you need any help, and thank you again.

[szedenik-adam]

Hi @airween,

thank you for your feedback.

I don't expect you to change the existing codes, but if you think you're able to fix this, that would be fine

Sure, I can replace the initializer list with in-class initializers. I used the initializer list approach there because I didn't want to break the existing code's "pattern" (and I also prefer that approach because with that, the constructor contains the member variable initializations).

finally, I think you could consider to fix this issue at least

Yes, of course. There I used std::basic_string<char> because of the same reason.

could you add this new feature to our Wiki?

Yes, I planned to do that, I just wanted to wait until I get approval of this PR to avoid doing unnecessary work.

[airween]

Sure,

Yes,

Yes,

Excellent, thank you!

[szedenik-adam]

wiki patch: modsec_wiki_auditlog_header.patch

[airween]

Hi @szedenik-adam,

thanks for modifications - unfortunately there are two new issues in SonarCloud. Could you take a look at them?

[szedenik-adam]

unfortunately there are two new issues in SonarCloud. Could you take a look at them?

yes, I will adapt the code according to those hints

[sonarqubecloud]

Quality Gate passed

Issues
7 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.1% Duplication on New Code

See analysis details on SonarQube Cloud

[airween]

wiki patch: modsec_wiki_auditlog_header.patch

Thanks - could you add some real life example? I mean how will look like a line if the admin sets this directive. Also if it's possible, put examples in case of JSON and native.

[szedenik-adam]

Added example and limitation that the parameter is only used when SecAuditLogFormat is set to native: modsec_wiki_auditlog_header.patch