-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the context on Envoy requests to the audit logs #256
Conversation
@sfc-gh-msathe I really love you brought this up. We have a couple of issues around this in corazawaf/coraza#711 and #166 where I was specifically targeting specifically request ID. What I think we could do as discussed in corazawaf/coraza#711 we could:
As per coraza-proxy-wasm we could add the slice |
// A convenience method to register the request information with the audit logger if available | ||
// on the request (else ignores). Must be called in the request context. | ||
func registerRequestContextWithLogger(auditLogger *ContextualAuditLogger, txnId string) { | ||
if id, err := proxywasm.GetHttpRequestHeader(envoyRequestIdHeader); err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is a request header, shouldn't it be automatically outputted in the headers (B) part of audit logs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I see in corazawaf/coraza#711 there is the issue that all headers are printed which may not be desired. That seems like a big issue with seclang syntax, I would first add a config to seclang to set an allow or deny list for logging headers as without it the B part seems implementation seems incomplete.
While generic selection of variables for logging may have a different use case, for headers it doesn't seem like it should be needed, we already have a part for it we should improve that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I could be wrong but it seems like the WASM filter here can't really print all the parts and just a fixed set of params are printed. See this issue I opened: #255
Is this not correct? I didn't find anything in the code that might print anything but these:
https://github.com/corazawaf/coraza-proxy-wasm/blob/main/wasmplugin/plugin.go#L699
The ErrorLog() method is here:
https://github.com/corazawaf/coraza/blob/f68d1c208791d741581a7d413c32777fbd74c611/internal/corazarules/rule_match.go#L254
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, I am fairly new to this so I could be wrong
This is not yet fully baked and I am here to get feedback on various choices. The motivation here is to bring a traceability between the Coraza audit logs and the envoy request logs by including the
x-request-id
header value in the audit logs.This won't affect any of the existing usage as this inclusion is controlled by the
include_request_id_in_audit_logs
configuration.I am looking for feedback over:
include_request_id_in_audit_logs
vs something broader like include a list of request headers with given labels.I understand this lacks unit tests and the code could be cleaner but I am waiting for a general agreement over the approach before committing the time.
Thanks all!