A Grafana dashboard for JSON-formatted kubernetes ingress-nginx modsecurity logs.
This dashbboard is a heavily-modified derivative of the NGINX ModSecurity OWASP CRS V0.0 dashboard by coffeeflash. They discus more about it's creation in this blog post. I have modified the dashboard to use JSON logs collected from /dev/stdout and changed some formatting for readability.
- Kubernetes ingress-nginx with metrics and modsecurity enabled
- Modesecurity log format set to
JSON - Modsecurity log output path
/dev/stdout - Kube-Prometheus-Stack (Prometheus, Grafana)
- Loki-Stack (Promtail, Loki)
-
Update the Nginx configmap:
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
-
Enable modsecurity:
apiVersion: v1 data: # ... allow-snippet-annotations: "true" enable-modsecurity: "true" enable-owasp-modsecurity-crs: "true" load-balance: ewma modsecurity-snippet: |- SecRuleEngine DetectionOnly SecAuditEngine RelevantOnly SecStatusEngine On SecRequestBodyAccess On SecAuditLog /dev/stdout SecAuditLogFormat JSON # ...
-
Expose metrics
helm upgrade ingress-nginx ingress-nginx \ --repo https://kubernetes.github.io/ingress-nginx \ --namespace ingress-nginx \ --set controller.metrics.enabled=true \ --set-string controller.podAnnotations."prometheus\.io/scrape"="true" \ --set-string controller.podAnnotations."prometheus\.io/port"="10254"