cloudymax / modsecurity-dashboard

A Grafana dashboard for JSON-formatted Kubernetes ingress-nginx ModSecurity logs, for use with Kube-Prometheus-Stack and Loki-Stack


Modsecurity Dashboard

A Grafana dashboard for JSON-formatted Kubernetes ingress-nginx ModSecurity logs.

Acknowledgement

This dashboard is a heavily modified derivative of the NGINX ModSecurity OWASP CRS V0.0 dashboard by coffeeflash. They discuss more about its creation in this blog post. I have modified the dashboard to use JSON logs collected from /dev/stdout and changed some formatting for readability.


Requirements

Enable NGINX ModSecurity + Metrics

  1. Update the Nginx configmap:

    kubectl edit configmap -n ingress-nginx ingress-nginx-controller

  2. Enable ModSecurity:

    apiVersion: v1
    data:
      # ...
      allow-snippet-annotations: "true"
      enable-modsecurity: "true"
      enable-owasp-modsecurity-crs: "true"
      load-balance: ewma
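      # DetectionOnly logs rule matches but does not block requests;
      # audit records are written as JSON to the controller's stdout.
      modsecurity-snippet: |-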
        SecRuleEngine DetectionOnly
        SecAuditEngine RelevantOnly
        SecStatusEngine On
        SecRequestBodyAccess On
        SecAuditLog /dev/stdout
        SecAuditLogFormat JSON
      # ...

  3. Expose metrics:

    helm upgrade ingress-nginx ingress-nginx \
    --repo https://kubernetes.github.io/ingress-nginx \
    --namespace ingress-nginx \
    --set controller.metrics.enabled=true \
    --set-string controller.podAnnotations."prometheus\.io/scrape"="true" \
    --set-string controller.podAnnotations."prometheus\.io/port"="10254"


License: MIT License