From ea5add6f5cdbe2c502178b09012d782ff991f9de Mon Sep 17 00:00:00 2001 From: Manuel Alejandro de Brito Fontes Date: Tue, 24 Sep 2019 14:44:48 -0300 Subject: [PATCH] Rollback change of ModSecurity setting SecAuditLog --- docs/user-guide/third-party-addons/modsecurity.md | 4 ++-- images/nginx/rootfs/build.sh | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/user-guide/third-party-addons/modsecurity.md b/docs/user-guide/third-party-addons/modsecurity.md index 25265d96a..c036bbdc3 100644 --- a/docs/user-guide/third-party-addons/modsecurity.md +++ b/docs/user-guide/third-party-addons/modsecurity.md @@ -8,8 +8,8 @@ The default ModSecurity configuration file is located in `/etc/nginx/modsecurity To enable the ModSecurity feature we need to specify `enable-modsecurity: "true"` in the configuration configmap. >__Note:__ the default configuration use detection only, because that minimizes the chances of post-installation disruption. -The file `/var/log/modsec_audit.log` contains the log of ModSecurity. - +Due to the value of the setting [SecAuditLogType=Concurrent](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogtype) the ModSecurity log is stored in multiple files inside the directory `/var/log/audit`. +The default `Serial` value in SecAuditLogType can impact performance. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The directory `/etc/nginx/owasp-modsecurity-crs` contains the [owasp-modsecurity-crs repository](https://github.com/SpiderLabs/owasp-modsecurity-crs). diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index c2055cb7b..8064c6363 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh 
@@ -332,8 +332,8 @@ cp unicode.mapping /etc/nginx/modsecurity/unicode.mapping # Replace serial logging with concurrent sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' /etc/nginx/modsecurity/modsecurity.conf -# Use stdout for modsecurity logs -sed -i 's|SecAuditLog /var/log/modsec_audit.log|SecAuditLog /dev/stdout|g' /etc/nginx/modsecurity/modsecurity.conf +# Concurrent logging implies the log is stored in several files +echo "SecAuditLogStorageDir /var/log/audit/" >> /etc/nginx/modsecurity/modsecurity.conf # Download owasp modsecurity crs cd /etc/nginx/ @@ -576,6 +576,7 @@ writeDirs=( \ /opt/modsecurity/var/log \ /opt/modsecurity/var/upload \ /opt/modsecurity/var/audit \ + /var/log/audit \ ); for dir in "${writeDirs[@]}"; do
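Review bot: In the modsecurity.md hunk, the replacement text drops the only mention of where the audit index lives: the removed line named `/var/log/modsec_audit.log`, and since this patch also removes the sed that pointed `SecAuditLog` at `/dev/stdout`, that file is again the index in Concurrent mode while the per-transaction entries go to `/var/log/audit`. The new sentence "The default `Serial` value in SecAuditLogType can impact performance." also reads as the justification for the preceding sentence, so it belongs before it, e.g. "The default `Serial` value of SecAuditLogType can impact performance, so the image sets [SecAuditLogType=Concurrent](...) and the log is stored in multiple files inside `/var/log/audit`; the index file is `/var/log/modsec_audit.log`." Worth adding one sentence on how operators are expected to collect those files now that they no longer reach the container's stdout (a volume on `/var/log/audit`, or a sidecar), since that is the user-visible effect of the rollback.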
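Review bot: In the build.sh hunk at `@@ -332`, `echo "SecAuditLogStorageDir /var/log/audit/" >> .../modsecurity.conf` appends a new directive instead of editing the existing one in place, unlike the `sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g'` line just above it. If the shipped modsecurity.conf already carries a `SecAuditLogStorageDir` line (the `/opt/modsecurity/var/audit` entry in the writeDirs list suggests such a default exists), the file ends up with two settings for the same directive and the last one silently wins, which is hard to spot when debugging. Suggest using the same sed pattern for consistency, e.g. `sed -i 's|^#\?SecAuditLogStorageDir .*|SecAuditLogStorageDir /var/log/audit/|' /etc/nginx/modsecurity/modsecurity.conf`, and verifying afterwards with a `grep -c SecAuditLogStorageDir` so the build fails if the directive is missing or duplicated. Also worth stating in the comment that this removes the stdout logging the previous change introduced, so the rollback is intentional rather than an accidental revert.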
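Review bot: In the build.sh hunk at `@@ -576`, only `/var/log/audit` is added to `writeDirs`, but with the stdout sed removed the index file `SecAuditLog` is back at its original path under `/var/log` (the removed doc line names `/var/log/modsec_audit.log`), so `/var/log` itself, or at least that file, must also be writable by the user nginx runs as; otherwise ModSecurity can write the per-transaction files but not the index, and the `/var/log/audit` directory fills with entries nothing can correlate. Either add the index file's parent directory to the list, or set `SecAuditLog` to a path inside `/var/log/audit/` so a single writable directory covers both. The trailing slash mismatch between `/var/log/audit/` in the conf and `/var/log/audit` here is harmless but worth aligning for greppability.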