审计日志无法记录body字段（The audit log cannot record the body field）

[jumppppp]

这是我的代码：
（this is my code）
`package main

import (
"fmt"
"log"
"net/http"

"github.com/corazawaf/coraza/v3"
"github.com/corazawaf/coraza/v3/debuglog"
"github.com/corazawaf/coraza/v3/types"

)

func main() {

corazaConfig := coraza.NewWAFConfig().
	WithDirectivesFromFile("rules.conf").
	WithRequestBodyAccess().
	WithResponseBodyAccess().
	WithDebugLogger(debuglog.Default()).
	WithErrorCallback(func(rule types.MatchedRule) {
		log.Printf("WAF Error: %+v", rule)
	})

waf, err := coraza.NewWAF(corazaConfig)
if err != nil {
	fmt.Println(err)
}

// 创建 HTTP 处理器
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
	// 创建 WAF 事务
	tx := waf.NewTransaction()

	tx.ProcessConnection(r.RemoteAddr, 0, r.Host, 0)
	tx.ProcessURI(r.RequestURI, r.Method, r.Proto)

	// 设置服务器名
	tx.SetServerName(r.Host)
	// 处理请求头
	for name, values := range r.Header {
		for _, value := range values {
			tx.AddRequestHeader(name, value)
		}
	}
	tx.ProcessRequestHeaders()
	// 处理请求体
	if r.Body != nil {

		fmt.Println(tx.ReadRequestBodyFrom(r.Body))
	}

	// 处理请求
	tx.ProcessRequestBody()

	// 检查是否有阻止
	if tx.Interruption() != nil {
		http.Error(w, "Request Blocked", http.StatusForbidden)
		return
	}

	// 示例响应
	responseBody := "Hello, World!"

	// 处理响应头
	w.Header().Set("Content-Type", "text/plain")
	tx.AddResponseHeader("Content-Type", "text/plain")

	// 处理响应体
	tx.WriteResponseBody([]byte(responseBody))

	// 处理响应
	tx.ProcessResponseHeaders(200, "HTTP/1.1")

	// 写入响应体
	fmt.Fprintln(w, responseBody)

	// 处理响应体结束
	tx.ProcessResponseBody()

	tx.ProcessLogging()
	// 关闭事务
	tx.Close()
})

// 启动 HTTP 服务器
log.Println("Starting server on :5050")
log.Fatal(http.ListenAndServe("0.0.0.0:5050", nil))

}
这是我的规则： （this is my rules）SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditEngine On
SecAuditLogParts ABIJDEFHZ
SecAuditLogFormat JSON
SecAuditLog ./audit.json

添加规则，匹配所有请求并记录审计日志

SecRule REQUEST_METHOD "@Streq POST"
"id:1001,phase:1,log,auditlog,msg:'POST request detected',tag:'POST-Request-RuleSet'"
我是用curl 进行测试访问，如下C:\Users\28177>curl -v -X POST http://127.0.0.1:5050/ -d "key1=value1&key2=value2"
Note: Unnecessary use of -X or --request, POST is already inferred.

• Trying 127.0.0.1:5050...
• Connected to 127.0.0.1 (127.0.0.1) port 5050

POST / HTTP/1.1
Host: 127.0.0.1:5050
User-Agent: curl/8.7.1
Accept: /
Content-Length: 23
Content-Type: application/x-www-form-urlencoded

• upload completely sent off: 23 bytes
  < HTTP/1.1 200 OK
  < Content-Type: text/plain
  < Date: Sun, 14 Jul 2024 04:51:30 GMT
  < Content-Length: 14
  <
  Hello, World!
• Connection #0 to host 127.0.0.1 left intact`

最后audit记录的内容为：
（The content recorded in the final audit is:）

{"transaction":{"timestamp":"2024/07/14 12:51:30","unix_timestamp":1720932690441861500,"id":"MSUmuRhwfytUyCVFVRy","client_ip":"127.0.0.1:35335","client_port":0,"host_ip":"127.0.0.1:5050","host_port":0,"server_id":"127.0.0.1:5050","request":{"method":"POST","protocol":"HTTP/1.1","uri":"/","http_version":"","headers":{"accept":["*/*"],"content-length":["23"],"content-type":["application/x-www-form-urlencoded"],"user-agent":["curl/8.7.1"]},"body":"","files":null},"response":{"protocol":"","status":200,"headers":{"content-type":["text/plain"]},"body":""},"producer":{"connector":"","version":"","server":"","rule_engine":"On","stopwatch":"1720932690441861500 2256200; combined=1747500, p1=1747500, p2=0, p3=0, p4=0, p5=0","rulesets":null}}}
问题：为什么我在代码和规则中都启用的body记录，但是body字段确实空的，哪位神仙可以帮助一下
（Question: Why do I enable the body record in both the code and rules, but the body field is indeed empty? Which immortal can help）

[M4tteoP]

Hi @jumppppp, take a look at the details of SecAuditLogParts. Based on your code I see that you are using SecAuditLogParts ABIJDEFHZ, but C is also needed to log the request body.
Hope it helps,
Matteo