On 10/29/10 3:37 PM, "Ryan Barnett" <[email protected]> wrote:

> On 10/29/10 3:28 PM, "George Notaras" <[email protected]> wrote:
> 
>> On 29/10/2010 21:48, Ryan Barnett wrote:
>>> - Users can now more easily toggle between traditional/standard mode vs.
>>> anomaly scoring mode
>>>   by editing the modsecurity_crs_10_config.conf file
>> 
>> Hello list,
>> 
>> This is the first time I post to this mailing list, so I'd like to say
>> thanks to all who have contributed to this project.
>> 
>> I have several questions about the ruleset, but, for now, reading about
>> this new feature I'd like to ask whether toggling to standard mode also
>> reverts logging back to the mod-security default, which records every
>> message to Apache's error_log using the old format.
>> 
>> Thanks in advance.
> 
> Good question and the answer is yes.  In the 10 config file, you can edit
> the SecDefaultAction setting to suit your needs -
> 
> # You can also decide how you want to handle logging actions.  You have three options -
> #
> #       - To log to both the Apache error_log and ModSecurity audit_log file use - log
> #       - To log *only* to the ModSecurity audit_log file use - nolog,auditlog
> #       - To log *only* to the Apache error_log file use - log,noauditlog
> #
> SecDefaultAction "phase:2,pass,nolog,auditlog"
> 

Just to clarify - the Anomaly Scoring Mode vs. Standard Mode is really about
whether you want a single rule to block or not.  When talking about logging,
you can choose where you want to log events regardless of anomaly scoring or
standard detection mode.

So, you can run in anomaly scoring mode *and* also log to both the audit and
error logs if you wish.

Hope this helps,
Ryan
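
Added example, not part of the original thread or of the CRS project: a small Python check that reads a SecDefaultAction line and reports the disruptive action separately from the log destinations, which is the independence described above. The function name, the result keys and the `deny` sample line are assumptions made for illustration.

```python
import re

# Disruptive actions in ModSecurity 2.x; "pass" lets the transaction continue.
DISRUPTIVE = {"pass", "allow", "block", "deny", "drop", "redirect", "proxy"}

def parse_default_action(line):
    """Summarise one SecDefaultAction directive (hypothetical helper)."""
    m = re.match(r'\s*SecDefaultAction\s+"?([^"]+)"?\s*$', line)
    if not m:
        raise ValueError("not a SecDefaultAction directive: %r" % line)
    # Assumption: with no logging action present, both logs are written.
    error_log = audit_log = True
    phase = disruptive = None
    # Actions are applied left to right, so a later action overrides an earlier one.
    for action in (a.strip() for a in m.group(1).split(",")):
        name, _, value = action.partition(":")
        name = name.lower()
        if name == "phase":
            phase = value
        elif name in DISRUPTIVE:
            disruptive = name
        elif name == "log":            # Apache error_log and audit_log
            error_log = audit_log = True
        elif name == "nolog":          # neither log; implies noauditlog
            error_log = audit_log = False
        elif name == "auditlog":       # re-enables audit_log after nolog
            audit_log = True
        elif name == "noauditlog":
            audit_log = False
    return {
        "phase": phase,
        "disruptive": disruptive,
        "error_log": error_log,
        "audit_log": audit_log,
        # Assumption: only deny/drop are counted as "a single rule blocks".
        "single_rule_blocks": disruptive in ("deny", "drop"),
    }

SAMPLES = [
    'SecDefaultAction "phase:2,pass,nolog,auditlog"',   # from the message above
    'SecDefaultAction "phase:2,pass,log"',              # option 1 in the comment
    'SecDefaultAction "phase:2,pass,log,noauditlog"',   # option 3 in the comment
    'SecDefaultAction "phase:2,deny,status:403,log"',   # constructed blocking sample
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", parse_default_action(s))
```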

