On 29/10/2010 22:40, Ryan Barnett wrote:
> On 10/29/10 3:37 PM, "Ryan Barnett" <[email protected]> wrote:
>
>> On 10/29/10 3:28 PM, "George Notaras" <[email protected]> wrote:
>>
>>> On 29/10/2010 21:48, Ryan Barnett wrote:
>>>> - Users can now more easily toggle between traditional/standard mode vs.
>>>> anomaly scoring mode by editing the modsecurity_crs_10_config.conf file
>>>
>>> Hello list,
>>>
>>> This is the first time I post to this mailing list, so I'd like to say
>>> thanks to all who have contributed to this project.
>>>
>>> I have several questions about the ruleset, but, for now, reading about
>>> this new feature I'd like to ask whether toggling to standard mode also
>>> reverts logging back to the mod-security default, which records every
>>> message to the apache's error_log using the old format.
>>>
>>> Thanks in advance.
>>
>> Good question and the answer is yes. In the 10 config file, you can edit
>> the SecDefaultAction setting to suit your needs -
>>
>> # You can also decide how you want to handle logging actions. You have three options -
>> #
>> # - To log to both the Apache error_log and ModSecurity audit_log file use - log
>> # - To log *only* to the ModSecurity audit_log file use - nolog,auditlog
>> # - To log *only* to the Apache error_log file use - log,noauditlog
>> #
>> SecDefaultAction "phase:2,pass,nolog,auditlog"
>>
>
> Just to clarify - the Anomaly Scoring Mode vs. Standard Mode is really about
> whether you want a single rule to block or not. When talking about logging,
> you can choose where you want to log events regardless of anomaly scoring or
> standard detection mode.
>
> So, you can run in anomaly scoring mode *and* also log to both the audit and
> error logs if you wish.
>
> Hope this helps,
> Ryan

Thanks for the clarification. Although you had also written it in the first message:

  - Removed logging actions from most rules so that it can be controlled
    from the SecDefaultAction setting in the modsecurity_crs_10_config.conf file

... it seems that I didn't pay much attention to that new improvement.

Some of my questions had to do with the logging actions being hard-coded into every rule, but now this is no more an issue for me.

Thanks for your reply and also for these excellent improvements.
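
Added example, not part of the thread or of the CRS project's code: a short Python check that reads `SecDefaultAction` lines from a configuration and reports where rule matches will be logged, following the three options quoted above. The sample configuration and the function names are constructed for illustration; treating a lone `nolog` as disabling both logs and defaulting to phase 2 are assumptions taken from the ModSecurity reference manual.

```python
import re

# Constructed sample in the style of modsecurity_crs_10_config.conf (not the real file).
SAMPLE_CONF = r'''
# SecDefaultAction "phase:2,pass,log"
SecDefaultAction "phase:2,pass,nolog,auditlog"
SecDefaultAction "phase:1,pass,\
    log,noauditlog"
'''

DIRECTIVE = re.compile(r'^\s*SecDefaultAction\s+(["\']?)(.+?)\1\s*$', re.I)
LABELS = {(True, True): 'both', (False, True): 'audit_log only',
          (True, False): 'error_log only', (False, False): 'none'}

def log_destinations(actions):
    """Apply logging actions left to right; a later action overrides an earlier one."""
    error_log = audit_log = None           # None: no logging action seen yet
    for action in actions:
        if action == 'log':                # error_log and audit_log
            error_log = audit_log = True
        elif action == 'nolog':            # assumption: suppresses both logs
            error_log = audit_log = False
        elif action == 'auditlog':
            audit_log = True
        elif action == 'noauditlog':
            audit_log = False
    if error_log is None and audit_log is None:
        return 'unspecified'
    return LABELS[(bool(error_log), bool(audit_log))]

def audit_conf(text):
    """Map each phase that has a SecDefaultAction to its logging destination."""
    joined = re.sub(r'\\\r?\n\s*', '', text)   # fold backslash line continuations
    result = {}
    for line in joined.splitlines():
        match = DIRECTIVE.match(line)           # commented-out directives do not match
        if not match:
            continue
        # A plain comma split is enough here: default actions carry no quoted msg text.
        actions = [a.strip().lower() for a in match.group(2).split(',')]
        phase = next((a.split(':', 1)[1] for a in actions
                      if a.startswith('phase:')), '2')   # assumption: phase defaults to 2
        result[phase] = log_destinations(actions)
    return result

if __name__ == '__main__':
    for phase, dest in sorted(audit_conf(SAMPLE_CONF).items()):
        print(f'phase {phase}: {dest}')
```

A result of `none` or `unspecified` for a phase is the case worth reviewing, since rule matches in that phase may then leave no record in either log.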
