Reference Manual:
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecAuditEngine
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDebugLog
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecAuditLogRelevantStatus
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecAuditLogParts
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecAuditLogType
https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecAuditLog
Current setting:

# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHKZ

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/

Rationale: While audit logging everything is ideal from an incident response perspective, for initial deployment setting SecAuditEngine to RelevantOnly is a good idea. The SecAuditLogRelevantStatus will log all 5xx/4xx level status code responses (except 404s). The default audit log type is Serial. If you want to use mlogc to send the audit logs off to a remote location then you will need to update this to use Concurrent.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
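As an added example (not from the post above and not ModSecurity's own code), a small Python parser for the Serial audit log format the configuration above writes, which re-applies the SecAuditLogRelevantStatus regex offline to see which entries the RelevantOnly policy would have selected. The sample log, its boundary string, unique ids and addresses are constructed, and treating a `Message:` line in part H as "a rule marked this transaction" is an assumption, not the engine's logic.

```python
import re
# Constructed Serial-format audit log (boundary, ids and addresses are made up).
SAMPLE_AUDIT_LOG = """--a1b2c3d4-A--
[10/Aug/2012:14:02:11 +0000] UNIQUE-ID-0001 192.0.2.10 51234 198.51.100.5 80
--a1b2c3d4-B--
GET /index.php?id=1 HTTP/1.1
--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [msg "constructed example"]
--a1b2c3d4-Z--
--a1b2c3d4-A--
[10/Aug/2012:14:02:12 +0000] UNIQUE-ID-0002 192.0.2.11 51235 198.51.100.5 80
--a1b2c3d4-B--
GET /missing.html HTTP/1.1
--a1b2c3d4-F--
HTTP/1.1 404 Not Found
--a1b2c3d4-H--
Engine-Mode: "ENABLED"
--a1b2c3d4-Z--
"""
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # section boundary line
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")     # SecAuditLogRelevantStatus value

def parse_serial_audit_log(text):
    """Split a Serial audit log into entries, each a dict of part letter -> body text."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            part = m.group(2)
            if part == "A":        # part A opens an entry ...
                current = {}
            elif part == "Z":      # ... and part Z closes it
                entries.append({k: "\n".join(v) for k, v in current.items()})
                current, part = None, None
            continue
        if current is not None and part is not None:
            current.setdefault(part, []).append(line)
    return entries

def response_status(entry):
    """Status code from the status line in part F (response headers), or None."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", entry.get("F", ""))
    return m.group(1) if m else None

def is_relevant(entry):
    """RelevantOnly re-applied offline: status matches the regex, or a Message: line in H (assumption)."""
    status = response_status(entry)
    return bool(status and RELEVANT_STATUS.match(status)) or "Message:" in entry.get("H", "")
```

Running it over a real /var/log/modsec_audit.log is a quick way to confirm that only 5xx and non-404 4xx responses (plus rule-marked transactions) are being written before switching to Concurrent for mlogc.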
