ModSecurity logging
Hello,
I installed the basic OWASP rules for ModSecurity, but now my logs in ModSecurity Tools are becoming really big, really fast.
I tried, for many hours, to find the configuration to disable the log of non-critical rules, like a missing Accept Header (like the one used by PingDom), but it does not work.
What I tried:
1. Changing the Audit Log Level to Only log noteworthy transactions
2. Adding SecAuditLogRelevantStatus (using many different prefixes)
3. And plenty little steps that didn't work
I am currently using the "Anomaly" rules, and it works great. I understand the logs are using MySQL, but I cannot find where this setting is enabled.
I guess I am missing something.
Thank you for your help
-
the MySQL stuff is pulled by cPanel from the modsec audit log. Audit log data is more verbose than what gets dumped into the apache error log (although, the way cPanel processes it you lose a lot of the useful stuff like POST data from the audit log). In short, log and auditlog are two different things; basic log info goes to the apache error log, verbose info to the modsec audit log. If you really don't want particular rules to log to either, you can add a "nolog" action to the rules themselves, like this: SecRule REQUEST_HEADERS:User-Agent "Test" "deny,nolog,id:121" Honestly though, it's typically worth keeping the logs and audit logs around, they're just text, it really doesn't take up that much disk space. You could also use "noauditlog" instead of "nolog" to keep the basic data in the apache error log, but it won't show up in WHM since that pulls from audit log afaik. 0 -
I finally added the nolog and noauditlog to the rules I don't wanted Thank you 0
Please sign in to leave a comment.
Comments
2 comments