LiteSpeed Support Forums

LiteSpeed Support Forums (http://www.litespeedtech.com/support/forum/index.php)
-   General (http://www.litespeedtech.com/support/forum/forumdisplay.php?f=25)
-   -   ModSecurity Audit Log Blank although block is logged to error.log (http://www.litespeedtech.com/support/forum/showthread.php?t=6523)

c0ldshadow 01-02-2013 06:53 PM
ModSecurity Audit Log issue - audit log not written to in chain rules
 
Hi, I have question about the audit log.

The following rule I have in one vhost. Upon accessing test.php, as expected, a full capture goes into the audit log

SecRule REQUEST_URI "/test\.php" auditlog,deny


However...

SecRule REQUEST_URI "/test\.php" chain
SecRule ARGS:username "blah" auditlog,deny

^ the above rule DOES block my request and it logs to error.log. But nothing gets logged to the auditlog. The Audit Log only fails to get written to in rules with chain in it.

Any idea how to make chain rule blocks go to the auditlog as well?

Some settings, server level:

Enable Request Filtering
Yes

Debug Log Level
9

Default Action
Not Set


Scan Request Body
Yes

Disable .htaccess Override
Not Set

Enable Security Audit Log
Yes


Security Audit Log
/removed/audit.log

c0ldshadow 01-02-2013 08:55 PM
I have made some progress on this..

auditlog appears to work for chained rules when the rules are set at the server level, not vhost.


All times are GMT -7. The time now is 08:37 PM.