ModSecurity Audit Log Blank although block is logged to error.log

Discussion in 'General' started by c0ldshadow, Jan 3, 2013.

  1. c0ldshadow

    c0ldshadow New Member

    ModSecurity Audit Log issue - audit log not written to in chain rules

    Hi, I have a question about the audit log.

    I have the following rule in one vhost. Upon accessing test.php, as expected, a full capture goes into the audit log:

    SecRule REQUEST_URI "/test\.php" auditlog,deny


    However...

    SecRule REQUEST_URI "/test\.php" chain
    SecRule ARGS:username "blah" auditlog,deny

    ^ the above rule DOES block my request and it logs to error.log. But nothing gets logged to the auditlog. The Audit Log only fails to get written to in rules with chain in them.

    Any idea how to make chain rule blocks go to the auditlog as well?

    Some settings, server level:

    Enable Request Filtering: Yes
    Debug Log Level: 9
    Default Action: Not Set
    Scan Request Body: Yes
    Disable .htaccess Override: Not Set
    Enable Security Audit Log: Yes
    Security Audit Log: /removed/audit.log
    Last edited: Jan 3, 2013
  2. c0ldshadow

    c0ldshadow New Member

    I have made some progress on this..

    auditlog appears to work for chained rules when the rules are set at the server level, not vhost.
