[Resolved] SecDebugLogLevel not working correctly

Status
Not open for further replies.

innovot

Well-Known Member
#1
According to the documentation one should set:
  • 1 - errors (intercepted requests) only.
for hits to be logged into Apache's error log, but I have added SecDebugLogLevel 1 and nothing at all is being logged?!?

If somebody is using LSWS with Apache configuration files and is having hits logged, would they mind sharing their configuration, please? I should add that rules are being processed, as I do see entries like the following in audit.log:

Code:
Message: Detected , [Rule: 'RESPONSE_STATUS' '200'] [id "377360"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [MatchedString "200"]
 

innovot

Well-Known Member
#2
Interestingly, I do see some events being logged, e.g.
Code:
 ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' 'python-requests/'] [id "332039"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests).  Disable this rule if you use python-requests/. "]
So does LiteSpeed only log events that trigger a 403 error? If that is the case, is there any way to log a rule that hits but returns a 200 response code? We use OSSEC to correlate and take proactive measures based on the alerts, and without it logging all hits we are a little stuck.
 

mistwang

LiteSpeed Staff
#3
Please force reinstall to try the latest build of 4.2.14, which added error logging when a rule has been hit and SecDebugLogLevel is not 0.
 

innovot

Well-Known Member
#6
Hi George.

That is perfect and thank you so much for resolving so quickly.
Code:
[Wed Sep  3 19:24:22 2014] [error] [client 176.223.89.91] ModSecurity: Access denied with code -, [Rule: 'RESPONSE_STATUS' '200'] [id "377360"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "]
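
An added example, not part of any post in this thread and not LiteSpeed or OSSEC code: a parser for the error-log layout quoted above that separates blocking hits (numeric code) from non-blocking hits (`code -`) and counts the latter per client and rule id, which is the input a correlation tool needs. The function names, the extra sample lines and the reading of `code -` as "rule matched, request not denied" are assumptions.

```python
import re
from collections import Counter

# Layout taken from the error-log lines quoted in the thread. The
# "[timestamp] [error] [client ip]" prefix is optional because the excerpt
# in post #2 was quoted without it.
LINE_RE = re.compile(
    r'(?:\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] )?'
    r'ModSecurity: Access denied with code (?P<code>\d{3}|-), '
    r"\[Rule: '(?P<variable>[^']*)' '(?P<operand>[^']*)'\] "
    r'\[id "(?P<id>\d+)"\] \[msg "(?P<msg>[^"]*)"\]'
)

def parse_hit(line):
    """Return the fields of one ModSecurity hit, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    hit["msg"] = hit["msg"].strip()
    # Assumption: "code -" is a rule hit that did not deny the request
    # (post #6, response stayed 200); a numeric code is an actual block.
    hit["blocked"] = hit["code"] != "-"
    return hit

def detect_only_counts(lines):
    """Count non-blocking hits per (client, rule id) for correlation."""
    counts = Counter()
    for line in lines:
        hit = parse_hit(line)
        if hit and not hit["blocked"]:
            counts[(hit["client"], hit["id"])] += 1
    return counts

def _line(ts, client, code, var, op, rid, msg):
    return (f"[{ts}] [error] [client {client}] ModSecurity: Access denied "
            f"with code {code}, [Rule: '{var}' '{op}'] [id \"{rid}\"] [msg \"{msg}\"]")

LOGIN = "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "
# Constructed sample: the first entry reproduces the line from post #6, the
# rest are made up in the same layout (203.0.113.7 is a documentation address).
SAMPLE = [
    _line("Wed Sep  3 19:24:22 2014", "176.223.89.91", "-", "RESPONSE_STATUS", "200", "377360", LOGIN),
    _line("Wed Sep  3 19:24:29 2014", "176.223.89.91", "-", "RESPONSE_STATUS", "200", "377360", LOGIN),
    _line("Wed Sep  3 19:25:02 2014", "203.0.113.7", "403", "REQUEST_HEADERS:User-Agent",
          "python-requests/", "332039", "Suspicious Unusual User Agent (python-requests)."),
    "[Wed Sep  3 19:25:10 2014] [notice] unrelated line",
]
```

`detect_only_counts(SAMPLE)` reports two non-blocking hits of rule 377360 from the same client, while the 403 hit and the unrelated line are excluded.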
 