Thanks for clearing that up. I get it now.


Ivan Ristic wrote:
Linh Vu wrote:

Thanks for your reply. I currently have 1 AuditLog at httpd.conf level
to log all virtual hosts. I take it that if I add SecGuardianLog
/path/to/httpd-guardian at that same level, it will scan every request
that gets logged in AuditLog and act accordingly?

  The idea is to send information about *every* request to the
  guardian log.

I'm confused by this paragraph in httpd-guardian script:

# NOTE: In order for this script to be effective it must be able to
#       see all requests coming to the web server. This will not happen
#       if you are using per-virtual host logging. In such cases either
#       use the ModSecurity 1.9 SecGuardianLog directive (which was designed
#       for this very purpose).

So does "per-virtual host logging" here refer to the Audit Log?

  No, it refers to the case when you are using this facility without
  ModSecurity. In that case you will need to ensure all requests are
  sent to httpd-guardian.

  If you are using ModSecurity - it does that for you.

means that if I have multiple AuditLogs for the virtual hosts,
SecGuardianLog won't be effective, right?

  No, audit log and guardian log are not related.


Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093  Email: