Hi,
I enabled the K section and it's quite detailed, however it doesn't mention the parameter that triggered each matching rule.
While the H section indicates things like
TX:950109-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-ARGS:sqlQuery.
the K section will show
%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

Avi

On 2013-05-23, at 6:47 PM, Christian Folini <christian.folini@time-machine.ch> wrote:

Hi Avi,

Did you try the "K"-part of the audit-log?

Christian

On Thu, May 23, 2013 at 05:47:51PM +0300, Avi Rosenblatt wrote:
Hi,
I'm currently using anomaly scoring with owasp 2.2.6 (modsec 2.7.3) and I want the detailed audit log to contain all rules that the request hit. Right now the log only shows the rule that caused the 403 and none of the others that contributed to the score. Can anyone help with the config?

Thanx
Avi
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Avi Rosenblatt
IT Manager
305-600-4362
-------------------------
Green Smoke, Inc. USA
It's Electric™