Hello Josh,
My configuration is:

SecAuditLogType Concurrent

SecAuditLogStorageDir /var/log/apache2/mlogc/data

SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"


but in the folder mlogc/data I can see only empty folders, because mlogc transfers the data to the WAF-FLE DB on another machine.

The log that I've sent you is from the WAF-FLE interface.

Where can I catch all the logs?

Thanks

Daniele


Daniele Gallarato
______________________________________________________
Animals are my friends... and I don't eat my friends.

-- George Bernard Shaw

-- http://www.saicosamangi.info/ --
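Josh is asking for parts H and K, and the log pasted further down is a WAF-FLE rendering that shows neither. The script below is an added example, not code from this thread, from ModSecurity or from WAF-FLE: it parses ModSecurity's native audit-log format (the `--<boundary>-<letter>--` separated entries written to the serial log file, or to each per-transaction file under SecAuditLogStorageDir before mlogc ships it) and reports which parts each entry is missing, and it reads the letters enabled by a SecAuditLogParts line. ModSecurity 2.x writes only the parts listed in SecAuditLogParts; H is the trailer (Message:, Action:, Engine-Mode: lines) and K lists the rules that matched, so an entry without H and K usually means those letters are not in SecAuditLogParts. The log entries and the config line in the script are constructed samples.

```python
"""Check which parts a ModSecurity 2.x audit-log entry actually contains."""
import re
from typing import Dict, List, Optional, Set

# Part letters ModSecurity 2.x can write. H = trailer, K = matched rules, Z = end.
KNOWN_PARTS: Set[str] = set("ABCDEFGHIJKZ")

# Serial logs and per-transaction concurrent files both separate parts with
# a line of the form "--<boundary>-<letter>--".
SEPARATOR = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--[ \t]*$", re.M)

# Constructed sample: two entries, the first without H and K, the second with both.
SAMPLE_LOG = """--a1b2c3d4-A--
[07/Nov/2013:11:30:00 +0100] UnpQ3cCoAAEAACakO0sAAAAA 192.0.2.10 54321 192.0.2.20 80
--a1b2c3d4-B--
POST /upload/uploadremoto_uf_.aspx HTTP/1.1
Host: www.example.test
Content-Type: multipart/form-data; boundary=----ConstructedBoundary
--a1b2c3d4-F--
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
--a1b2c3d4-Z--

--e5f6a7b8-A--
[07/Nov/2013:11:31:00 +0100] UnpQ4cCoAAEAACakO0sAAAAB 192.0.2.11 54322 192.0.2.20 80
--e5f6a7b8-B--
GET / HTTP/1.1
Host: www.example.test
--e5f6a7b8-F--
HTTP/1.1 200 OK
--e5f6a7b8-H--
Message: Warning. Constructed sample message, no real rule referenced.
Engine-Mode: "DETECTION_ONLY"
--e5f6a7b8-K--
SecRule REQUEST_HEADERS:User-Agent "constructed" "id:100000,phase:1,pass,log"
--e5f6a7b8-Z--
"""

# Constructed config line in the shape of the ModSecurity directive.
SAMPLE_CONFIG = 'SecAuditLogParts "ABIJDEFHZ"'


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Split audit-log text into entries: [{'id': boundary, 'parts': {letter: body}}]."""
    entries: List[Dict[str, object]] = []
    matches = list(SEPARATOR.finditer(text))
    current: Optional[Dict[str, object]] = None
    for i, m in enumerate(matches):
        boundary, letter = m.group(1), m.group(2)
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        body = text[m.end():end].strip("\n")
        # A new boundary value starts a new transaction entry.
        if current is None or current["id"] != boundary:
            current = {"id": boundary, "parts": {}}
            entries.append(current)
        current["parts"][letter] = body  # type: ignore[index]
    return entries


def missing_parts(entry: Dict[str, object], required: str = "HK") -> List[str]:
    """Letters from `required` that the entry does not contain."""
    return [p for p in required if p not in entry["parts"]]  # type: ignore[operator]


def parts_from_config(config_text: str) -> Optional[Set[str]]:
    """Letters enabled by the last SecAuditLogParts directive, or None if absent."""
    enabled = None
    for line in config_text.splitlines():
        m = re.match(r'\s*SecAuditLogParts\s+"?([A-Z]+)"?', line)
        if m:
            enabled = set(m.group(1))
    return enabled


def report(text: str, config_text: str = "") -> Dict[str, List[str]]:
    """Map entry id -> missing H/K letters, consulting the config for the likely cause."""
    enabled = parts_from_config(config_text)
    out: Dict[str, List[str]] = {}
    for entry in parse_audit_log(text):
        missing = missing_parts(entry)
        out[str(entry["id"])] = missing
        if missing:
            cause = ""
            if enabled is not None and any(p not in enabled for p in missing):
                cause = " (not enabled in SecAuditLogParts)"
            print(f"{entry['id']}: missing parts {''.join(missing)}{cause}")
        else:
            print(f"{entry['id']}: complete (H and K present)")
    return out


if __name__ == "__main__":
    report(SAMPLE_LOG, SAMPLE_CONFIG)
```

Run it against a real entry by reading one of the files under the storage directory, or the serial log when SecAuditLogType is Serial, instead of SAMPLE_LOG; with Concurrent logging piped to mlogc, the local files are removed after a successful upload, which is why the folders on the sending host look empty.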


2013/11/7 Josh Amishav-Zlatin <jamuse@owasp.org>
On Thu, Nov 7, 2013 at 11:30 AM, Daniele Gallarato <daniele.gallarato@email.it> wrote:
Hello Josh.
Sorry for delay.
Here is the complete log:



Hi Daniele,

I am mostly after sections H and K from your audit log which are missing. 

--
 - Josh

Request Details

H E A D E R
Host: faxsrv.santanderconsumer.it
Connection: keep-alive
Content-Length: 2427273
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Maxthon/4.1.3.4000 Chrome/26.0.1410.43 Safari/537.1
Origin: http://unifin2.santanderconsumer.it:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTvNYiutuTR0rcbFQ
DNT: 1
Referer: http://unifin2.santanderconsumer.it:8080/upload/uploadremoto_uf_.aspx?societa=UF&numpra=000000492600&stato=30&attributo=%20%20&user=MEDUN00303
Accept-Encoding: gzip,deflate
Accept-Language: it-IT
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response Details

H E A D E R
HTTP/1.1 200 OK
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3821
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

B O D Y
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
	Upload file
</title>
    <script type="text/javascript" src="http://unifin2.santanderconsumer.it:8080/ocsfeest/feest/scripts/OCSAPI.js" ></script> 
    <!-- <script type="text/javascript" src="http://192.168.50.43:8085/ocsfeest/feest/scripts/OCSAPI.js" ></script> -->
    <script type="text/javascript">
        var OCSprefix = false;
        function goWinBack() {
            document.getElementById('fileform').action = "http://unifin2.santanderconsumer.it:8080/upload/uploadremoto_uf_.aspx?resetta=true";
            document.fileform.submit();
        }

        function closeMyWin(outputHandler) {
            OCSprefix = getFeevoParentPrefix();
            if ((OCSprefix == "false") || (OCSprefix == false)) {
                OCSprefix = document.getElementById('hf_feevoParentPrefix').value;
            }
            parent.menuMouseDownRequest(OCSprefix + "." + "BTLOGOUT");
            outputHandler("OK");
        }

        function copy_feevoParentPrefix() {
            OCSprefix = document.getElementById('hf_feevoParentPrefix').value;
            if ( (OCSprefix == "false") || (OCSprefix == false) ){
                OCSprefix = getFeevoParentPrefix();
                document.getElementById('hf_feevoParentPrefix').value = OCSprefix;
            }
        }
    </script>
</head>

<body style="font-family: Verdana; font-size: 10px">
    <form name="fileform" method="post" action="https://faxsrv.santanderconsumer.it/uploadremoto_UF_.aspx" id="fileform" enctype="multipart/form-data">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="..." />
</div>

<div>

	<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWCAKn44vsDAK5g/P1CQLpktyvCAKTneyMAQLiyqSPDwLN6sT4CgKaxcy3DALa18DEBTeaoMyKKP606VB11UM1RAfa2WTc" />
</div>
        <input type="hidden" name="hf_feevoParentPrefix" id="hf_feevoParentPrefix" value="380571.OATKPEXWN.extWindow" />
        <input type="hidden" name="hf_pratica" id="hf_pratica" value="492600" />
        <input type="hidden" name="hf_stato" id="hf_stato" value="30" />
        <input type="hidden" name="hf_user" id="hf_user" value="MEDUN00303" />
        <input type="hidden" name="hf_attributo" id="hf_attributo" value="  " />
        <input type="hidden" name="hf_codagente" id="hf_codagente" />

        
        <div id="pnlEsitoUpload">
	<fieldset>
		<legend>
			Esito Upload
		</legend>
                <div style="text-align:center">
                    &Egrave; stato correttamente inviato il file 492600 VALLARELLI RENATO.pdf<br />
                    <input type="submit" name="btnChiudi2" value="Indietro" onclick="goWinBack();" id="btnChiudi2" style="background-color:White;border-color:Red;border-width:1px;border-style:Solid;" />
                </div>
        
	</fieldset>
</div>
        
    </form>
</body>
</html>        



2013/11/3 Josh Amishav-Zlatin <jamuse@owasp.org>
On Thu, Oct 31, 2013 at 10:56 AM, Daniele Gallarato <daniele.gallarato@email.it> wrote:
Hello again Josh.
For example, mod-security logs this event:


Hi Daniele,

Can you send me the entire audit log for that event?

--
 - Josh
 

Response Details

H E A D E R
HTTP/1.1 200 OK
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 543
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive

I'd like to disable these types of logging.

Thanks a lot.
Daniele




2013/10/31 Daniele Gallarato <daniele.gallarato@email.it>
Are these transactions false positives? Should they not be logged for another reason?

They are only transactions; every user that connects to our site generates a log entry for every connection, which means many, many logs for every connection; after one month of ModSecurity, we have a 10GB MySQL DB!
Unreadable!

Hi Daniele,

It sounds like you have a large number of false positives. I recommend tuning your ruleset. Ryan wrote a great blog post about that here:

Contact me privately if you need assistance

Hi Josh. 

Thanks, but they aren't false positives; they are simply all the transactions. They are marked with a white flag, while the alarms are marked with a red flag.






_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/