Hello Jeremy,

Yes. Looks like a bug for me. Looks like very old bug, just checked the code since 2.5.x.
I will check it tomorrow (later here) and send you a patch for testing.

Thanks

Breno


On Tue, Feb 5, 2013 at 6:46 PM, Jeremy Brock <jbrock@xtremeservices.net> wrote:
Hi all,

    I have recently deployed modsecurity 2.7.2 and have come across a strange behavior.

    I have defined the SecAuditLogRelevantStatus to only be 500 and 400 responses, however I am still getting all responses.

    Attached is an example of the audit log output that is sent to Auditconsole.  Notice that there is a Response 200 listed.

    I have also attached the Detail results that show the main rule message that was triggered.

    Here are my modsecurity.conf settings

# Settings for mlogc remote logging
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
SecAuditLogParts ABDEFHIJKZ

    When I enter apache2ctl restart I do not see any syntax errors.

    Hope you all have a great day,

~Jeremy

--
--

Jeremy Brock

XtremeServices.Net
Xtreme Services, LLC


------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/