Hello Jeremy,

Looks like you need to set SecAction "...,noauditlog,..."

The reason is that the auditlog action is present by default in the rules. This will make the engine set the transaction as relevant and will "bypass" SecAuditLogRelevantStatus.

For example, inserting SecAction before the following SecRule:

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "403"
SecAuditLogParts ABDEFHIJKZ

SecAction "phase:2,id:1,noauditlog"
SecRule REQUEST_URI "index" "phase:2,id:2,deny"

Will log only status 403.

Thanks

Breno

On Tue, Feb 5, 2013 at 7:56 PM, Breno Silva <breno.silva@gmail.com> wrote:
Hello Jeremy,

Yes. Looks like a bug to me. Looks like a very old bug; just checked the code since 2.5.x.
I will check it tomorrow (later here) and send you a patch for testing.

Thanks

Breno


On Tue, Feb 5, 2013 at 6:46 PM, Jeremy Brock <jbrock@xtremeservices.net> wrote:
Hi all,

    I have recently deployed modsecurity 2.7.2 and have come across a strange behavior.

    I have defined the SecAuditLogRelevantStatus to only be 500 and 400 responses, however I am still getting all responses.

    Attached is an example of the audit log output that is sent to Auditconsole.  Notice that there is a Response 200 listed.

    I have also attached the Detail results that show the main rule message that was triggered.

    Here are my modsecurity.conf settings

# Settings for mlogc remote logging
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
SecAuditLogParts ABDEFHIJKZ

    When I enter apache2ctl restart I do not see any syntax errors.

    Hope you all have a great day,

~Jeremy

--

Jeremy Brock

XtremeServices.Net
Xtreme Services, LLC


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users