Re: [mod-security-users] How to disable modsecurity logging in apache logs?
From: Padmaja V. <pad...@ya...> - 2011-06-23 15:51:25
That's correct. I want to see all sections (ABCIFHZ) on modsec and not any modsec logs on apache error logs.

Here is my conf setting:

# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^2-5
SecAuditLogParts ABCIFHZ
SecAuditLogType Serial
SecAuditLog /logs//test/audit/modsec_audit.log

and here are the rules I am using:

# Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
SecRule SCRIPT_BASENAME "!\.html$" "chain,pass,auditlog"
SecRule SCRIPT_BASENAME "!\.gif$" chain
SecRule SCRIPT_BASENAME "!\.js$" chain
SecRule SCRIPT_BASENAME "!\.css$"

- Padmaja.

----- Original Message ----
From: Ryan Barnett <RBa...@tr...>
To: Padmaja Vuyyuru <pad...@ya...>; matthew sporleder <msp...@gm...>
Cc: "mod...@li..." <mod...@li...>
Sent: Thu, June 23, 2011 10:36:20 AM
Subject: Re: How to disable modsecurity logging in apache logs?

I am still trying to understand your goals. Are you wanting to create audit log file for those requests but to not generate any alerts within the Apache error_log?

-Ryan

On 6/23/11 11:31 AM, "Padmaja Vuyyuru" <pad...@ya...> wrote:

>That stopped logging in both apache error log and modsec audit log. We want to
>log to modsec audit log, but not in apache error logs.
>
>-Padmaja
>
>----- Original Message ----
>From: Ryan Barnett <RBa...@tr...>
>To: Padmaja Vuyyuru <pad...@ya...>; matthew sporleder <msp...@gm...>
>Cc: "mod...@li..." <mod...@li...>
>Sent: Thu, June 23, 2011 10:02:41 AM
>Subject: Re: How to disable modsecurity logging in apache logs?
>
>Ok, so you are just looking to create ModSecurity audit logs of the
>transactions and not looking at generating alerts/events? What do you
>have the SecAuditEngine set to? If it is the default of RelevantOnly then
>it will only generate audit logs if the server responds with a relevant
>HTTP status code or if a SecRule/SecAction rule matches. If this is the
>case, then I would suggest you do the following -
>
>SecRule SCRIPT_BASENAME "!\.css$" "phase:1,t:none,nolog,pass,ctl:auditEngine=On"
>SecRule SCRIPT_BASENAME "^login\.jsp$" "phase:1,t:none,nolog,pass,ctl:auditEngine=On"
>
>These rules will not generate any alerts themselves but instead will use
>the ctl action to force audit logging of the transaction.
>
>-Ryan
>
>On 6/23/11 10:45 AM, "Padmaja Vuyyuru" <pad...@ya...> wrote:
>
>>We are trying to log with couple of rules and also trying to implement GEO
>>rules.
>>
>># Log: Log everything except html, gif, js and css'es for now, but let it through (pass)
>>
>>SecRule SCRIPT_BASENAME "!\.css$"
>>SecRule SCRIPT_BASENAME "^login\.jsp$" "log"
>>
>>----- Original Message ----
>>From: Ryan Barnett <RBa...@tr...>
>>To: Padmaja Vuyyuru <pad...@ya...>; matthew sporleder <msp...@gm...>
>>Cc: "mod...@li..." <mod...@li...>
>>Sent: Thu, June 23, 2011 9:34:29 AM
>>Subject: Re: How to disable modsecurity logging in apache logs?
>>
>>What ruleset are you using? Looks like GotRoot.
>>
>>-Ryan
>>
>>On 6/23/11 10:28 AM, "Padmaja Vuyyuru" <pad...@ya...> wrote:
>>
>>>We configured Apache with modsecurity and mod security audit and debug logs are
>>>in separate location than apache logs. We set up some rules and every time when
>>>we hit rule, it is logging in apache secure logs like shown below and audit logs
>>>in detail. We don't want this to log in apache error logs. How to disable this?
>>>We tried to modify sslconf, httpd conf and modsec conf has loglevel 0. Any help
>>>is appreciated.
>>>************************************************************************
>>>
>>>Apache error log
>>>
>>>[Thu Jun 23 09:19:00 2011] [error] [client 10.10.10.100] ModSecurity: Warning.
>>>Match of "rx \\\\.css$" against "SCRIPT_BASENAME" required. [file
>>>"/tools/httpd/myinstance/conf/modsec.conf"] [line "46"] [hostname
>>>"www.abctest.com"] [uri
>>>"/global/images/template/widgets/tooltip/bgd_left.png"] [unique_id
>>>"xDYKHgroWVAAABZ8SA4AAAAm"]
>>>
>>>Thanks,
>>>Padmaja.
>>
>>This transmission may contain information that is privileged, confidential,
>>and/or exempt from disclosure under applicable law. If you are not the intended
>>recipient, you are hereby notified that any disclosure, copying, distribution,
>>or use of the information contained herein (including any reliance thereon) is
>>STRICTLY PROHIBITED. If you received this transmission in error, please
>>immediately contact the sender and destroy the material in its entirety, whether
>>in electronic or hard copy format.
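The configuration below is an added example, not part of the thread or of any poster's setup. It puts the chained rules from the message above beside a single-rule form that uses `nolog,auditlog`, the combination the ModSecurity reference manual documents for recording a match in the audit log without raising an alert in the Apache error log. The rule id and the audit log path are constructed placeholders.

```apache
# Added example (not from the thread). Path and rule id are placeholders.
SecAuditEngine RelevantOnly
SecAuditLogParts ABCIFHZ
SecAuditLogType Serial
SecAuditLog /path/to/modsec_audit.log

# Before: the chain as posted. No logging action other than auditlog is given,
# so "log" comes from the default action list (SecDefaultAction) and every
# match also writes a "ModSecurity: Warning." line to the Apache error log.
#
#   SecRule SCRIPT_BASENAME "!\.html$" "chain,pass,auditlog"
#   SecRule SCRIPT_BASENAME "!\.gif$" chain
#   SecRule SCRIPT_BASENAME "!\.js$" chain
#   SecRule SCRIPT_BASENAME "!\.css$"

# After: one negated pattern is equivalent to the four chained negations
# (the rule matches only when the basename ends in none of the extensions).
#   nolog     suppresses the error-log alert for this rule
#   auditlog  listed after nolog, marks the transaction for the audit log
#             (nolog on its own also implies noauditlog)
# No phase is set, so the rule runs in the same default phase as the
# posted chain. The id action is mandatory from ModSecurity 2.7 onward.
SecRule SCRIPT_BASENAME "!\.(?:html|gif|js|css)$" \
    "id:1000001,t:none,pass,nolog,auditlog"
```

With `SecAuditEngine RelevantOnly`, a match of this rule is what makes the transaction relevant, so the audit log still receives sections ABCIFHZ for it while the error log stays quiet.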