I am using mod_security 2.6.8 with Apache 2.2.3 on CentOS 5.4. Basic authentication is setup for all requests. I would like to be able to capture username if request fails authentication, I am ab;e to catch the response status code 401 in phase 3 but I have no access to the username. In the audit log I see that the user name is getting logged in Apache-Error as part of trailer header:
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/aaa/mod_auth_basic.c"] [line 265] [level 3] user pvolkov: authentication failure for "/escription/mypage.html": Password Mismatch
Stopwatch: 1363866444706410 1123 (- - -)
Producer: ModSecurity for Apache/2.5.10-dev2 (http://www.modsecurity.org/).
Server: Apache/2.2.3 (CentOS)
Is there a way to extract this message using rules?