With modsecurity.conf as below all requests/responses are logged to audit_debug.log even though SecDefaultAction is explicitely set to nolog,noauditlog. Shouldn't audit_debug.log be just empty in such case?
modsecurity.conf:
SecRuleEngine On
SecDefaultAction "nolog,noauditlog,allow,phase:1"
SecRequestBodyAccess On
SecResponseBodyAccess On
SecTmpDir /tmp/
SecDataDir /tmp/
SecDebugLog /var/log/apache2/audit_debug.log
SecDebugLogLevel 9
SecDefaultAction "phase:2,allow,nolog,noauditlog"
SecAuditEngine On
SecAuditLogParts ABCFEZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
audit_debug.log: [22/Jan/2015:15:09:13 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Transaction context created (dcfg 7f885e9c8ae8). [22/Jan/2015:15:09:13 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase REQUEST_HEADERS. [22/Jan/2015:15:09:13 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Second phase starting (dcfg 7f885e9c8ae8). [22/Jan/2015:15:09:13 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Input filter: This request does not have a body. [22/Jan/2015:15:09:13 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase REQUEST_BODY. [22/Jan/2015:15:09:13 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Hook insert_filter: Adding output filter (r 7f88541f30a0). [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Receiving output (f 7f88541f4e20, r 7f88541f30a0). [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase RESPONSE_HEADERS. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Output filter: Not buffering response body for unconfigured MIME type "text/xml". [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Content Injection: Not enabled. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Sending input brigade directly. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Receiving output (f 7f88541f4e20, r 7f88541f30a0). [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Output filter: Completed receiving response body (non-buffering). [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase RESPONSE_BODY. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Output filter: Output forwarding complete. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Sending input brigade directly. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Initialising logging. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase LOGGING. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Recording persistent data took 0 microseconds. [22/Jan/2015:15:09:15 +0000][10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Audit log: Logging this transaction.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hello,
With modsecurity.conf as below all requests/responses are logged to audit_debug.log even though SecDefaultAction is explicitely set to nolog,noauditlog. Shouldn't audit_debug.log be just empty in such case?
modsecurity.conf:
SecRuleEngine On
SecDefaultAction "nolog,noauditlog,allow,phase:1"
SecRequestBodyAccess On
SecResponseBodyAccess On
SecTmpDir /tmp/
SecDataDir /tmp/
SecDebugLog /var/log/apache2/audit_debug.log
SecDebugLogLevel 9
SecDefaultAction "phase:2,allow,nolog,noauditlog"
SecAuditEngine On
SecAuditLogParts ABCFEZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
audit_debug.log:
[22/Jan/2015:15:09:13 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Transaction context created (dcfg 7f885e9c8ae8).
[22/Jan/2015:15:09:13 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase REQUEST_HEADERS.
[22/Jan/2015:15:09:13 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Second phase starting (dcfg 7f885e9c8ae8).
[22/Jan/2015:15:09:13 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Input filter: This request does not have a body.
[22/Jan/2015:15:09:13 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase REQUEST_BODY.
[22/Jan/2015:15:09:13 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Hook insert_filter: Adding output filter (r 7f88541f30a0).
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Receiving output (f 7f88541f4e20, r 7f88541f30a0).
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase RESPONSE_HEADERS.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Output filter: Not buffering response body for unconfigured MIME type "text/xml".
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Content Injection: Not enabled.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Sending input brigade directly.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Receiving output (f 7f88541f4e20, r 7f88541f30a0).
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Output filter: Completed receiving response body (non-buffering).
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase RESPONSE_BODY.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Output filter: Output forwarding complete.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][9] Output filter: Sending input brigade directly.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Initialising logging.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Starting phase LOGGING.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Recording persistent data took 0 microseconds.
[22/Jan/2015:15:09:15 +0000] [10.11.134.19/sid#7f885e910578][rid#7f88541f30a0][/services/seinfo][4] Audit log: Logging this transaction.