Comments inline below.


Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Training

Web Application Security Consortium (WASC) Member

CIS Apache Benchmark Project Lead


Author: Preventing Web Attacks with Apache


From: [] On Behalf Of Danny Shurett
Sent: Thursday, November 29, 2007 1:34 PM
Subject: [mod-security-users] Audit log keeps disappearing


I have a strange problem with my mod security implementation.  When I login to my server I usually see either an empty audit log or a severely diminished one.  For example, it is currently only about 4k and the entries are an hour old at the most.  Often I login and it is 0 bytes.  If I manually force a hit, I can see it written to the audit log.  

[Ryan Barnett] When you say “force a hit” do you mean that you send a request that triggers one of your rules or that you just make a normal request?


Also, I notice modsecurity stuff is being written to the error_log for apache.  

[Ryan Barnett] What stuff?  When Apache initially starts or other entries from your rules?


Here are some details:

Apache 2.2.6
Modsec 2.1.3
Apache uptime 23hrs

SecRuleEngine On SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

SecAuditEngine RelevantOnly

[Ryan Barnett] If you have this directive set to RelevantOnly, it will only log data to the auditlog in two scenarios – if the transaction triggered a rule or if Apache generated an HTTP status code that matches what you specified for SecAuditLogRelevantStatus -

SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Sample rule

SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/"
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"

[Ryan Barnett] So, if you send a request that triggers one of these 2 rules, it should be logged.