1. Yes, “force a hit” means I am sending traffic that should match a rule and cause a hit.
2. I see rule messages in error_log.
3. I think that is what I am looking for. The alternative would be to trigger a message in the log file for hits and misses? Meaning it would log all traffic?
4. Agreed, it is logged. I can force it and see it, but if I log in a little bit later, the log file will be either empty or only cover a very small span of time.

Comments inline below.

Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
Author: Preventing Web Attacks with Apache

From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Danny Shurett
Sent: Thursday, November 29, 2007 1:34 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] Audit log keeps disappearing

I have a strange problem with my mod security implementation.  When I login to my server I usually see either an empty audit log or a severely diminished one.  For example, it is currently only about 4k and the entries are an hour old at the most.  Often I login and it is 0 bytes.  If I manually force a hit, I can see it written to the audit log.  
[Ryan Barnett] When you say “force a hit” do you mean that you send a request that triggers one of your rules or that you just make a normal request?
Also, I notice modsecurity stuff is being written to the error_log for apache.  
[Ryan Barnett] What stuff?  When Apache initially starts or other entries from your rules?
Here are some details:

Apache 2.2.6
Modsec 2.1.3
Apache uptime 23hrs

SecRuleEngine On
SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

SecAuditEngine RelevantOnly
[Ryan Barnett] If you have this directive set to RelevantOnly, it will only log data to the auditlog in two scenarios – if the transaction triggered a rule or if Apache generated an HTTP status code that matches what you specified for SecAuditLogRelevantStatus - http://www.modsecurity.org/documentation/modsecurity-apache/2.1.3/modsecurity2-apache-reference.html#N102C0

SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
SecDefaultAction "log,deny,phase:2,status:406,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Sample rule

SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecRule ARGS "(ht|f)tps?:/"
SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"
[Ryan Barnett] So, if you send a request that triggers one of these 2 rules, it should be logged.
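The point Ryan makes about SecAuditEngine RelevantOnly (an entry is written only when a rule triggers or when the response status matches SecAuditLogRelevantStatus) can be checked against the audit log itself. The script below is an added example, not code from the thread or from the ModSecurity project: it parses the ModSecurity 2.x serial audit log layout (`--boundary-A--` … `--boundary-Z--` sections) and, for each entry, reports the response status, the rule ids found in the H section's `Message:` lines, and whether the entry was kept because of a rule hit or because of its status. The two log entries are constructed sample data that reuse the id and message of the thread's rule 300018; the SecAuditLogRelevantStatus pattern is an assumption, since the thread never shows the value in use, and is a parameter so it can be replaced with the real one.

```python
import re

# Constructed sample of a ModSecurity 2.x serial audit log with two entries.
# Entry 1 is a hit on the thread's rule 300018 (status 406); entry 2 has no
# rule message and would only be kept because of its 500 response status.
SAMPLE_AUDIT_LOG = """\
--7d21a4a0-A--
[29/Nov/2007:13:34:01 --0500] R1D4FsCoAAEAAFyZAfQAAAAA 192.0.2.10 54321 192.0.2.1 80
--7d21a4a0-B--
GET /index.php?x=http://evil.example/ HTTP/1.1
Host: www.example.com

--7d21a4a0-F--
HTTP/1.1 406 Not Acceptable
Content-Type: text/html; charset=iso-8859-1

--7d21a4a0-H--
Message: Access denied with code 406 (phase 2). Pattern match "(ht|f)tps?:/" at ARGS:x. [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]
Producer: ModSecurity for Apache/2.1.3 (http://www.modsecurity.org/).
Server: Apache/2.2.6 (Unix)

--7d21a4a0-Z--

--8e33b5b1-A--
[29/Nov/2007:13:35:12 --0500] R1D4QsCoAAEAAFyaAfQAAAAA 192.0.2.11 54322 192.0.2.1 80
--8e33b5b1-B--
GET /broken.php HTTP/1.1
Host: www.example.com

--8e33b5b1-F--
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=iso-8859-1

--8e33b5b1-H--
Producer: ModSecurity for Apache/2.1.3 (http://www.modsecurity.org/).
Server: Apache/2.2.6 (Unix)

--8e33b5b1-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # section separator lines
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")          # first line of section F
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')                # rule id inside a Message: line

# Assumed SecAuditLogRelevantStatus value (the thread does not show the real one):
# keep 5xx and all 4xx except 404.
DEFAULT_RELEVANT_STATUS = r"^(?:5|4(?!04))"


def parse_audit_log(text):
    """Split a serial audit log into entries: [{'boundary': ..., 'sections': {letter: [lines]}}]."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, section = m.groups()
            if section == "A":                      # A opens a new transaction
                current = {"boundary": boundary, "sections": {}}
                entries.append(current)
            if current is not None and section != "Z":
                current["sections"].setdefault(section, [])
            continue
        if current is not None and section not in (None, "Z"):
            current["sections"][section].append(line)
    return entries


def classify_entry(entry, relevant_status=DEFAULT_RELEVANT_STATUS):
    """Return (status, rule_ids, reason): why a RelevantOnly audit engine kept this entry."""
    sections = entry["sections"]
    status = None
    for line in sections.get("F", []):
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1)
            break
    rule_ids = []
    for line in sections.get("H", []):
        if line.startswith("Message:"):
            m = RULE_ID_RE.search(line)
            rule_ids.append(m.group(1) if m else None)
    if rule_ids:
        reason = "rule"
    elif status and re.match(relevant_status, status):
        reason = "status"
    else:
        reason = "unexplained"   # would not appear under RelevantOnly with this pattern
    return status, rule_ids, reason


def summarize(text, relevant_status=DEFAULT_RELEVANT_STATUS):
    """Map each entry's boundary id to its (status, rule_ids, reason) classification."""
    return {e["boundary"]: classify_entry(e, relevant_status) for e in parse_audit_log(text)}


if __name__ == "__main__":
    for boundary, (status, ids, reason) in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{boundary}: status={status} rules={ids} logged_because={reason}")
```

Run against a real modsec_audit.log, entries classed as "unexplained" are worth a second look: with SecAuditEngine RelevantOnly they should not exist, so either the assumed status pattern differs from the configured SecAuditLogRelevantStatus or the engine is set to On and logging every transaction.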