Like this example http://www.modsecurity.org/blog/archives/2008/01/modsecurity_25.html

I guess you could pass and log with:

# Default set in the local config
SecDefaultAction "phase:2,pass,log,auditlog"

Kind regards,

2014-01-31 rewt rewt <rewt@linux-elite.org>:
Dear All,

I am trying to set up a "honeypot" like using modsecurity and iptables.
I am now able to live redirect connection (DNAT) of an attacker to an internal VHOST...
Now I would like to be able to log all traffic GET/POST to that VHOST.

Is there a way to let everything pass for that VHOST but capture all in Audit logs?

mod-security-users mailing list
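
One way to configure the honeypot VHOST discussed in this thread so that nothing is blocked and every request is written to the audit log. This is an added example, not part of the original messages; the server name, document root and log path are assumptions, and the directives are standard ModSecurity 2.x ones.

```apache
# Hypothetical honeypot vhost (the DNAT target); names and paths are assumptions.
<VirtualHost *:80>
    ServerName honeypot.internal.example
    DocumentRoot /var/www/honeypot

    # Evaluate rules but never intercept, even if an inherited rule
    # carries an explicit deny/drop action.
    SecRuleEngine DetectionOnly

    # Buffer request bodies so POST payloads are available for logging.
    SecRequestBodyAccess On

    # Audit every transaction, not only those that match a rule
    # (RelevantOnly would miss requests that trigger nothing).
    SecAuditEngine On
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/honeypot_audit.log

    # A = audit header, B = request headers, C = request body,
    # F = response headers, H = audit trailer, Z = end marker.
    SecAuditLogParts ABCFHZ

    # As suggested in the reply: rules that follow in this context and
    # do not set their own disruptive action will pass and be logged.
    SecDefaultAction "phase:2,pass,log,auditlog"
</VirtualHost>
```

SecDefaultAction only affects rules declared after it in the same configuration context, which is why SecRuleEngine DetectionOnly is set as well: it keeps rules inherited from the main configuration from blocking honeypot traffic.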