Re: [mod-security-users] Logging configuration Question
From: Brian R. <Bri...@br...> - 2009-03-12 19:03:23
OSSEC junkie wrote:
> I want to have different .conf files for my ModSecurity installation and
> had a few questions regarding the logging. I know there are two
> different log files, modsec_audit.log and modsec_debug.log.

Three, actually: debug, audit and Apache error log.

> modsec_audit.log contains the full source/html of the page that an
> attack request came through on and also the attack information.
> Correct? modsec_debug.log just contains the relevant info of the attack

Correct, if you configured it to contain the response (see
SecAuditLogParts part 'E').

> with all the html info, correct?

The debug log just contains internal info on what ModSecurity is up to.
It is not required and not recommended to have set to a verbose level
(above 3) in production.

> If I wanted to have only a modsec_debug.log be generated from events,
> would my configuration look like this?
> *deny,log,status:501*
> **

I think you are really wanting the Apache error log here as that is what
"log" refers to, not the debug log. The debug log is only controlled by
SecDebugLogLevel. What you have above will go to *both* the logs as
"log" enables "auditlog" as well. If you do not want the audit log, then:

deny,log,noauditlog,status:501

> If I wanted both a modsec_debug.log and modsec_audit.log to be generated
> from events, would my configuration look like this?
> *deny,log,auditlog,status:501*
> **

This will log to error and audit logs, but you do not need the
"auditlog" as that is the default if "log" is used.

> I could always turn off the deny and allow the traffic to pass through
> as a passive configuration but just wanted to be 100% sure I understand
> the logging capabilities and configuration.
> Thank you.
> **

See also the relevant docs for log and auditlog:

http://modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N117DC
http://modsecurity.org/documentation/modsecurity-apache/2.5.9/modsecurity2-apache-reference.html#N115CD

-B

--
Brian Rectanus
Breach Security
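
The action combinations discussed in this reply, laid out side by side as an added example that is not part of the original message. File paths, rule ids, msg text and the matched strings are constructed; the directives and actions are those documented for ModSecurity 2.5.x.

```apache
# Constructed example: paths, ids, msg text and match strings are assumptions.
SecRuleEngine On

# Audit log. RelevantOnly lets per-rule auditlog/noauditlog decide;
# with "SecAuditEngine On" every transaction is audited regardless.
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
# Part E (response body) is only populated when response bodies are buffered.
SecResponseBodyAccess On
SecAuditLogParts ABEFHZ

# Debug log. Controlled only by SecDebugLogLevel, never by rule actions.
# Keep at 3 or below in production.
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3

# 1. "log" alone: Apache error log AND audit log ("log" implies "auditlog").
SecRule ARGS "@contains constructed-test-1" \
    "phase:2,id:100001,deny,status:501,log,msg:'error log and audit log'"

# 2. Error log only: the match is not used as a reason to audit.
#    Another matching rule in the same transaction can still trigger auditing.
SecRule ARGS "@contains constructed-test-2" \
    "phase:2,id:100002,deny,status:501,log,noauditlog,msg:'error log only'"

# 3. Audit log only: "nolog" silences both logs, "auditlog" re-enables auditing.
SecRule ARGS "@contains constructed-test-3" \
    "phase:2,id:100003,deny,status:501,nolog,auditlog,msg:'audit log only'"

# 4. Passive rule: same logging as case 1, but the request is not blocked.
#    "SecRuleEngine DetectionOnly" does the same for the whole rule set.
SecRule ARGS "@contains constructed-test-4" \
    "phase:2,id:100004,pass,log,msg:'logged, not blocked'"
```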