Re: [mod-security-users] ModSecurity + IIS - Disabling Event Logging
From: Osama E. <oel...@gm...> - 2019-04-21 01:10:43
Found that only Error logs + health info is sent to the Event Logs so disabling error logs solved it (nolog). That’s also why they weren’t sanitized.

Thanks.

--
Osama Elnaggar

On April 19, 2019 at 10:25:21 PM, Osama Elnaggar (oel...@gm...) wrote:

> Hi,
>
> When running ModSecurity on IIS, I was wondering if there was any way to disable event logging for audit logs. Is there some option to disable this? I would prefer that only health-related data be sent to the Event Log such as if ModSecurity failed to start, etc. while normal audit logs be sent to a file that I can then forward to my SIEM. I’m able to send audit logs to another file but they are still mirrored to the event log as well.
>
> Also, from my limited testing, it appears that arguments are not sanitized when sent to the Windows Event Log which is a concern. The normal audit log (modsec_audit.log) sanitizes them properly but not the event log. Is this a known issue?
>
> Thanks.
>
> --
> Osama Elnaggar
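
A configuration sketch of the setup discussed in this thread, added here as an example and not part of either message or of the ModSecurity project's shipped configuration. It assumes ModSecurity 2.x directives; the log path, rule ids, the `password` argument name and the sample rule are constructed placeholders.

```apache
# Added example (constructed values): keep rule matches out of the error log,
# which the reply above reports is what reaches the Windows Event Log on IIS,
# while still writing sanitized audit records to a file for SIEM forwarding.

SecRuleEngine On

# Audit only transactions that a rule has marked, or that end in an error status.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# One serial audit file that a log forwarder can tail.
# Placeholder path; forward slashes avoid backslash-escaping questions.
SecAuditLogType Serial
SecAuditLog C:/inetpub/logs/modsec_audit.log
SecAuditLogParts ABCFHZ

# Default for phase 2 rules that do not set their own logging actions:
# nolog suppresses the error-log entry, auditlog re-enables the audit record
# (nolog alone implies noauditlog).
# Rules that explicitly specify "log" still write error-log entries.
SecDefaultAction "phase:2,pass,nolog,auditlog"

# Mask the value of a sensitive argument in the audit log.
# No auditlog here: this action runs on every request and must not mark
# every transaction as relevant.
SecAction "id:900100,phase:2,pass,nolog,sanitiseArg:password"

# Constructed sample rule: blocks and records the match in the audit log only.
SecRule ARGS "@contains <script" \
    "id:900101,phase:2,deny,status:403,nolog,auditlog,msg:'Constructed example rule'"
```

After a change like this, send a test request that carries the sanitized argument and confirm both that no new ModSecurity rule-match entry appears in the Event Log and that the argument value is masked in `modsec_audit.log`.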