Re: [mod-security-users] nolog rule still logs
From: Bren <umu...@pr...> - 2021-04-04 22:03:16
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, April 3rd, 2021 at 11:35 PM, Ehsan Mahdavi <ehs...@gm...> wrote:

> try "id:1000,nolog,noauditlog,deny"

I tried that and:

id:1000,nolog,noauditlog,ctl:auditEngine=Off,deny

From this ticket:

https://github.com/SpiderLabs/ModSecurity/issues/1217

And still this rule match gets logged. According to the documentation nolog should be enough (unless I'm misunderstanding) so I am not sure what's going on.

The full conf is:

# The stock recommended conf
Include /etc/openresty/modsecurity/modsecurity.conf
SecRule REQUEST_FILENAME "/waf_health_check" "id:1000,nolog,deny"

This is what's getting logged:

---XlVYmBXD---A--
[04/Apr/2021:12:40:35 -0400] 161755443589.343274 127.0.0.1 4502 127.0.0.1 8504
---XlVYmBXD---B--
HEAD /waf_health_check HTTP/1.0
content-length: 0
---XlVYmBXD---D--
---XlVYmBXD---F--
HTTP/1.0 403
---XlVYmBXD---H--
---XlVYmBXD---I--
---XlVYmBXD---J--
---XlVYmBXD---Z--

This is the only thing I've tried so far that stops this line from getting logged:

SecAuditLogRelevantStatus "^(?:5|4(?!04|03))"

But I want other 403s to be logged of course.
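Added example, not part of the original message or of ModSecurity itself: a small parser for the serial audit log format quoted above. It splits each entry into its lettered parts and reports the request, the response status and the contents of part H, so you can check after each configuration change whether the health-check request still reaches the audit log. The sample entry is constructed from the quoted log with line breaks assumed, and the function names are hypothetical.

```python
import re

# Boundary line of a serial audit log part, e.g. "---XlVYmBXD---A--"
BOUNDARY = re.compile(r"^---(?P<id>[A-Za-z0-9]+)---(?P<part>[A-Z])--$")

# Constructed sample: the entry quoted in the message, line breaks assumed.
SAMPLE = """\
---XlVYmBXD---A--
[04/Apr/2021:12:40:35 -0400] 161755443589.343274 127.0.0.1 4502 127.0.0.1 8504
---XlVYmBXD---B--
HEAD /waf_health_check HTTP/1.0
content-length: 0
---XlVYmBXD---D--
---XlVYmBXD---F--
HTTP/1.0 403
---XlVYmBXD---H--
---XlVYmBXD---I--
---XlVYmBXD---J--
---XlVYmBXD---Z--
"""

def parse_entries(text):
    """Split a serial audit log into entries: {"id": ..., "parts": {letter: [lines]}}."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            # A new transaction id starts a new entry.
            if current is None or current["id"] != m["id"]:
                current = {"id": m["id"], "parts": {}}
                entries.append(current)
            part = m["part"]
            current["parts"][part] = []
        elif current is not None and line.strip():
            current["parts"][part].append(line.strip())
    return entries

def summarize(entry):
    """Pull out the request line (part B), status (part F) and part H lines."""
    b = entry["parts"].get("B", [])
    f = entry["parts"].get("F", [])
    method, uri = (b[0].split()[:2] if b else (None, None))
    status = int(f[0].split()[1]) if f else None
    return {"id": entry["id"], "method": method, "uri": uri, "status": status,
            "rule_messages": entry["parts"].get("H", [])}

def audited(text, uri):
    """Summaries of all entries for `uri` present in the audit log text."""
    return [s for s in map(summarize, parse_entries(text)) if s["uri"] == uri]
```

Running `audited(open(path).read(), "/waf_health_check")` against the real audit log (path is whatever SecAuditLog points to) returns an empty list once the health-check request is no longer being recorded.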