Re: [mod-security-users] nolog rule still logs
From: Christian F. <chr...@ne...> - 2021-04-06 19:39:02
Hey Bren,

This is what I mentioned in my message. Maybe I did not make myself very clear.

However, this only accounts for the audit log and you said you also got error-log messages and I could not explain those.

Best,

Christian

On Tue, Apr 06, 2021 at 07:24:49PM +0000, Bren via mod-security-users wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Saturday, April 3rd, 2021 at 12:38 PM, Bren via mod-security-users <mod...@li...> wrote:
>
> > Even with nolog this rule still logs to the audit log and the Nginx error log.
>
> So I think I know what's going on. This rule isn't actually being logged despite "nolog". I think it's the 403 itself that's being logged due to the default:
>
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
> If I set it to:
>
> SecAuditLogRelevantStatus "^(?:5|4(?!04|03))"
>
> It stops logging the 403s being generated by my health check rule. The comment on this rule says:
>
> "Log the transactions that are marked by a rule, as well as those that trigger a server error..."
>
> So I think this is working as designed since my rule is triggering a server error.
>
> If I set my rule to "log" it still logs the rule match as expected showing the 403 response. OWASP CRS rule matches still get logged as well so I think this change will work for me.
>
> Bren
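Added example, not part of the original message: a small Python model of the audit-log decision discussed in this thread, comparing the default and the modified SecAuditLogRelevantStatus patterns. It assumes SecAuditEngine RelevantOnly is active; the sample transactions and the names audit_logged and compare are constructed for illustration.

```python
import re

# Patterns quoted in the thread (ModSecurity evaluates them with PCRE;
# Python's re handles this lookahead syntax the same way).
DEFAULT_RELEVANT = r"^(?:5|4(?!04))"
MODIFIED_RELEVANT = r"^(?:5|4(?!04|03))"


def audit_logged(status, rule_marked, relevant_pattern):
    """Model of SecAuditEngine RelevantOnly (assumed to be the active mode).

    A transaction reaches the audit log if a rule marked it (a match with
    "log"/"auditlog"), or if its response status matches
    SecAuditLogRelevantStatus. A "nolog" match does not mark it.
    """
    return rule_marked or re.search(relevant_pattern, str(status)) is not None


# Constructed sample transactions: (description, status, rule_marked)
SAMPLES = [
    ("health check denied, nolog", 403, False),
    ("health check denied, log", 403, True),
    ("CRS block, logged rule", 403, True),
    ("403 from backend, no rule", 403, False),
    ("missing page", 404, False),
    ("auth required", 401, False),
    ("backend failure", 502, False),
    ("normal response", 200, False),
]


def compare(samples=SAMPLES):
    """Return rows of (description, status, default_result, modified_result)."""
    return [
        (desc, status,
         audit_logged(status, marked, DEFAULT_RELEVANT),
         audit_logged(status, marked, MODIFIED_RELEVANT))
        for desc, status, marked in samples
    ]


if __name__ == "__main__":
    for desc, status, before, after in compare():
        print(f"{status} {desc:30} default={before!s:5} modified={after}")
```

In this model the modified pattern also drops any other 403 that no logging rule marked, such as one returned by the backend application.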