Re: [mod-security-users] Allow and Pass with logging issues

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Julian Frumar wrote:
> I am trying to implement mod security initially to audit all POSTED
> variables.
> 
> 
> In order to do this, all I really need is a filter rule that matches the
> POST request type, and logs, but allows the request.
> 
> 
> I am having touble getting this simple setup running in Mod_security 1.7.1.
> 
> It seems that the auditing and logging works when I deny the requests, but I
> cannot get anything to log with the 'pass', and 'allow' actions.
> 
> I am using apache 1.3.28, mod_security 1.7.1.
> 
> I have copied the rule off page 16 of the PDF manual:
> 
> ----------------------------------------------------
> pass
> Allow request to continue on filter match. This action is useful when you
> want to log a filter match
> but otherwise do not want to take action.
> 
> SecFilter KEYWORD "pass,log"
> ----------------------------------------------------
> 
> However, I receive no logging at all!
> 
> When I turn on debug logging, it says it is passing the match off to the
> audit engine, but I see nothing in the error_log of apache, or the audit_log
> of mod security.
> 
> Can anyone else replicate this behaviour?

   I can. It is a bug. Since I am releasing 1.7.2 tonight the bug
   fix will be included with the new version.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]