Re: [mod-security-users] auditlog and noauditlog

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

fo...@po... wrote:
> Hi there,
> 
> I work with a small mod_security ruleset. It's a big help when
> debugging web applications.
> 
> The audit log is configured as follows:
> 
> SecFilterScanOutput   On
> SecAuditLogType       Concurrent
> SecAuditLogStorageDir /logs/weblogs/apache/myservice/audit_data/
> SecAuditLog           /logs/weblogs/apache/myservice/audit_index.log
> SecAuditLogParts      ABCDEFGHZ
> SecFilterSelective    REQUEST_URI   "^/heartbeat.html"  noauditlog,pass
> 
> I want to avoid logging the loadbalancer's heartbeat request every five
> second (and in  a different setup, i want the audit log to concentrate
> on
> a single arbitrary IP address).
> 
> Now the thing i do not understand is, that i get what i expected
> in audit_index.log, but the storage dir fills up with the heartbeat
> requests
> nevertheless.
> 
> Is there something i missed in the documentation?

  No, but you are probably running 1.9.1 or earlier. From
  http://www.modsecurity.org/documentation/known-issues-1.9.x.html:

  "Fixed a bug in the concurrent audit logging code where partial audit
   log entry files were being created for all requests."

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net