da...@ez... wrote:
> Is there any way to set two different audit logs? Something like:
>
> SecAuditEngine On
> SecAuditLog logs/audit_log
>
> SecAuditEngine RelevantOnly
> SecAuditLog logs/relevant_log
>
> I want one log that shows everything and one that shows only what matched a
> filter. Is it possible? This would be a big help. If we had this and a
> client's site was hacked we would have full logging and could see exactly
> how it was done. Then we could create new filters to block such attacks and
> tell the client what scripts need to be secured. I really don't want to only
> have a log of everything because we need to see just what matched. We have
> to monitor this to make sure the rules we have set up are not creating
> problems for our clients. This would be almost impossible with one huge
> file.

No, you can't have two audit logs for the same content. (You can
have two audit logs for two applications/areas on the same web
server.)

However, what you can do is log everything but have a script
that parses out the full audit log and separates the ones with
matches.

--
Ivan Ristic (http://www.modsecurity.org)
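
One way to write the script suggested in the reply above, as an added example that is not part of the original thread or ModSecurity's own code. It assumes the ModSecurity 2.x serial audit log format (sections delimited by `--<id>-<letter>--`) and treats a transaction as matched when its H (trailer) section carries a `Message:` line; the function names and the sample entries are constructed for illustration.

```python
import re
# Assumed format: ModSecurity 2.x serial audit log, "--<id>-<letter>--" sections.
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--\s*$")

def iter_entries(stream):
    """Yield (lines, matched); matched means section H has a 'Message:' line."""
    lines, entry_id, section, matched = [], None, None, False
    for line in stream:
        m = BOUNDARY.match(line)
        if m and entry_id is None and m.group(2) == "A":
            lines, entry_id, section, matched = [line], m.group(1), "A", False
        elif entry_id is None:
            continue  # blank lines or junk between transactions
        elif m and m.group(1) == entry_id:
            # Only boundaries with this entry's id count, so boundary-like
            # text inside a logged request body cannot open a fake section.
            lines.append(line)
            section = m.group(2)
            if section == "Z":
                yield lines, matched
                entry_id = None
        else:
            lines.append(line)
            # Section C (request body) is client-controlled; trust only H.
            if section == "H" and line.startswith("Message: "):
                matched = True
    if entry_id is not None:
        yield lines, matched  # last entry was cut off before its Z boundary

def split_relevant(stream, write):
    """Pass matched entries to write(); return (total, relevant) counts."""
    total = relevant = 0
    for lines, matched in iter_entries(stream):
        total += 1
        if matched:
            relevant += 1
            for entry_line in lines:
                write(entry_line)
    return total, relevant

# Constructed sample: clean request, body imitating a match, real match.
SAMPLE = (
    "--1a2b3c4d-A--\n[ts] tx1 192.0.2.10 4000 192.0.2.1 80\n--1a2b3c4d-B--\n"
    "GET / HTTP/1.1\n\n--1a2b3c4d-H--\nStopwatch: 1 2\n--1a2b3c4d-Z--\n\n"
    "--5e6f7a8b-A--\n[ts] tx2 192.0.2.11 4001 192.0.2.1 80\n--5e6f7a8b-C--\n"
    "a=1\n--00000000-H--\nMessage: forged\n--5e6f7a8b-H--\nStopwatch: 1 2\n"
    "--5e6f7a8b-Z--\n\n--9c0d1e2f-A--\n[ts] tx3 192.0.2.12 4002 192.0.2.1 80\n"
    "--9c0d1e2f-H--\nMessage: Access denied with code 403\n--9c0d1e2f-Z--\n"
).splitlines(True)
```

To produce the second log, pass the open full audit log as `stream` and the `write` method of the file that should hold only the matched transactions.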