mod-security-users

[mod-security-users] auditlog and noauditlog

[<fo...@po...>]

Hi there,

I work with a small mod_security ruleset. It's a big help when
debugging web applications.

The audit log is configured as follows:

SecFilterScanOutput   On
SecAuditLogType       Concurrent
SecAuditLogStorageDir /logs/weblogs/apache/myservice/audit_data/
SecAuditLog           /logs/weblogs/apache/myservice/audit_index.log
SecAuditLogParts      ABCDEFGHZ
SecFilterSelective    REQUEST_URI   "^/heartbeat.html"  noauditlog,pass

I want to avoid logging the loadbalancer's heartbeat request every five
second (and in  a different setup, i want the audit log to concentrate
on
a single arbitrary IP address).

Now the thing i do not understand is, that i get what i expected
in audit_index.log, but the storage dir fills up with the heartbeat
requests
nevertheless.

Is there something i missed in the documentation?

best regards,

Christian Folini

Re: [mod-security-users] auditlog and noauditlog

[Ivan R. <iv...@we...>]

fo...@po... wrote:
> Hi there,
> 
> I work with a small mod_security ruleset. It's a big help when
> debugging web applications.
> 
> The audit log is configured as follows:
> 
> SecFilterScanOutput   On
> SecAuditLogType       Concurrent
> SecAuditLogStorageDir /logs/weblogs/apache/myservice/audit_data/
> SecAuditLog           /logs/weblogs/apache/myservice/audit_index.log
> SecAuditLogParts      ABCDEFGHZ
> SecFilterSelective    REQUEST_URI   "^/heartbeat.html"  noauditlog,pass
> 
> I want to avoid logging the loadbalancer's heartbeat request every five
> second (and in  a different setup, i want the audit log to concentrate
> on
> a single arbitrary IP address).
> 
> Now the thing i do not understand is, that i get what i expected
> in audit_index.log, but the storage dir fills up with the heartbeat
> requests
> nevertheless.
> 
> Is there something i missed in the documentation?

  No, but you are probably running 1.9.1 or earlier. From
  http://www.modsecurity.org/documentation/known-issues-1.9.x.html:

  "Fixed a bug in the concurrent audit logging code where partial audit
   log entry files were being created for all requests."

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net