How can I control what gets logged to the modsecurity log?

Controlling What Gets Logged to the ModSecurity Log

The following options control what gets logged to the modsecurity audit log:

SecAuditEngine - Configures the audit logging engine. Possible values are:

On - log all transactions by default.
Off - do not log transactions by default.
RelevantOnly - by default only log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant (see SecAuditLogRelevantStatus).

SecAuditLogRelevantStatus - Configures which response status code is to be considered relevant for the purpose of audit logging. The parameter is a regular expression.

SecAuditLogParts - Configures what sections to log. The default is: ABCFHZ. Available audit log parts:

A – audit log header (mandatory)
B – request headers
C – request body (present only if the request body exists and ModSecurity is configured to intercept it)
D - RESERVED for intermediary response headers, not implemented yet.
E – intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it). Intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page).
F – final response headers (excluding the Date and Server headers, which are always added by Apache in the late stage of content delivery).
G – RESERVED for the actual response body, not implemented yet.
H - audit log trailer
I - This part is a replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding in used. In this case it will log a fake application/x-www-form-urlencoded body that contains the information about parameters but not about the files. This is handy if you don't want to have (often large) files stored in your audit logs.
J - RESERVED. This part, when implemented, will contain information about the files uploaded using multipart/form-data encoding.
Z – final boundary, signifies the end of the entry (mandatory)

Example

To only log 5XX and 4XX status codes. Go to Tools & Settings -> Web Application Firewall (ModSecurity) -> Settings -> enter the code below in the Custom directives textarea:

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4)"
SecAuditLogParts ABIFHZ
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsecurity/audit

Data Retention Period

Administrators can set the number of days to keep SecAutitLog records by going to Juggernaut Firewall -> Settings -> Database Maintenance -> Maintenance Settings -> Delete modsecurity logs after

Data Redention Period

 

  • modsecurity
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How can I raise the open file limit for the login failure daemon?

The login failure daemon can crash if you are monitoring a lot of domains in Plesk and are...

How can I test to make sure that the OS has all the required kernel modules required for Juggernaut Firewall?

Test from the Juggernaut Extension You can run the firewall test by going to Juggernaut Firewall...

How can I adjust the attack triggers used by the login failure daemon?

To Adjust Login Failure Triggers Navigate to Juggernaut Firewall -> Settings -> Login...

Where are the configuration files for Juggernaut Firewall located?

Configuration files are located in the /etc/csf/ directory with the main firewall configuration...

How can I use Juggernaut Firewall to monitor a list of directories?

Enter the Directories You Want To Monitor Navigate to Juggernaut Firewall -> Settings ->...