Recipe 1-7: Logging Only Relevant Transactions
This recipe shows you how to configure ModSecurity to log only transactions that are deemed relevant from a security perspective.
Ingredients
  • ModSecurity Reference Manual [16]
    • SecRuleEngine directive
    • SecAuditEngine directive
    • SecAuditLog directive
    • SecAuditLogType directive
    • SecAuditLogParts directive
    • SecAuditLogStorageDir directive
    • SecRequestBodyAccess directive
    • SecResponseBodyAccess directive
    • SecAuditLogRelevantStatus directive
I strongly recommend that organizations use full HTTP audit logging, as described in Recipe 1-6. That being said, I understand that logging full HTTP transactional data may be infeasible for your web application. If you decide not to log all data, you can configure ModSecurity to log only what it determines to be relevant transactions. If you change the SecAuditEngine directive from On to RelevantOnly, ModSecurity creates an audit log entry in only two distinct scenarios:
  • A SecRule directive matches the transaction and its actions include auditlog (the usual default; a rule that specifies noauditlog does not mark the transaction as relevant)
  • The web server responds with an HTTP status code that matches the regular expression defined in the SecAuditLogRelevantStatus directive
Note that with SecRuleEngine set to DetectionOnly, a matching rule is logged but never blocks, so the response status you see is the one the application itself produced.
Here is an updated audit logging configuration that uses only relevant logging:
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCIFEHZ
SecAuditLog /usr/local/apache/logs/audit.log
SecAuditLogType Serial
With these configurations, ...
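The following is an added example, not code from the book or from ModSecurity itself. It models the RelevantOnly decision in Python so you can test a SecAuditLogRelevantStatus expression against sample status codes before deploying it. The regex is the one from the configuration above; the request lines, status codes and rule ids are constructed sample data, and the auditlog/noauditlog handling is a simplified model of the real engine's behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The SecAuditLogRelevantStatus value from the recipe: any 5xx, and any 4xx
# except 404 (the negative lookahead (?!04) excludes it).
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")


@dataclass
class Transaction:
    """One HTTP transaction as ModSecurity would see it (constructed sample data)."""
    request_line: str
    status: int
    # ids of rules that matched the transaction (hypothetical ids, for illustration)
    matched_rules: List[int] = field(default_factory=list)
    # True if a matching rule carried the noauditlog action, which tells
    # ModSecurity not to treat the match as relevant for audit logging
    noauditlog: bool = False


def status_is_relevant(status: int, pattern=RELEVANT_STATUS) -> bool:
    """ModSecurity matches the regex against the status code as text, so the
    ^ anchor makes '4' cover 400-499 and '5' cover 500-599."""
    return pattern.match(str(status)) is not None


def should_audit(tx: Transaction, engine: str = "RelevantOnly") -> bool:
    """Simplified model of SecAuditEngine: On logs everything, Off logs
    nothing, RelevantOnly logs on a rule match (unless noauditlog) or on a
    response status that matches SecAuditLogRelevantStatus."""
    if engine == "On":
        return True
    if engine == "Off":
        return False
    if engine != "RelevantOnly":
        raise ValueError(f"unknown SecAuditEngine value: {engine}")
    rule_relevant = bool(tx.matched_rules) and not tx.noauditlog
    return rule_relevant or status_is_relevant(tx.status)


def audited_requests(transactions, engine: str = "RelevantOnly") -> List[str]:
    """Return the request lines that would receive an audit log entry."""
    return [tx.request_line for tx in transactions if should_audit(tx, engine)]


# Constructed sample traffic, not captured from a real server.
SAMPLE = [
    Transaction("GET / HTTP/1.1", 200),
    Transaction("GET /missing.png HTTP/1.1", 404),
    Transaction("GET /admin/ HTTP/1.1", 403),
    Transaction("POST /login HTTP/1.1", 401),
    Transaction("GET /search?q=x HTTP/1.1", 500),
    Transaction("GET /index.php?id=1 HTTP/1.1", 200, matched_rules=[999001]),
    Transaction("GET /healthz HTTP/1.1", 200, matched_rules=[999002], noauditlog=True),
]

if __name__ == "__main__":
    for tx in SAMPLE:
        print(f"{tx.status} {tx.request_line:<32} audit={should_audit(tx)}")
```

Running it shows that the 404 and the plain 200 are dropped, every other 4xx and 5xx is kept, and a rule match on an otherwise clean 200 still produces an entry unless the rule opted out with noauditlog. If you tune the regex (for example to also drop 401s from a noisy login endpoint), change RELEVANT_STATUS here first and confirm the selection is what you intend before editing the live configuration.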