1

I installed mod_security on my Ubuntu GNU/Linux server but when I send some simple requests to the web server that should match even the simplest rules, I fail to see any alerts or any log files that were supposed to exist in /var/log/apache2. What am I missing?

Before proceeding further here's my system details:

$ apache2ctl -t -D DUMP_MODULES | grep secu
Syntax OK
 security2_module (shared)

$ sudo lsof | grep mod_security
apache2   12773        root  mem       REG      202,0   268828      50225 /usr/lib/apache2/modules/mod_security2.so
apache2   15287    www-data  mem       REG      202,0   268828      50225 /usr/lib/apache2/modules/mod_security2.so
apache2   15288    www-data  mem       REG      202,0   268828      50225 /usr/lib/apache2/modules/mod_security2.so
...

And here is the relevant part from my /etc/apache2/apache2.conf:

<IfModule mod_security2.c>
      # Basic configuration options
      SecRuleEngine On
      SecRequestBodyAccess On
      SecResponseBodyAccess Off

      # Handling of file uploads
      # TODO Choose a folder private to Apache.
      # SecUploadDir /opt/apache-frontend/tmp/
      SecUploadKeepFiles Off

      # Debug log
      SecDebugLog /var/log/apache2/modsec_debug.log
      SecDebugLogLevel 3

      # Serial audit log
      SecAuditEngine RelevantOnly
      SecAuditLogRelevantStatus ^5
      SecAuditLogParts ABIFHZ
      SecAuditLogType Serial
      SecAuditLog /var/log/apache2/modsec_audit.log

      # Maximum request body size we will
      # accept for buffering
      SecRequestBodyLimit 131072

      # Store up to 128 KB in memory 
      SecRequestBodyInMemoryLimit 131072
      # Buffer response bodies of up to 512 KB in length
      SecResponseBodyLimit 524288

      # Configure default blocking policy
      # see ModSecurity Handbook, p. 175
      #
      #SecDefaultAction "phase:1,log,auditlog,pass"

      Include /etc/apache2/modsecurity-crs_2.0.6/*.conf
      Include /etc/apache2/modsecurity-crs_2.0.6/base_rules/*.conf  

      SecFilter "/bin/"
      SecFilter "/cgi-bin" "deny,log,status:500"


      # By default log and deny suspicious requests
      # with HTTP status 500
      SecFilterDefaultAction "deny,log,status:500"
</IfModule>

So I expect that if I try to visit my web site and send a request that matches one of the filters I declared above using SecFilter or anything that matches the base rules, etc. then I should see something in those files:

/var/log/apache2/modsec_debug.log
/var/log/apache2/modsec_audit.log

right?

However those files do not exist no matter what I try:

http://www.myserver.com/cgi-bin
http://www.myserver.com/index.html?q=/cgi-bin
http://www.myserver.com/bin
http://www.myserver.com/index.html?q=/bin
http://www.myserver.com/index.html?q=/bin/

Why can't I see any modsec_debug.log or modsec_audit.log in /var/log/apache2? I also don't get status 500 from the server. All I can see from the requests above is a few entries in the error.log file in /var/log/apache2 stating that the files I requested were not found, but no alerts produced by mod_security.

What am I missing?

Emre Sevinç

2 Answers

3

Shame on me! I've put the mod-security config directives before (and not after) the:

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

so the mod-security module was not actually loaded! Now that I have placed the mod-security directives below them, mod-security is loaded and it logs to the relevant files. Problem solved.

Emre Sevinç
    you can mark this as the solution by clicking the tick next to this answer. Marking this as the solution shows anyone else on the internet who finds this question that this solved your problem. – Ben Pilbrow Mar 17 '11 at 08:35
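The cause found in the accepted answer (Apache evaluates <IfModule> in the order it reads the configuration, so a block placed before the Include that loads the module is silently skipped rather than rejected) can be checked mechanically. The script below is an added example, not code from the question or from ModSecurity: it scans an apache2.conf text (a constructed sample in the same shape as the question is embedded) and reports <IfModule mod_security2.c> openings that precede the module load. It assumes the load happens either through a LoadModule security2_module line or through the mods-enabled/*.load Include, and it does not follow included files.

```python
import re
from typing import List, Tuple

# Constructed sample of an apache2.conf with the same mistake as the question:
# the <IfModule mod_security2.c> block sits ABOVE the Include that loads the modules.
SAMPLE_CONF = """\
ServerRoot "/etc/apache2"
<IfModule mod_security2.c>
    SecRuleEngine On
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>
# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
"""

# Lines after which security2_module is considered loaded (assumption: the
# mods-enabled/*.load Include is what pulls in security2.load on Debian/Ubuntu).
LOAD_RE = re.compile(
    r'^\s*(LoadModule\s+security2_module\b|Include\s+\S*mods-enabled/\*\.load)', re.I)
# Positive <IfModule> tests for the module, by file name or by module identifier.
# A negated test (<IfModule !mod_security2.c>) is deliberately not matched.
IFMOD_RE = re.compile(
    r'^\s*<IfModule\s+"?(mod_security2\.c|security2_module)"?\s*>', re.I)


def find_skipped_ifmodule(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, text) for every <IfModule mod_security2.c> opening that
    Apache would parse before the module is loaded; such a block is dropped
    without any error, which is why no log files or 500s ever appear."""
    loaded = False
    skipped = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if LOAD_RE.match(line):
            loaded = True
        elif IFMOD_RE.match(line) and not loaded:
            skipped.append((no, line.strip()))
    return skipped


if __name__ == "__main__":
    for no, text in find_skipped_ifmodule(SAMPLE_CONF):
        print(f"line {no}: {text} appears before the module is loaded; "
              f"move it below the mods-enabled/*.load Include")
```

Run it against the real file with `find_skipped_ifmodule(open("/etc/apache2/apache2.conf").read())`; an empty list means every ModSecurity block comes after the load point.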
0

touch /var/log/apache2/modsec_debug.log
chown apache_user:apache_user /var/log/apache2/modsec_debug.log

Change SecAuditEngine RelevantOnly to SecAuditEngine On.

  • I touched those files, now they exist and the ownership belongs to www-data. I also changed the configuration to be SecAuditEngine On, restarted Apache and then tried the same requests to my server (listed at the end of my original post). Then I checked modsec_audit.log and modsec_debug.log in /var/log/apache2, but unfortunately they are still empty :-( – Emre Sevinç Mar 16 '11 at 10:39