How to include ModSecurity request final action in the Apache access.log

Question

I'm currently using ModSecurity 2.7 and Apache 2.4.7 on Ubuntu Trusty.

I would like to use Apache's LogFormat and CustomLog directives so that I can include a field indicating whether ModSecurity decided to allow a request to proceed or whether it blocked a request.

I would also like to include a field indicating whether an allowed request did trigger any warning-only ModSecurity rules. I am not concerned whether this needs to be two different fields, or just one, as long as the information is present on each Apache log line.

There is documentation that suggests I can use mod_log_config and %{...}M syntax to include ModSecurity variables in the Apache log but I do not know which variables would give me the necessary information.

I am explicitly trying to maintain SecAuditEngine RelevantOnly and not require a full audit log for every request. I am also hoping to avoid the need to do cross-log correlation using mod_unique_id or similar.

Is this possible. How?

Answer 1

Try blocking with an unusual response status, then logging that in the log. For warnings, use HIGHEST_SEVERITY.

(via https://twitter.com/ivanristic/status/632098551603052544)

Answer 2

http://resources.infosecinstitute.com/analyzing-mod-security-logs/

SecAuditLogParts: Audit log is quite large as it logs everything about the request, like Request Header, Response Header, Request Body and Body Response, etc. So, through this option we can actually tell the Mod Security what should be logged in the error logs and what should be ignored. In order to do this, each part is assigned an alphabet. Here is the table in which every alphabet’s meaning is defined.