I'm fiddling around with mod_security to log POST request payloads for a specific URI.
As stated in this response https://serverfault.com/a/729079/292993 to a similar question, mod_security's AuditEngine works like this:
It will also log to AuditEngine depending on what your SecAuditEngine value is set to:
- If you have SecAuditEngine set to On then everything is logged to audit log and above rule is not needed. This fills up log files quickly so is not recommended.
- If you have SecAuditEngine set to RelevantOnly then it will only log to audit engine for certain return codes (as defined by your SecAuditLogRelevantStatus). This is typically only done for errors (5xx) or access denied (4xx - though usually without 404s). As you are not denying access (and presumably wouldn't want to!) this would not be logged to audit log.
- If SecAuditEngine is set to Off then it will never be logged to the audit log.
It's usually best to have SecAuditEngine set to RelevantOnly (which I suspect is what you have already). The correct way to do it is with that other rule you gave using ctl action:
SecRule REQUEST_METHOD "POST" "id:22222224,phase:2,ctl:auditEngine=On,log,pass"
This forces the AuditEngine to be on for post requests - even if the request succeeds which wouldn't normally be logged.
Keeping this in mind, what's the point of the action auditlog if I have to work with ctl to turn the AuditEngine on at request level to log something to the audit log?
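
The setup the quoted answer describes, narrowed to POST requests for a single URI, as an added example that is not part of the original post or the linked answer. It assumes ModSecurity 2.x; the path /app/submit, the rule id and the log location are placeholder values.

```apache
# Added example (assumed values: /app/submit, id 1000001, log path).

# Request bodies must be buffered, or audit log part C stays empty.
SecRequestBodyAccess On

# Default policy: audit only transactions with a relevant status
# (5xx and 4xx except 404), as in the quoted answer.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Leave the request body (part C) out of ordinary audit entries so
# payloads are not collected for every logged transaction.
SecAuditLogParts ABFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Force auditing for POST requests to one URI, even when the response
# is a 200 that RelevantOnly would otherwise skip. The ctl actions sit
# in the last rule of the chain because non-disruptive actions run as
# soon as the rule that carries them matches, not when the whole chain
# matches. nolog keeps the match itself out of the error log.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1000001,phase:2,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /app/submit" \
        "ctl:auditEngine=On,ctl:auditLogParts=+C"
```

Both ctl settings apply to the current transaction only, so the global RelevantOnly policy and the reduced part list stay in force for all other requests.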