
I'm fiddling around with mod_security to log POST request payloads for a specific URI.

As stated in this response https://serverfault.com/a/729079/292993 to a similar question, mod_security's AuditEngine works like this:

It will also log to AuditEngine depending on what your SecAuditEngine value is set to:

  1. If you have SecAuditEngine set to On then everything is logged to audit log and above rule is not needed. This fills up log files quickly so is not recommended.
  2. If you have SecAuditEngine set to RelevantOnly then it will only log to audit engine for certain return codes (as defined by your SecAuditLogRelevantStatus). This is typically only done for errors (5xx) or access denied (4xx - though usually without 404s). As you are not denying access (and presumably wouldn't want to!) this would not be logged to audit log.
  3. If SecAuditEngine is set to Off then it will never be logged to the audit log.

It's usually best to have SecAuditEngine set to RelevantOnly (which I suspect is what you have already). The correct way to do it is with that other rule you gave using ctl action:

SecRule REQUEST_METHOD "POST" "id:22222224,phase:2,ctl:auditEngine=On,log,pass"

This forces the AuditEngine to be on for post requests - even if the request succeeds which wouldn't normally be logged.

Keeping this in mind, what's the point of the action auditlog if I have to work with ctl to turn AuditEngine on at request level to log something to the audit log?

ahaertig

1 Answer


I wrote that answer you've referenced and, after testing a bit after reading your question, I've realised it isn't accurate. Will update it.

After some experimentation I've found the following:

  • If SecAuditEngine is set to On, then auditlog will have no real effect as the request will be logged anyway.

  • If SecAuditEngine is set to Off, then auditlog will have no effect as the request will not be logged anyway.

  • If SecAuditEngine is set to RelevantOnly, then auditlog will cause the firing of the rule to be logged, even if you do not deny access (that's the mistake in the above answer that you quoted).

So what's the difference between auditlog and ctl:auditEngine=On? Well, not much, but I can see two main differences:

  1. Auditlog will not work when SecAuditEngine is set to off. Whereas ctl:auditEngine=On will work.

  2. ctl:auditEngine=On can be used to turn on auditing without showing the actual rule. For example if you have the following:

    SecRule REQUEST_METHOD "POST" "id:22222224,phase:2,ctl:auditEngine=On,nolog,pass"
    

    Then the request will be logged in the audit log but there will be no mention of rule 22222224 (as it's set to nolog). This may be useful or not: The presence of rule 22222224 may add confusion as there's no actual security issue with this rule (it's just used to turn on the AuditEngine), and perhaps you only want real security rules logged in the audit and error log. On the flipside it might confuse people why something is in the auditlog with no apparent rule firing to cause it to be put there.

Ultimately there's not a huge difference and more a matter of taste as to which you want to use.

Barry Pollard
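The two variants discussed in the question and the answer, put side by side in one ModSecurity v2 configuration fragment. This is an added example, not configuration from the original question or answer: the URI /api/submit, the log path and the rule ids 1000001 and 1000002 are assumptions chosen for illustration. It also covers the two settings a practitioner gets bitten by when "logging POST payloads" produces entries without a body: SecRequestBodyAccess must be On, and SecAuditLogParts must include the C or I part.

```apache
# Added example (not from the original question or answer): log POST bodies
# for one URI while SecAuditEngine stays RelevantOnly for everything else.
# Assumed for illustration: URI /api/submit, log path, rule ids 1000001/1000002.

SecRuleEngine        DetectionOnly
# Without this the request body is never buffered, so the C/I parts of an
# audit entry are empty even when the transaction is written to the log.
SecRequestBodyAccess On

SecAuditEngine            RelevantOnly
# Relevant status codes: 5xx and 4xx except 404 (the usual recommended value).
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# I (or C) is the request body part; drop it and the payload is not recorded.
SecAuditLogParts          ABIJDEFHZ
SecAuditLogType           Serial
SecAuditLog               /var/log/apache2/modsec_audit.log

# Variant 1: ctl:auditEngine=On switches the audit engine on for this one
# transaction. It works even if SecAuditEngine is Off. With nolog the entry
# appears in the audit log but part H carries no message for rule 1000001.
# REQUEST_LINE is "POST /api/submit... HTTP/1.1", so one regex selects both
# the method and the URI without a chained rule.
SecRule REQUEST_LINE "@rx ^POST /api/submit[ /?]" \
    "id:1000001,phase:2,pass,nolog,ctl:auditEngine=On"

# Variant 2: auditlog marks the transaction as relevant, so under
# RelevantOnly it is written even though the response is a 200. It has no
# effect under On (logged anyway) or Off (never logged). With log the match
# also goes to the error log and shows up as a Message line in part H.
SecRule REQUEST_LINE "@rx ^POST /api/submit[ /?]" \
    "id:1000002,phase:2,pass,log,auditlog"
```

To check the behaviour, enable one variant at a time and send a POST to /api/submit that returns 200: the audit log should gain an entry whose I (or C) part contains the body, with a Message line for rule 1000002 in part H under variant 2 and no rule mentioned under variant 1. A GET to the same URI, or a successful POST elsewhere, should produce no entry at all; if the entry exists but the body part is empty, SecRequestBodyAccess or SecAuditLogParts is the culprit, not the rule. phase:2 is the earliest phase in which the body is available, and a ctl setting made there persists for the rest of the transaction.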