I'm trying to set up mod_security to log POST request payloads for a specific URI, as it seems that a customer's webpage is being used as a spam relay and these requests corrupt the server-side cache.
I started by following this blog post, but it seems rather old and outdated. It's not working with our environment, which is Apache 2.4 and mod_security 2.8. So I enhanced that config using this Server Fault answer.
Inside the relevant vhost config, mod_security is configured like this:
<IfModule security2_module>
    SecRuleEngine On
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit.log
    SecRequestBodyAccess On
    SecAuditLogParts ABCFHJKZ
    SecDefaultAction "phase:2,nolog,noauditlog,pass"
    SecRule REQUEST_METHOD "^POST$" "id:'1234',phase:2,chain,allow,ctl:auditEngine=On"
        SecRule REQUEST_URI "^\/en\/us\/$"
</IfModule>
The result is that every POST request is logged to the audit log, but only POST requests to the homepage https://<SITE>/en/us/ should be logged. In my understanding, this should be done by chaining to the second SecRule, which matches the request URI against the given regex. I also tried different versions of the regex without success.
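The chained rule from the question, shown as posted and with `ctl:auditEngine=On` moved to the last rule of the chain (an added example, not part of the original post). It relies on the documented ModSecurity 2.x chain behaviour: non-disruptive actions such as `ctl` run as soon as the individual rule that carries them matches, while a disruptive action on the chain starter (`allow` here) runs only when the whole chain matches.

```apache
<IfModule security2_module>
    SecRuleEngine On
    # RelevantOnly stays the default; auditing is switched on per transaction below.
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit.log
    # Needed so the request body is buffered; part C in SecAuditLogParts writes it out.
    SecRequestBodyAccess On
    SecAuditLogParts ABCFHJKZ
    SecDefaultAction "phase:2,nolog,noauditlog,pass"

    # As posted: ctl:auditEngine=On sits on the chain starter, so it fires for
    # every request where REQUEST_METHOD matches, whatever the URI check returns.
    #SecRule REQUEST_METHOD "^POST$" "id:'1234',phase:2,chain,allow,ctl:auditEngine=On"
    #    SecRule REQUEST_URI "^\/en\/us\/$"

    # Variant: the chain starter keeps the id, phase and disruptive action;
    # ctl:auditEngine=On moves to the last rule, which is only evaluated (and
    # can only match) after the method check has already matched.
    SecRule REQUEST_METHOD "^POST$" "id:'1234',phase:2,chain,allow"
        SecRule REQUEST_URI "^\/en\/us\/$" "ctl:auditEngine=On"
</IfModule>
```

`REQUEST_URI` includes the query string, so the anchored pattern only matches POSTs to `/en/us/` that carry no query parameters.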