Prevent Modsec_Audit.log filling up with HTTP 200 OK

Print Friendly

Modsec is an enormous benefit in terms of catching many of the security holes created by bad php programming in your user accounts. However, on a busy server, you will find that the majority of the audit log (and the bulk of the entries it dumps into mysql) will be for things that you really don’t want to see. These logs, particularly the MySQL table, can grow to gigabytes in size, so it’s something I like to keep in check.

Obviously, there ARE some attacks which may still result in a 200 response, and therefore won’t be logged, so be warned. However, this measure is easy to implement and remove at will. I suspect that if an attack managed to penetrate your server, regardless of it only triggering 200 responses, then the least of your worries is going to be looking through the modsec logs (if you have a server left at all!)

In the modsec2.conf file, usually found in /usr/local/apache/conf/modsec2.conf you need to make sure the following directives are in place. You will likely have many more directives in your conf file, but here I am just showing the ones you need to control the logging levels.

<IfModule mod_security2.c>
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[345]"
</IfModule>

Basically¬†SecAuditEngine RelevantOnly tells us to only audit things that modsec deems relevant. The ^[345] is just a little regex that says “only match anything that starts with 3, 4 or 5” – so this would only log anything in the 300 – 599 range.

This can drastically reduce the amount of unwanted material in the log.

As always, do not test this in a production environment!

Tags: ,

No comments yet.

Leave a Reply

Bot test *