How to disable some logs? #3110
Comments
Hi @rahulthackkar, thanks for reporting this. Please take a look at Reference: parts The existence of part |
Hi @airween, thanks for the quick response. I know A and Z are mandatory; even after specifying only 'H', I want to disable the whole log entry for the above listed types, which are not meaningful to me. How can I do that? |
What do you need the audit log for? In most use cases the error-log brings all you need to have and if you reduce the audit log to part |
Let me try to explain my concern to you. I have just enabled mod_security on my server, which has hundreds of websites. So what I am trying to figure out is what my application really needs anyway, and what the actual vulnerabilities are that I should restrict from entering. For that reason, daily I need to observe the logs, and one by one I am writing exclusions according to my application's needs. Keeping only the H part serves both concerns: keeping disk usage low, and I get the triggered rule info too. Eventually I will turn on the security engine once I have covered all aspects, so for that I observed that some of the logs I don't actually need. Is there any way to disable such log entries? I was referring to this: #329 |
This is at best a compile time flag and not a config time flag. Also I have never seen it used. But again: why do you run the audit log at all? If you are only interested in the alerts in the
(Well, plus a timestamp, but that's OK I guess.) |
Hello @dune73, can you explain to me what the log below is for? --e5e05673-A-- --e5e05673-Z-- I am not even able to understand it. Also I want to avoid the response body dechunked logs, so I can actually observe the other logs, those that are actually triggered by a critical or warning vulnerability |
If you do not understand the Stopwatch stuff, you should turn to the documentation (if you really want to know). As for the rest, it's pretty self-explanatory. |
I just want to disable some logs, is there any option? |
For example, 'client denied by server configuration': this error log is being logged in both files, the mod sec audit log and the apache error log; before mod security it was already being logged into the apache error log. |
You can disable the SecAuditEngine. In fact this is what I have been trying to explain to you for several days now. |
By disabling SecAuditEngine, will it disable the whole audit log?
If yes, then that is not what I am looking for.
…On Mon, 25 Mar, 2024, 12:52 pm Christian Folini, ***@***.***> wrote:
You can disable the SecAuditEngine. In fact this is what I have been
trying to explain to you for several days now.
|
Here you wrote:
I just want to disable some logs, is there any option?
There are three kinds of logs:
- error.log - produced by the HTTP server; you can turn it off in the server config, or modify the severity; please read the server documentation
- audit.log - see @dune73's comments
- debug.log - that's disabled by default
So, what other log do you want to disable? |
In the audit log, I want to disable some logs like response body dechunked,
apache error logs which are already being logged in apache's error log and
are also being logged in the mod sec audit log, and stopwatch logs.
…On Mon, 25 Mar, 2024, 7:42 pm Ervin Hegedus, ***@***.***> wrote:
By disabling SecAuditEngine, will it disable the whole audit log? If yes, then
that is not what I am looking for.
Here
<#3110 (comment)>
you wrote:
I just want to disable some logs, is there any option?
There are three kinds of logs:
- error.log - produced by the HTTP server; you can turn it off in the server
config, or modify the severity; please read the server documentation
- audit.log - see @dune73 <https://github.com/dune73>'s comments
- debug.log - that's disabled by default
So, what other log do you want to disable?
|
I'm out. |
Thanks @christian for your efforts, I think I am not able to convey
properly what I am looking for.
…On Mon, 25 Mar, 2024, 8:18 pm Christian Folini, ***@***.***> wrote:
I'm out.
|
Can anyone help me to disable only the audit log below, not the whole audit log? --8b7f4f31-A-- --8b7f4f31-H-- --8b7f4f31-Z-- |
Maybe you should post an example of the desired audit log. Also: "log" or "logs" always means the entire log file or log type. You should use the term "item" or "record" for items within the audit log or within an audit log part. |
I want to avoid the whole entry by its type, not part(s) of one audit log.
…On Mon, 25 Mar, 2024, 8:40 pm Christian Folini, ***@***.***> wrote:
Maybe you should post an example of the desired audit log.
Also: "log" or "logs" always means the entire log file or log type. You
should use the term "item" or "record" for items within the audit log or
within an audit log part.
|
A bit more concrete...? As @dune73 wrote: "Maybe you should post an example of the desired audit log." I still don't see the expected pattern. |
Sure, let me try again. Below is one audit log entry in the mod sec audit log I want to avoid, maybe about the response body transform dechunk event.
Another log entry which typically involves only stopwatch is below --e5e05673-A-- --e5e05673-Z-- I also don't want the above log entry in the audit log. Is there any option in mod security to avoid specific log entries?? |
Maybe only those log entries which are actually triggered by rules (like sql injection, xss attack, code injection, etc.). Hope this explains my concern enough. |
You mean remove some headers from an audit log part? No, I don't think it is possible. And let me ask you something - in your official post, you asked:
You really want to reduce your log by removing specific lines...? |
Not headers only; the two log entries above that I shared with you previously, I
want to avoid such whole log entries.
…On Mon, 25 Mar, 2024, 10:47 pm Ervin Hegedus, ***@***.***> wrote:
Is there any option in mod security to avoid specific log entries??
You mean remove some headers from an audit log part?
No, I don't think it is possible.
And let me ask you something - in your official post, you asked:
I just wanted to limit log file size by removing
You really want to reduce your log by removing specific lines...?
|
You can control the log parts conditionally at runtime with the ctl:auditLogParts ctl action (the rule is quoted in the reply below).
See the examples on the reference page, eg this one <https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#accuracy>. |
I want to completely disable the above log entries. I am not sure how I can
write a condition for those, as they are not triggered by any rule; they
just show that the response body transform was dechunked.
How can I do this?
…On Tue, 26 Mar, 2024, 12:34 am Ervin Hegedus, ***@***.***> wrote:
You can control conditionally the logparts runtime with ctl:auditLogParts
ctl action, eg:
SecRule YOUR_CONDITION \
"id:NNNNN,\
phase:N,\
t:none,\
nolog,\
pass,\
ctl:auditLogParts=-E"
See the examples on reference page, eg this one
<https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#accuracy>
.
|
you wrote above:
so you can copy the rule's condition or you can append the
As we explained above, YOU CAN'T. There is no way to remove lines from an audit log part. You can control only parts (except mandatory ones). |
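Since the engine only selects which parts of an entry are written (as the maintainers explain above), the filtering the reporter asks for has to happen after the fact. The following is an added example, not code from the ModSecurity project or from anyone in this thread: it parses the serial audit log format shown in this issue (`--<txid>-<part>--` boundaries, A opens and Z closes a transaction) and keeps only transactions whose H part carries at least one rule `Message:` line, which is what a rule match produces. The sample input embeds two entries copied from the issue plus one constructed entry (transaction id `deadbeef`, rule id `999999`, message text, all made up) so that the keep case is exercised.

```python
import re
from dataclasses import dataclass, field

# Part boundary line as ModSecurity v2 writes it in the serial audit log.
BOUNDARY = re.compile(r"^--([0-9A-Fa-f]+)-([A-Z])--$")

# Constructed sample: first two transactions are from this issue (shortened),
# the third ("deadbeef") is a made-up entry with a rule Message: line.
SAMPLE_LOG = """\
--e5e05673-A--
[22/Mar/2024:06:15:41.533563 +0000] Zf0iDb5-6jzuz1NaSnMeLwABUAw 93.86.97.137 60415 172.31.3.102 443
--e5e05673-H--
Apache-Handler: proxy:fcgi://maskeddomainname.com
Stopwatch: 1711088141472444 61130 (- - -)
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache
--e5e05673-Z--
--62aff97c-A--
[22/Mar/2024:06:15:58.021859 +0000] Zf0iHqWEDu3IDZ7ZKiTwvAAAAQo 114.119.145.163 49191 172.31.0.20 443
--62aff97c-E--
--62aff97c-H--
Apache-Error: [file "mod_access_compat.c"] [line 350] [level 3] AH01797: client denied by server configuration: /home/maskeduser/public_html/a6-838
Response-Body-Transformed: Dechunked
Engine-Mode: "DETECTION_ONLY"
--62aff97c-Z--
--deadbeef-A--
[22/Mar/2024:12:00:00.000000 +0000] HYPOTHETICALUNIQUEID 192.0.2.10 51000 172.31.0.20 443
--deadbeef-H--
Message: Warning. Pattern match "constructed" at ARGS:id. [file "constructed.conf"] [line "1"] [id "999999"] [msg "Constructed example alert"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--deadbeef-Z--
"""


@dataclass
class AuditEntry:
    tx_id: str
    parts: dict = field(default_factory=dict)  # part letter -> list of lines


def parse_audit_log(text):
    """Split serial audit log text into AuditEntry objects, one per transaction."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx_id, part = m.groups()
            if part == "A":                     # A always opens a transaction
                current = AuditEntry(tx_id)
                entries.append(current)
            if current is None or current.tx_id != tx_id:
                raise ValueError(f"part {part} for unknown transaction {tx_id}")
            current.parts[part] = []
            if part == "Z":                     # Z always closes it
                current, part = None, None
            continue
        if current is not None and part is not None:
            current.parts[part].append(line)
    return entries


def has_rule_match(entry):
    """True when the H (trailer) part contains at least one rule Message: line."""
    return any(line.startswith("Message:") for line in entry.parts.get("H", []))


def filter_rule_matches(text):
    """Keep only transactions that were actually flagged by a rule."""
    return [e for e in parse_audit_log(text) if has_rule_match(e)]


def serialize(entry):
    """Write an entry back in the same boundary format (parts keep their order)."""
    out = []
    for part, lines in entry.parts.items():
        out.append(f"--{entry.tx_id}-{part}--")
        out.extend(lines)
    return "\n".join(out) + "\n"


def compact_log(text):
    """Serial audit log text reduced to rule-triggered transactions only."""
    return "".join(serialize(e) for e in filter_rule_matches(text))


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    sys.stdout.write(compact_log(source))
```

Run it with the path of a serial audit log as the only argument to get a copy containing just the rule-triggered transactions; the Stopwatch-only and Apache-Error-only entries from this issue are dropped because their H part has no `Message:` line. If the selection should instead happen inside ModSecurity, the v2 directives `SecAuditEngine RelevantOnly` and `SecAuditLogRelevantStatus` restrict the audit log to transactions that hit a rule with the `auditlog` action or returned a matching response status; that is outside what this thread discusses, so check the reference manual for the exact semantics in your setup.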
Okay, Thanks. |
Hello Support,
I have installed mod security 2 in apache (ubuntu 22.04).
I just wanted to limit log file size by removing
I tried to find out the configuration for this, but could not.
My log parts are only 'H':
SecAuditLogParts H
Sample logs I want to avoid are below.
--e5e05673-A--
[22/Mar/2024:06:15:41.533563 +0000] Zf0iDb5-6jzuz1NaSnMeLwABUAw 93.86.97.137 60415 172.31.3.102 443
--e5e05673-H--
Apache-Handler: proxy:fcgi://maskeddomainname.com
Stopwatch: 1711088141472444 61130 (- - -)
Stopwatch2: 1711088141472444 61130; combined=651, p1=640, p2=0, p3=0, p4=0, p5=11, sr=119, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache
--e5e05673-Z--
--62aff97c-A--
[22/Mar/2024:06:15:58.021859 +0000] Zf0iHqWEDu3IDZ7ZKiTwvAAAAQo 114.119.145.163 49191 172.31.0.20 443
--62aff97c-E--
--62aff97c-H--
Apache-Error: [file "mod_access_compat.c"] [line 350] [level 3] AH01797: client denied by server configuration: /home/maskeduser/public_html/a6-838
Stopwatch: 1711088158019766 2111 (- - -)
Stopwatch2: 1711088158019766 2111; combined=1298, p1=812, p2=0, p3=83, p4=197, p5=205, sr=136, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
--62aff97c-Z--
--8b7f4f31-A--
[22/Mar/2024:11:49:34.742782 +0000] Zf1wTgL-oH_rxEQ3Oeq6JwAAAEc 185.234.216.114 56180 172.31.15.118 80
--8b7f4f31-E--
--8b7f4f31-H--
Apache-Handler: proxy:fcgi://maskeddomain.com
Stopwatch: 1711108174739077 3739 (- - -)
Stopwatch2: 1711108174739077 3739; combined=1566, p1=560, p2=681, p3=56, p4=129, p5=140, sr=104, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/); OWASP_CRS/3.3.2.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
--8b7f4f31-Z--
Can you please help me with this?