Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

SecAuditLogParts not working: mod_security keeps logging response body

See original GitHub issue

Describe the bug

A lot rules use:

ctl:auditLogParts=+E,\

This makes the log hard to read as response body is very lengthy. Would be useful to have at least one log without response body.

Could you please consider dropping ctl:auditLogParts=+E,\ to make SecAuditLogParts configurable?

Steps to reproduce

default:

SecAuditLogParts ABIJDEFHZ

change to:

SecAuditLogParts ABIJDFHZ

Expected behaviour

response body not logged

Actual behaviour

response body logged

Additional context

similar description https://github.com/SpiderLabs/ModSecurity/issues/819 (but probably not ModSecurity bug)

Your Environment

CRS version (e.g., v3.2.0): v3.2.0
Paranoia level setting: 1
ModSecurity version (e.g., 2.9.3): v1.0.1
Web Server and version (e.g., apache 2.4.41): nginx
Operating System and version: Debian

Issue Analytics

State:
Created 3 years ago
Comments:5 (4 by maintainers)

Top GitHub Comments

2reactions

airweencommented, Aug 17, 2020

Hi @adrelanos, thanks again your feedback.

We discussed this issue, and we think the ctl=auditLogParts=+E is important part of rule set, so we don’t plan to remove it.

1reaction

dune73commented, Aug 19, 2020

As a sidenote, I am currently writing a blogpost that is going to provide you with a way to get rid of this functionality (present in over 100 rules) for good. Give me a week or so to do this.