
I am currently running Apache 2.4.25 on Debian 9.8. I'm trying to set up mod_security to log POST request payloads for a specific URI. I have several APIs on a Debian server and I have to log all of them except 2. I tried to log only one URI for testing, but it seems that the rules I tried don't work.

I started by following this question, but it seems it doesn't work. Every call is logged. Even if I comment out the two SecRule lines, it still logs every call.

My config:

# Enable the module.
SecRuleEngine On
SecAuditEngine On
# Give it a log file.
SecAuditLog /var/log/httpd/website-audit.log
# Allow it to access request bodies.
SecRequestBodyAccess on
SecAuditLogParts ABCDEFGHIJZ

# Configure a default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"

# Define a rule that lets us log the content of POST requests.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:13"
SecRule REQUEST_URI "@streq /api/ICM/SendMessage" "auditlog"

What am I doing incorrectly?

Thanks a lot.

1 Answer

I think this is what you're looking for:

SecRule REQUEST_METHOD "!@streq POST" "allow,phase:1,id:13,ctl:auditEngine=Off"

Please note, for reference:

If the SecAuditEngine is set to On, all of the transactions will be logged. If it is set to RelevantOnly, then you can control the logging with the noauditlog action.

So this would be another solution.

The noauditlog action affects only the current rule. If you prevent audit logging in one rule only, a match in another rule will still cause audit logging to take place. If you want to prevent audit logging from taking place, regardless of whether any rule matches, use ctl:auditEngine=Off.

But IMHO the ctl action above is clearer.

airween
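For the asker's actual requirement (record the payload of every POST except for two endpoints), here is a configuration built on the RelevantOnly mode quoted in the answer. This is an added example, not the asker's or the answerer's config; the two exempt paths are placeholders, and the log path and rule IDs are assumptions.

```apache
# Added example: audit-log POST bodies for every API endpoint except two.
# Assumes ModSecurity 2.9.x on Apache 2.4; the exempt paths are placeholders.
SecRuleEngine On
SecRequestBodyAccess On

# RelevantOnly: a transaction is written to the audit log only when a rule
# matches with the auditlog action in effect. No SecAuditLogRelevantStatus is
# set here, so a response status code alone never triggers a log entry.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/website-audit.log
# A = header, B = request headers, C = request body, F = response headers,
# H = audit trailer, Z = end marker. Part G is reserved and is never written.
SecAuditLogParts ABCFHZ

# Phase 1 (request headers): switch the audit engine off for this transaction
# when the request targets one of the two exempt endpoints. ctl:auditEngine
# applies to the whole transaction, unlike the per-rule noauditlog action.
SecRule REQUEST_URI "@beginsWith /api/Exempt/First" \
    "phase:1,id:100001,nolog,pass,ctl:auditEngine=Off"
SecRule REQUEST_URI "@beginsWith /api/Exempt/Second" \
    "phase:1,id:100002,nolog,pass,ctl:auditEngine=Off"

# Phase 2 (request body is available): mark every remaining POST as relevant
# so the transaction, body included, lands in the audit log. 'pass' keeps the
# request flowing; 'auditlog' is stated explicitly so the rule still works if
# a SecDefaultAction containing noauditlog is in effect.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:2,id:100003,pass,log,auditlog,msg:'API POST payload recorded'"
```

To check it, send one test POST to an exempt path and one to any other path: only the second should produce an entry in website-audit.log, and part C of that entry should contain the body as long as it stays under SecRequestBodyLimit.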