
Thread: Remove 404 Errors from modsec_audit.log




Remove 404 Errors from modsec_audit.log
Canada
2007-04-02 15:49:27
Hi Everyone!

Another newb question here (probably going to see a lot from me in the future as I learn to use this wonderful tool).

Is there any way to remove apache 404 errors from the mod security log (modsec_audit.log) so I can see just mod security errors?  I have a separate apache error log for each website and am happy to see the 404 errors there.  I'm trying to create custom rules and find it hard filtering through all the 404 errors (mostly generated by old links that web crawlers follow) to get to the ones that matter.


--3801821a-A--
[01/Apr/2007:04:08:20 --0700] H1s85IlSYSIAABAbGSAAAAAH 72.30.215.27 57048 137.82.97.34 80
--3801821a-B--
GET /robots.txt HTTP/1.0
Host: www.ellislab.biotech.ubc.ca
Accept: */*
User-Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Accept-Encoding: gzip, x-gzip

--3801821a-F--
HTTP/1.1 404 Not Found
Content-Length: 331
Connection: close
Content-Type: text/html; charset=iso-8859-1

--3801821a-H--
Apache-Error: [file "core.c"] [line 3518] [level 3] File does not exist: /www/htdocs/www_ellislab/robots.txt
Stopwatch: 1175425700805860 2746 (585 2100 -)
Producer: ModSecurity v2.1.0 (Apache 2.x)
Server: Apache 2

--3801821a-Z--


Thanks,

-- 

Vince Tingey            |  Michael Smith Laboratories
IT Systems Coordinator  |  University of British Columbia
Tel:  604.822.8895      |  #301 - 2185 East Mall
www.msl.ubc.ca          |  Vancouver, BC, Canada, V6T 1Z4



Re: Remove 404 Errors from modsec_audit.log
United States
2007-04-02 16:14:47
What do you have SecAuditEngine set to?  You should probably go with RelevantOnly for performance reasons.  If you have this directive set to RelevantOnly, then check your SecAuditLogRelevantStatus setting.  The default one in the Core Rules file will capture all 4xx and 5xx level codes (which includes 404, which you don't want...).  Update the directive to this -

SecAuditLogRelevantStatus "^(?:5|4\d[^4])"

Which will exclude 404s from the audit log.
-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
 
 

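An added example, not part of the original thread and not ModSecurity code: for an audit log that already contains the 404 noise, this Python script splits the serial log format shown above into entries and keeps only those that RelevantOnly with the corrected status pattern would have logged. The sample log is constructed, the function names are hypothetical, and a `Message:` line in part H is taken as the sign that a rule fired.

```python
import re

# Corrected pattern from the reply: 5xx, or 4xx not ending in 4 (drops 404, 414, ...).
RELEVANT_STATUS = re.compile(r"^(?:5|4\d[^4])")
ENTRY = re.compile(r"^--([0-9a-f]+)-A--\n(.*?)^--\1-Z--$", re.M | re.S)
PART = re.compile(r"^--[0-9a-f]+-([B-K])--\n", re.M)

# Constructed, trimmed sample in the serial audit-log layout shown in the thread.
SAMPLE_LOG = """\
--aaaa0001-A--
[01/Apr/2007:04:08:20 --0700] CONSTRUCTED0001 192.0.2.10 57048 192.0.2.1 80
--aaaa0001-F--
HTTP/1.1 404 Not Found
--aaaa0001-H--
Apache-Error: [file "core.c"] [line 3518] [level 3] File does not exist: /srv/robots.txt
--aaaa0001-Z--
--aaaa0002-A--
[01/Apr/2007:04:09:01 --0700] CONSTRUCTED0002 192.0.2.11 57050 192.0.2.1 80
--aaaa0002-F--
HTTP/1.1 404 Not Found
--aaaa0002-H--
Message: Warning. Pattern match at REQUEST_URI. [constructed rule message]
--aaaa0002-Z--
--aaaa0003-A--
[01/Apr/2007:04:09:30 --0700] CONSTRUCTED0003 192.0.2.12 57051 192.0.2.1 80
--aaaa0003-F--
HTTP/1.1 503 Service Unavailable
--aaaa0003-Z--
"""

def parse_entries(text):
    """Split a serial audit log into entries of {part_letter: text}."""
    entries = []
    for m in ENTRY.finditer(text):
        chunks = PART.split(m.group(2))  # [part A text, letter, text, letter, text, ...]
        entries.append({"A": chunks[0], **dict(zip(chunks[1::2], chunks[2::2]))})
    return entries

def is_relevant(entry):
    """Mirror RelevantOnly: a rule message in part H, or a relevant status in part F."""
    fields = entry.get("F", "").split()
    status = fields[1] if len(fields) > 1 else ""
    flagged = re.search(r"^Message:", entry.get("H", ""), re.M) is not None
    return flagged or bool(RELEVANT_STATUS.match(status))

def relevant_ids(text):
    """Transaction IDs (third field of part A) of the entries worth reading."""
    return [e["A"].split()[2] for e in parse_entries(text) if is_relevant(e)]
```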
