I copied the following portion of my httpd.conf from one server (which is logging just fine) to my new server. The problem is that mod_security seems to be logging every request rather than only the filtered errors.

I noticed that on my "old" server, every log entry contains a mod_security-message that explains the error. On the "new" server, there are entries for every request and only seven have that mod_security-message. Any ideas why the same config would log differently?


<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 32 126
SecFilterScanPOST On
SecFilterDefaultAction "deny,status:406"

SecAuditEngine On
SecAuditLog /var/log/httpd/modsec_log

# Prevent OS-specific keywords
SecFilter /etc/passwd

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Prevent XSS attacks (HTML/Javascript)
SecFilter "<(.|\n)+>"

# Prevent Nmap version scan
SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\$"
</IfModule>

Sorry, I found the issue...

SecAuditEngine RelevantOnly (rather than "SecAuditEngine On")

Something very odd is happening (or not happening) with Apache mod_security...

With "SecAuditEngine On", I'm able to use phpMyAdmin with now errors and mod_security logs everything.

With "SecAuditEngine RelevantOnly", I'm getting denied and redirected to a 406 error for some of the phpMyAdmin links and nothing is getting logged.

I'm not concerned about phpMyAdmin but rather the issue between everything/nothing getting logged. Does anyone see a problem in the settings above? These settings were copied from a server that is working just fine. Needless to say, I'm confused.