I copied the following portion of my httpd.conf from one server (which is logging just fine) to my new server. The problem is that mod_security seems to be logging every request rather than only the filtered errors.
I noticed that on my "old" server, every log entry contains a mod_security-message that explains the error. On the "new" server, there are entries for every request and only seven have that mod_security-message. Any ideas why the same config would log differently?
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 32 126
SecFilterScanPOST On
SecFilterDefaultAction "deny,status:406"
SecAuditEngine On
SecAuditLog /var/log/httpd/modsec_log
# Prevent OS-specific keywords
SecFilter /etc/passwd
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Prevent XSS attacks (HTML/Javascript)
SecFilter "<(.|\n)+>"
# Prevent Nmap version scan
SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\
$"
</IfModule>
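To quantify the difference described in the post above, the following Python script (an added example, not part of the original post) splits an audit log into entries and separates those that carry a `mod_security-message` header from those that do not. The entry layout (a line of `=` characters between entries and a `Request:` summary line) and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed entry layout: entries are separated by a line of '=' characters.
SEPARATOR = re.compile(r"^={20,}\s*$", re.MULTILINE)
# Header the post says appears on filtered requests.
MESSAGE = re.compile(r"^mod_security-message:\s*(.+)$", re.MULTILINE)
# Assumed summary line: Request: <client> ... "<request line>" <status> <size>
REQUEST = re.compile(r'^Request: .*"\s(\d{3})\b', re.MULTILINE)

# Constructed sample log (not taken from either server in the post).
SAMPLE_LOG = r'''========================================
Request: 192.0.2.10 - - [[01/Jan/2005:10:00:00 +0000]] "GET /index.html HTTP/1.0" 200 1024
Handler: (null)
----------------------------------------
GET /index.html HTTP/1.0
Host: www.example.com

HTTP/1.0 200 OK
========================================
Request: 192.0.2.11 - - [[01/Jan/2005:10:00:05 +0000]] "GET /a/../../etc/hosts HTTP/1.0" 406 822
Handler: (null)
----------------------------------------
GET /a/../../etc/hosts HTTP/1.0
Host: www.example.com
mod_security-message: Access denied with code 406. Pattern match "\.\./" at THE_REQUEST.
mod_security-action: 406

HTTP/1.0 406 Not Acceptable
========================================
Request: 192.0.2.12 - - [[01/Jan/2005:10:00:09 +0000]] "GET /about.html HTTP/1.0" 200 2048
Handler: (null)
----------------------------------------
GET /about.html HTTP/1.0
Host: www.example.com

HTTP/1.0 200 OK
'''

def summarize(text):
    """Count audit entries with and without a mod_security-message header."""
    entries = [e.strip() for e in SEPARATOR.split(text) if e.strip()]
    flagged, unflagged = [], Counter()
    for entry in entries:
        msg = MESSAGE.search(entry)
        status = REQUEST.search(entry)
        if msg:
            flagged.append(msg.group(1).strip())
        else:
            # Entries with no filter message, grouped by response status.
            unflagged[status.group(1) if status else "?"] += 1
    return {"total": len(entries), "flagged": flagged, "unflagged": dict(unflagged)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it against the log from each server shows whether the extra entries on the new server are ordinary responses recorded without any filter match.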