Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SecAuditLogParts section identifiers are surprising #1089

Closed
stig opened this issue Mar 9, 2016 · 1 comment

Comments

Projects
None yet
2 participants
@stig
Copy link

commented Mar 9, 2016

It would be nice if the I directive resulted in a audit log section separator containing the letter I rather than C. I was attempting to stop the request body from going to the audit log, but was led on a wild goose chase due to the section identifier being C rather than I.

To be clear, the audit log contained a separator like this:

--c7036611-C--

despite our setting of:

SecAuditLogParts ABIJDEFHZ

I eventually realised that it was the I part that resulted in the C section identifier, but I think this is a clear violation of the principle of least surprise. I would instead have expected the section separator to be like the below:

--c7036611-I--

@zimmerle zimmerle self-assigned this Oct 31, 2018

@zimmerle

This comment has been minimized.

Copy link
Member

commented Oct 31, 2018

Hi @stig,

The information on different segments was documented here: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats#parts

As of version 3 we have the logging in a JSON format, those letters are not used any longer. For backwards compatibility we still have an option to use this old format. We are not thinking in changing it, to keep the compatibility.

@zimmerle zimmerle closed this Oct 31, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.