Windows Event Log

[dmarlow]

I'm curious how logs are controlled for ModSec. For example, is it possible to disable writing to the event log for anything that isn't an "error" in ModSec? Or maybe there are other logging options?

Reason I ask is that during load tests and vulnerability scans the event log can end up receiving a lot of warning messages and things slow down considerably (svchost.exe process starts to consume a lot of CPU writing to the event log).

[victorhora]

Hey @dmarlow,

Sorry for the delayed response. Please see my comments below:

I'm curious how logs are controlled for ModSec.

You basically have three types of logs: auditlog, log and debuglog.

You can tune the audit log by the SecAudit* related directives (e.g. SecAuditEngine ) and the same is also true for the debug log (see SecDebugLog).

But as far as I recall, there's no much tuning of the "plain" log other than customization of logdata and msg actions.

To simplify things, we can assume that the "plain" log action is the one that saves log data to Apache's error log.

On the IIS build, this "error" log is the only one one that gets pushed to the EventViewer. The other log types (Audit/Debug) will get saved to disk on their respective files as per the SecAuditLog and SecDebugLog.

For example, is it possible to disable writing to the event log for anything that isn't an "error" in ModSec? Or maybe there are other logging options?

Following the rationale above, it means that every ModSec rule that have the log action defined and that matches for a given transaction will get generate an entry on the EventViewer.

You can change this in many ways:

• Remove the log action from the rules;

• Add the nolog action to your rules;

• Use (or change) SecDefaultAction and either omit the log action (if present), or add the nolog action;

• Add a SecRuleUpdateActionById directive using the same rationale as above.

Bear in mind the following note from the Reference Manual: Although nolog implies noauditlog, you can override the former by using nolog,auditlog.

Reason I ask is that during load tests and vulnerability scans the event log can end up receiving a lot of warning messages and things slow down considerably (svchost.exe process starts to consume a lot of CPU writing to the event log).

The solutions proposed above should alleviate or eliminate this issue.

Good luck :)