ModSecurity logs to the Windows event log with Event ID 0 instead of -1 #676

@sarvasana

Below is an example of a message logged by ModSecurity on Windows. To my knowledge, when the EventId is unknown, the event should be logged with EventId set to -1 (minus 1). This would probably prevent the "EventId 0 cannot be found" message from being logged with every message.

Example:

The description for Event ID 0 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

real message being logged
