SecAuditLogParts not working: mod_security keeps logging response body
I have set SecAuditLogParts in modsecurity.conf to just log ABFH, but the modsecurity audit log keeps logging -E- part (response body) which makes the audit log too big.
What can I do to disable response body logging?
Solution 1:
I imagine this is set in your rules. The OWASP CRS, for example, have this in a lot of them to explicitly log the body to whatever you have defined using SecAuditLogParts:
ctl:auditLogParts=+E
You can turn off body responses completely with the following, and then this won't be logged there:
SecResponseBodyAccess Off
On the one hand, this is to be recommended for a few reasons:
- Performance. Scanning response bodies takes time, and when most of the bodies will be static HTML this doesn't make much sense.
- There are issues with ModSecurity and GZIP responses (though there might be some progress on this apparently according to a recent thread on ModSecurity Users mail group. This is being tracked here: https://github.com/SpiderLabs/ModSecurity/issues/944)
- Fills up log files as you have discovered.
- Could lead to a lot of false alerts.
On the other hand though, scanning outbound bodies can be useful to identify information leaks (either source code leaks and/or database access breaches) and turning this off obviously stops that.
Best practice is to turn off SecResponseBodyAccess by default for static files, but then enable it for dynamic files generated by application, and whittle your rules down to reduce false alerts for those.
I also presume you have the following set to only log in Audit log when a rule blocks?
SecAuditEngine RelevantOnly