Difference between revisions of "SecAuditLogParts"

From Atomicorp Wiki
Revision as of 16:55, 2 January 2014

The following is a list of the elements of a request or response that can be logged. We do not recommend you change the defaults unless you know what you are doing.

Request elements

  • B: Request headers.
  • C: Request body. Note: This information is present only if the request body exists and ModSecurity is configured to intercept it. For rules that trigger on the request body, this part will be logged automatically if SecAuditEngine RelevantOnly is set.
  • D: Reserved and not used yet.
  • I: Special replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding is used. In that case, it will log a fake application/x-www-form-urlencoded body that contains the information about the parameters but not about the files. This is handy if you don't want to have files stored in your audit logs.
  • J: Contains information about the files uploaded using multipart/form-data encoding.

Response elements

  • E: Intermediary response body. The intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page). Note: This information is present only when ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it.
  • F: Final response headers (excluding the Date and Server headers).
  • G: Reserved, and not used yet.
  • H: Audit log trailer.

Special elements

  • A: Audit log header (This field is mandatory, it will always be logged).
  • K: Contains a full list of every rule that matched (one per line) in the order they were matched. The rules are fully qualified and will thus show inherited actions and default operators. (We do not recommend you
  • Z: Final boundary, signifies the end of the entry (This field is mandatory and, where available, it will be logged).
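The two things a practitioner usually wants from this list are a sanity check on a SecAuditLogParts value (A and Z are mandatory, D and G are reserved) and a way to pull the individual parts back out of a logged entry. The following is an added example written for this page; it is not code from the Atomicorp wiki or from the ModSecurity project. It assumes the serial audit log layout in which every part is introduced by a boundary line of the form --<entry id>-<part letter>-- and the entry closes with part Z. The sample entry, its entry id c7e1f2a3 and the rule message in part H are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Part letters the page lists; A and Z are mandatory, D and G are reserved.
KNOWN_PARTS = set("ABCDEFGHIJKZ")
MANDATORY_PARTS = {"A", "Z"}
RESERVED_PARTS = {"D", "G"}

# Boundary line that opens each part in the serial audit log format
# (assumption: "--<entry id>-<part letter>--", e.g. "--c7e1f2a3-A--").
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")


def check_parts(value: str) -> List[str]:
    """Return a list of problems with a SecAuditLogParts value (empty if fine)."""
    letters = set(value)
    problems = []
    unknown = sorted(letters - KNOWN_PARTS)
    if unknown:
        problems.append("unknown part letter(s): " + "".join(unknown))
    for part in sorted(MANDATORY_PARTS - letters):
        problems.append(f"mandatory part {part} missing")
    for part in sorted(letters & RESERVED_PARTS):
        problems.append(f"part {part} is reserved and not used yet")
    return problems


def parse_serial_entry(text: str) -> Dict[str, str]:
    """Split one serial-format audit log entry into {part letter: content}.

    Raises ValueError if boundary ids are mixed or the entry lacks part Z.
    """
    parts: Dict[str, str] = {}
    entry_id: Optional[str] = None
    current: Optional[str] = None
    buf: List[str] = []
    for line in text.splitlines():
        match = BOUNDARY_RE.match(line)
        if match:
            if entry_id is None:
                entry_id = match.group(1)
            elif match.group(1) != entry_id:
                raise ValueError("boundary id changed inside one entry")
            if current is not None:
                parts[current] = "\n".join(buf).strip("\n")
            current, buf = match.group(2), []
            continue
        if current is not None:
            buf.append(line)
    if current is not None:
        parts[current] = "\n".join(buf).strip("\n")
    if "Z" not in parts:
        raise ValueError("entry is not terminated by part Z")
    return parts


def body_part(parts: Dict[str, str]) -> Optional[str]:
    """Which request-body representation was logged: I (files stripped), C, or none."""
    if "I" in parts:
        return "I"
    if "C" in parts:
        return "C"
    return None


# Constructed sample entry: a multipart upload logged with I instead of C,
# so the fake urlencoded body carries the parameters but no file contents.
SAMPLE_ENTRY = """\
--c7e1f2a3-A--
[02/Jan/2014:16:55:00 +0000] constructedUniqueId0000 192.0.2.10 51234 192.0.2.1 80
--c7e1f2a3-B--
POST /upload HTTP/1.1
Host: www.example.com
Content-Type: multipart/form-data; boundary=----frontier

--c7e1f2a3-I--
comment=hello&name=alice

--c7e1f2a3-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html

--c7e1f2a3-H--
Message: Access denied with code 403 (phase 2). (constructed message)
Action: Intercepted (phase 2)

--c7e1f2a3-Z--

"""

if __name__ == "__main__":
    print(check_parts("ABIJDEFHZ"))          # D is reserved
    print(check_parts("BCFH"))               # A and Z missing
    entry = parse_serial_entry(SAMPLE_ENTRY)
    print(sorted(entry), body_part(entry))
```

Running it on the constructed entry shows parts A, B, I, F, H and Z present, no part C (the I replacement was used), and check_parts flagging the reserved part D in a value such as ABIJDEFHZ while still accepting it, since the page only says D is unused, not invalid.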