From Atomicorp Wiki
The following is a list of the elements that modsecurity can log.
Note: We do not recommend you change the defaults unless you know what you are doing.
- B: Request headers.
- C: Request body. Note: This information is present only if the request body exists and ModSecurity is configured to intercept it. For rules that trigger off the request body, if SecAuditEngine RelevantOnly is set this header will be automatically logged.
- D: Reserved and not used yet.
- I: Special Replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding in used. In that case, it will log a fake application/x-www-form-urlencoded body that contains the information about parameters but not about the files. This is handy if you don’t want to have files stored in your audit logs.
- J: Contains information about the files uploaded using multipart/form-data encoding.
- E: Intermediary response body. Intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page). Note: This information is only present only when ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it.
- F: Final response headers (excluding the Date and Server headers).
- G: Reserved, and not used yet.
- H: Audit log trailer.
- A: Audit log header (This field is mandatory, it will always be logged).
- K: Contains a full list of every rule that matched (one per line) in the order they were matched. The rules are fully qualified and will thus show inherited actions and default operators. (We do not recommend you
- Z: Final boundary, signifies the end of the entry (This field is mandatory.).