[Resolved] SecDebugLogLevel not working correctly

[innovot]

According to the documentation one should set:

• 1 - errors (intercepted requests) only.

for hits to be logged into Apache's error log but I have added SecDebugLogLevel 1 and nothing at all is being logged ?!?

If somebody is using LSWS with Apache configuration files, and are having hits logged, would they mind sharing their configuration please. Should add that rules are being processed as I do see entries like the following in audit.log:

Message: Detected , [Rule: 'RESPONSE_STATUS' '200'] [id "377360"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [MatchedString "200"]

 

[innovot]

Interestingly I do see some events being logged eg.

 ModSecurity: Access denied with code 403, [Rule: 'REQUEST_HEADERS:User-Agent' 'python-requests/'] [id "332039"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests).  Disable this rule if you use python-requests/. "]

so does Litespeed only log events that trigger a 403 error ? if that is the case is there any way to log a rule that hits but returns a 200 response code ? we use OSSEC to correlate and take proactive measures based on the alerts and without it logging all hits we are a little stuck.

 

[mistwang]

Please force reinstall to try latest build of 4.2.14, added error logging when a rule has been hit and SecDebugLogLevel is not 0.

 

[innovot]

Unfortunately that still does not appear to work after forcing a reinstall.

 

[mistwang]

Please try again, the updated package was not uploaded properly.

 

[innovot]

Hi George.

That is perfect and thank you so much for resolving so quickly.

[Wed Sep  3 19:24:22 2014] [error] [client 176.223.89.91] ModSecurity: Access denied with code -, [Rule: 'RESPONSE_STATUS' '200'] [id "377360"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "]