Concurrent logging
Concurrent logging logs the same information as serial logging—the difference is that each log entry is placed in a separate file. The following is a typical configuration to enable concurrent logging:
# Enable concurrent audit logging SecAuditEngine RelevantOnly SecAuditLogType concurrent SecAuditLogStorageDir /var/log/audit/ SecAuditLog logs/modsec_audit.log SecAuditLogParts ABCFHZ
With concurrent logging, the main audit log file acts as an index file, pointing to the individual log files.
ModSecurity will create a specific directory structure in which the individual log files are placed. The directory structure looks as follows:
/var/log/audit/ |-- 20090331 | |-- 20090331-1530 | | |-- 20090331-153030-Cei44F5MziQAAFKTAIcAAAAA | | |-- 20090331-153030-Cei5115MziQAAFKUAM0AAAAB | | |-- 20090331-153030-CgEmHV5MziQAAFKVAS0AAAAC | | |-- 20090331-153054-C1JA815MziQAAFKoBfIAAAAV | | `-- 20090331-153054-C1JIqV5MziQAAFKVAS4AAAAC | |-- 20090331-1531 | | |-- 20090331-153100-C6skpV5MziQAAFKUAM4AAAAB...