Enabling the audit log engine
The audit logging capabilities of ModSecurity are switched off by default. You can enable the audit log engine by placing a SecAuditEngine directive in the ModSecurity configuration file. Here are the possible values for SecAuditEngine:
SecAuditEngine On
Enables audit logging for all transactions.

SecAuditEngine RelevantOnly
Enables audit logging only for transactions that match a rule, or that have a status code that matches the regular expression configured via SecAuditLogRelevantStatus.

SecAuditEngine Off
Disables audit logging.

In most cases you will probably want to use SecAuditEngine RelevantOnly to log only those transactions that are actually considered relevant, that is, those that match a ModSecurity rule or have a relevant HTTP status code. Using the On parameter instead would enable logging for all transactions, which can use up a lot of disk space as well as slow down the server if it is under heavy load.
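
A configuration fragment showing the RelevantOnly setup described above. This is an added example, not taken from the original text; the status regular expression and the log path are assumptions to adapt to your own server.

```apache
# Added example (not from the original text).

# Logging everything is costly in disk space and under heavy load:
# SecAuditEngine On

# Log only transactions that match a rule or return a relevant status code.
SecAuditEngine RelevantOnly

# Assumed choice of "relevant": every 5xx response, and every 4xx response
# except 404, which is usually too noisy to be worth auditing.
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Assumed location: write all audit entries to a single file.
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
```

After reloading the server, a request that returns a status matched by the expression should produce an audit entry even if no rule fired, while an ordinary 200 or 404 response should not.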
The SecAuditLogRelevantStatus directive takes...