Log format
Now, let's take a look at what an audit log entry looks like. The following entry was generated with the above configuration, and shows details relating to a denied request to access the URI /test
on the server at www.bytelayer.com.
--5759e83f-A--
[27/Mar/2009:14:22:32 +0000] dqIu7V5MziQAAEpPAWwAAAAE 94.76.206.36 38037 94.76.206.36 80
--5759e83f-B--
GET /test HTTP/1.0
User-Agent: Wget/1.11.1 (Red Hat modified)
Accept: */*
Host: www.bytelayer.com
Connection: Keep-Alive

--5759e83f-F--
HTTP/1.1 403 Forbidden
Content-Length: 275
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5759e83f-H--
Message: Access denied with code 403 (phase 2). Pattern match "test" at REQUEST_URI. [file "/etc/httpd/conf.d/mod_security.conf"] [line "34"]
Action: Intercepted (phase 2)
Stopwatch: 1238163752365805 926 (481 695 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.2.8 (Fedora) mod_jk/1.2.27 DAV/2

--5759e83f-Z--
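The entry above is easier to work with once it is split into its parts. The following parser is an added example, not code from the original page or from the ModSecurity project: it reads the serial audit log layout (one file, each part introduced by a "--<id>-<LETTER>--" boundary line, each entry closed by its Z part), decodes the A, B, F and H parts, and pulls the intercepted transactions out of a sample log. The sample log is constructed: it contains the entry from the page plus a second, made-up entry (its boundary id, unique id, client address and 200 response are assumptions) so that the filter has something to leave out.

```python
"""Parser for the ModSecurity 2.x serial audit log (added example, not from the page or project)."""
import re
from datetime import datetime

# Constructed sample: the page's entry followed by an invented, non-blocked entry.
SAMPLE_LOG = """--5759e83f-A--
[27/Mar/2009:14:22:32 +0000] dqIu7V5MziQAAEpPAWwAAAAE 94.76.206.36 38037 94.76.206.36 80
--5759e83f-B--
GET /test HTTP/1.0
User-Agent: Wget/1.11.1 (Red Hat modified)
Accept: */*
Host: www.bytelayer.com
Connection: Keep-Alive

--5759e83f-F--
HTTP/1.1 403 Forbidden
Content-Length: 275
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5759e83f-H--
Message: Access denied with code 403 (phase 2). Pattern match "test" at REQUEST_URI. [file "/etc/httpd/conf.d/mod_security.conf"] [line "34"]
Action: Intercepted (phase 2)
Stopwatch: 1238163752365805 926 (481 695 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.2.8 (Fedora) mod_jk/1.2.27 DAV/2

--5759e83f-Z--
--0a1b2c3d-A--
[27/Mar/2009:14:23:01 +0000] eXAmPLEiDiDiDiDiDiDiD 192.0.2.10 51000 94.76.206.36 80
--0a1b2c3d-B--
GET /index.html HTTP/1.1
Host: www.bytelayer.com

--0a1b2c3d-F--
HTTP/1.1 200 OK
Content-Type: text/html

--0a1b2c3d-H--
Stopwatch: 1238163781000000 500 (100 200 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.2.8 (Fedora) mod_jk/1.2.27 DAV/2

--0a1b2c3d-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$")
MSG_DETAIL = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [file "..."], [line "..."] etc.


def split_entries(text):
    """Return a list of (boundary_id, {part_letter: body}); an entry ends at its Z part."""
    entries, current_id, parts, letter, buf = [], None, {}, None, []
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if letter is not None:
                buf.append(line)
            continue
        if letter is not None:
            parts[letter] = "\n".join(buf).strip("\n")
        boundary_id, letter, buf = m.group(1), m.group(2), []
        if boundary_id != current_id:
            if parts:  # a new id with no Z seen: keep the truncated entry, do not merge
                entries.append((current_id, parts))
            current_id, parts = boundary_id, {}
        if letter == "Z":
            entries.append((current_id, parts))
            current_id, parts, letter = None, {}, None
    if parts:
        entries.append((current_id, parts))
    return entries


def parse_part_a(body):
    """A part: [timestamp] unique-id client-ip client-port server-ip server-port."""
    m = PART_A.match(body.strip())
    if not m:
        raise ValueError("malformed A part: %r" % body)
    d = m.groupdict()
    d["timestamp"] = datetime.strptime(d.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def parse_request(body):
    """B part: request line followed by request headers."""
    lines = body.strip("\n").split("\n")
    fields = lines[0].split(" ")
    method = fields[0]
    uri = fields[1] if len(fields) > 1 else ""
    version = fields[2] if len(fields) > 2 else "HTTP/0.9"
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def parse_response_status(body):
    """F part: status line then response headers; only the status code is needed here."""
    return int(body.strip("\n").split("\n")[0].split(" ", 2)[1])


def parse_audit_trailer(body):
    """H part: 'Key: value' lines; Message may repeat when several rules matched."""
    info = {"messages": []}
    for line in body.strip("\n").split("\n"):
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Message":
            code = re.search(r"Access denied with code (\d+)", value)
            info["messages"].append({"text": value, "tags": dict(MSG_DETAIL.findall(value)),
                                     "denied_code": int(code.group(1)) if code else None})
        else:
            info[key] = value
    return info


def parse_audit_log(text):
    entries = []
    for boundary_id, parts in split_entries(text):
        if "A" not in parts:
            raise ValueError("entry %s has no A part" % boundary_id)
        e = {"id": boundary_id, "parts": sorted(parts)}
        e.update(parse_part_a(parts["A"]))
        e["request"] = parse_request(parts["B"]) if "B" in parts else None
        e["status"] = parse_response_status(parts["F"]) if "F" in parts else None
        e["audit"] = parse_audit_trailer(parts.get("H", ""))
        entries.append(e)
    return entries


def blocked_requests(entries):
    """Transactions ModSecurity intercepted, with the rule file/line that did it."""
    out = []
    for e in entries:
        if not e["audit"].get("Action", "").startswith("Intercepted"):
            continue
        rule = next((m for m in e["audit"]["messages"] if m["denied_code"]), None)
        out.append({"client": e["src"], "uri": e["request"]["uri"] if e["request"] else None,
                    "status": e["status"],
                    "rule_file": rule["tags"].get("file") if rule else None,
                    "rule_line": rule["tags"].get("line") if rule else None})
    return out


if __name__ == "__main__":
    for hit in blocked_requests(parse_audit_log(SAMPLE_LOG)):
        print(hit)
```

The parser keys each entry on the boundary id rather than on blank lines, because request and response bodies (parts C and E, not shown in this entry) can themselves contain blank lines and even lines that look like headers; only a boundary line with the entry's own id ends a part. Collecting Message lines into a list matters in practice, since one transaction can trip several rules and only the one carrying "Access denied" is the one that produced the 403.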
Each log part starts with a separator...