Chapter 4. Audit Logging
If you are under attack, it is very important to get a picture of what your attacker is trying to do. Is he using a pre-packaged script to try to get into your server? Is it just a bot hammering away using known exploit code? Or is someone attempting to hack in by using handcrafted SQL injection requests via a proxy server in a foreign country?
Perusing logs of ModSecurity alerts on a regular basis is important to see what kind of exploits are being tried against your server—in some cases you may find that there's a new vulnerability out there that you need to patch against simply by paying some attention to the generated log data.
The standard Apache log does not give much more information than the time and date of a request, and the first line of the request (that is you'll see what resource the GET or POST was made to, but not much more than that). ModSecurity introduces audit logging, which gives you the ability to log much more detailed information about the requests...
