mod_security - SecAuditLogRelevantStatus just not working

santrix

Well-Known Member
Nov 30, 2008
229
3
68
I know this isn't really a cpanel issue, but I'm wondering if it is related to the flag I'm trying to use, not being recognised by the version of mod_security installed via easyapache...

We are running apache 2.2, and compiled in mod_security using EA.

I have these lines (in amongst other stuff) in /usr/local/apache/conf/modsec2.conf

Code:
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|3|4(?!04))"
SecAuditLog logs/modsec_audit.log 
SecDefaultAction "phase:2,deny,log,status:406"
The regex (which I understand needs to be within quotes) should only allow status codes starting with 3, 4, or 5 and exclude 404 specifically (I'm not sure why the backreferences need to be excluded in the regex)

The problem is that the modsec_audit.log file is being filled up with HTTP/1.1 200 OK entries as though the regex wasn't there. I have tried to fix this on and off for months... anyone got any clues?

The SecAuditEngine and SecAuditLogRelevantStatus directoves are not included anywhere else in the modsec conf files...