If ModSecurity is configured with this directive:
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
it will write an audit log entry for every Apache response with a 4xx or 5xx status code, except 404 (the negative lookahead `(?!04)` is what excludes 404, which is usually too noisy to be worth logging). Note that this directive only has an effect when SecAuditEngine is set to RelevantOnly; with SecAuditEngine On every transaction is logged regardless of status.
We recommend you use this setting. Apache natively rejects some attacks and other bad requests on its own, before any ModSecurity rule would fire: a malformed or invalid URI is answered with a 400, and a failed HTTP Basic authentication attempt with a 401. No ModSecurity rule is needed to block these, and none will be triggered, because Apache has already handled the request itself. Logging them anyway is useful: a stream of 400 responses can indicate that certain kinds of attack are in progress, and repeated 401 responses from the same client can be used to determine whether a brute force attack against Basic authentication is under way. 5xx errors indicate that an application has failed, which may mean an attack is being attempted, or simply that an application or component is broken or failed to perform correctly.
These events will not include any information about a rule being triggered, because a rule will not have been triggered. Here is one example:
--12345678-A--
[1/Oct/2010:11:22:33 +0000] UKmVSQoAAGQAAEz2C2sAAAAB 1.2.3.4 12345 5.6.7.8 443
--12345678-B--
GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

--12345678-F--
HTTP/1.0 400 Bad Request
Vary: Accept-Encoding
Content-Length: 287
Connection: close
Content-Type: text/html; charset=iso-8859-1

--12345678-H--
Stopwatch: 12345678 12345678 (- - -)
Stopwatch2: 12345678 12345678; combined=620, p1=0, p2=0, p3=359, p4=240, p5=21, sr=0, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.6.2 (http://www.modsecurity.org/); 201001102010112233
Server: Apache/2.2.23

--40deca15-Z--
And another example:
--2ad21831-A--
[1/Jan/2012:00:00:01 -0500] EfNGXVABuRHcKw1OaUzOEQvAUohTaUJUCSoAADxB0CEAAAAJ 1.2.3.4 5.6.7.8 443
--2ad21831-B--
GET /foo HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: some cookie
Connection: keep-alive

--2ad21831-F--
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Web Application that uses htaccess and denied this authentication request"
Content-Length: 500
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2ad21831-H--
Stopwatch: 12345678901232333 12345 (- - -)
Stopwatch2: 12345678901232333 12345; combined=200, p1=1, p2=0, p3=1, p4=1, p5=1, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--2ad21831-Z--
In the example above you will notice that no rule is listed in the H section (there is no "Message:" line, which is where a triggered rule's id and msg would appear). That is because no rule was triggered. This event was logged only because of the SecAuditLogRelevantStatus setting. Again, we recommend you log these events, as they can be indicators of attacks that ModSecurity itself will never respond to, because Apache responds to them natively first.
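The following is an added example, not code from the original article or from the ModSecurity project. It does two things the article describes in prose: it applies the recommended SecAuditLogRelevantStatus pattern to a set of status codes so you can see exactly which ones would be logged, and it parses serial-format audit log text, telling transactions that were logged because a rule fired (a "Message:" line in part H) apart from those logged only because of the status code, then counts 401 responses per source address as the brute force indicator the article mentions. The sample audit log is constructed for this example: the first two transactions are adapted from the article's own examples, the third (a rule-triggered 403, with a made-up rule id and message) is entirely constructed, and all function names are assumptions.

```python
import re
from collections import Counter

# The exact pattern the article recommends for SecAuditLogRelevantStatus.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")
# Serial audit log part boundary, e.g. "--12345678-A--".
PART_BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--[ \t]*$", re.MULTILINE)
# Part A: [timestamp] unique_id src_ip src_port dst_ip dst_port
PART_A = re.compile(r"^\[(?P<time>[^\]]+)\]\s+(?P<uid>\S+)\s+(?P<src_ip>\S+)")
# First line of part F: HTTP/1.x <status> <reason>
STATUS_LINE = re.compile(r"^HTTP/\d\.\d\s+(?P<status>\d{3})")

# Constructed sample log (first two transactions adapted from the article,
# third one invented; rule id and msg in it are not real rules).
SAMPLE_AUDIT_LOG = """\
--12345678-A--
[1/Oct/2010:11:22:33 +0000] UKmVSQoAAGQAAEz2C2sAAAAB 1.2.3.4 12345 5.6.7.8 443
--12345678-B--
GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

--12345678-F--
HTTP/1.0 400 Bad Request
Content-Length: 287

--12345678-H--
Stopwatch: 12345678 12345678 (- - -)
Server: Apache/2.2.23

--12345678-Z--
--2ad21831-A--
[1/Jan/2012:00:00:01 -0500] EfNGXVABuRHcKw1OaUzOEQvAUohTaUJUCSoAADxB0CEAAAAJ 1.2.3.4 51234 5.6.7.8 443
--2ad21831-B--
GET /foo HTTP/1.1
Host: hostname

--2ad21831-F--
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Web Application"

--2ad21831-H--
Stopwatch: 12345678901232333 12345 (- - -)
Engine-Mode: "ENABLED"

--2ad21831-Z--
--3c4d5e6f-A--
[1/Jan/2012:00:00:02 -0500] EfNGXVABuRHcKw1OaUzOEQvAUohTaUJUCSoAADxB0CEAAAAK 9.9.9.9 40000 5.6.7.8 443
--3c4d5e6f-B--
GET /foo?id=1%27%20OR%201=1 HTTP/1.1
Host: hostname

--3c4d5e6f-F--
HTTP/1.1 403 Forbidden

--3c4d5e6f-H--
Message: Access denied with code 403 (phase 2). [id "900001"] [msg "Constructed example rule"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--3c4d5e6f-Z--
"""


def is_relevant_status(status):
    """True if this status would be logged under the recommended directive."""
    return RELEVANT_STATUS.match(str(status)) is not None


def split_transactions(text):
    """Split serial-format audit log text into a list of {part_letter: body}.
    A new transaction starts at every A part; the Z terminator has no body."""
    pieces = PART_BOUNDARY.split(text)  # [preamble, id, letter, body, id, letter, body, ...]
    transactions, current = [], None
    for i in range(1, len(pieces), 3):
        letter, body = pieces[i + 1], pieces[i + 2].strip("\n")
        if letter == "A":
            current = {}
            transactions.append(current)
        if current is not None and letter != "Z":
            current[letter] = body
    return transactions


def summarize(tx):
    """Pull out source IP, request line, status and why the event was logged."""
    a = PART_A.match(tx.get("A", ""))
    f = STATUS_LINE.match(tx.get("F", ""))
    # A transaction logged only because of SecAuditLogRelevantStatus has no
    # "Message:" line in part H, because no rule fired.
    rule_fired = any(l.startswith("Message:") for l in tx.get("H", "").splitlines())
    status = int(f.group("status")) if f else None
    if rule_fired:
        reason = "rule"
    elif status is not None and is_relevant_status(status):
        reason = "status"
    else:
        reason = "unknown"
    return {
        "time": a.group("time") if a else None,
        "src_ip": a.group("src_ip") if a else None,
        "request": tx["B"].splitlines()[0] if tx.get("B") else None,
        "status": status,
        "reason": reason,
    }


def analyse(text):
    return [summarize(tx) for tx in split_transactions(text)]


def auth_failures_by_ip(events, threshold=1):
    """Count 401 responses per source IP; many from one address suggests brute force."""
    counts = Counter(e["src_ip"] for e in events if e["status"] == 401)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = analyse(SAMPLE_AUDIT_LOG)
    for e in events:
        print(e)
    print("401s per source IP:", auth_failures_by_ip(events))
```

Run against a real audit log (the file named by SecAuditLog when SecAuditLogType is Serial), the "reason" field separates rule hits from the Apache-native rejections this article is about, and the per-IP 401 count is the first thing to look at when deciding whether a Basic authentication brute force is in progress.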
If you do not care about these events, simply remove the SecAuditLogRelevantStatus directive; with SecAuditEngine RelevantOnly, only transactions where a rule fired will then be written to the audit log. Please keep in mind that you will miss the attacks described above if you do this.