Congrats, you're on your way to hard core security with mod_security! But now your audit log is filling up faster than a North Dakota Bear at a Golden Corral (Sorry, Brian) with general errors that DO NOT trigger any mod_sec rules.
Normally, out of the box, you'll have mod_security's SecAuditEngine rules set like so:
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog "|bin/rotatelogs.exe -l -f f:/logs/%Y-%m-%d-modsec-audit.log 86400"
Or ... something close to that. Let's break down the REGEX on the line for SecAuditLogRelevantStatus:
?:5 -- Log anything that is a 500 level error, e.g., 500 Internal Server Error or the lovely 503 Service Unavailable.
4(?!04) -- Log any 400 level error EXCEPT for any 404 errors.
I'm all for the 500 level errors being logged as those should never happen, but for my modsec_audit log I'm FILLING up with about a million 401's that I could care less about. Apache is going to grab these anyway in a much more compressed format, so I don't need to also see these in my modsec log. So, to fix that (and if you're a REGEX noob like me) just modify that 4(?!04) line to read:
"^(?:5|4(?!04|01))"
By adding that "|01" to the end of the (?!...) group, we're just saying: log any 400 level error EXCEPT 404s OR 401s, which Apache is going to grab for you anyway.
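To check the change before reloading Apache, here is an added example (not part of the original post) that runs both patterns over a few constructed access log lines and counts which statuses would still count as "relevant". It assumes Python's `re` treats these lookaheads the same way ModSecurity's regex engine does; the function names and sample lines are made up for illustration.

```python
import re
from collections import Counter

# Patterns from the post, with the closing parenthesis balanced.
DEFAULT = r"^(?:5|4(?!04))"
NO_401 = r"^(?:5|4(?!04|01))"

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app HTTP/1.1" 401 381
10.0.0.5 - alice [01/Jan/2024:10:00:01 +0000] "GET /app HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /missing HTTP/1.1" 404 196
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /app HTTP/1.1" 401 381
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /admin HTTP/1.1" 403 199
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /report HTTP/1.1" 500 530
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "GET /report HTTP/1.1" 503 299
"""

# The status is the three-digit field right after the quoted request line.
STATUS_RE = re.compile(r'" (\d{3}) ')

def relevant_counts(pattern, log_text):
    """Count, per status code, the requests whose status matches the pattern."""
    matcher = re.compile(pattern)
    counts = Counter()
    for line in log_text.splitlines():
        found = STATUS_RE.search(line)
        if found and matcher.search(found.group(1)):
            counts[found.group(1)] += 1
    return counts

def is_valid(pattern):
    """Return True if the pattern compiles (catches unbalanced parentheses)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

if __name__ == "__main__":
    before = relevant_counts(DEFAULT, SAMPLE_LOG)
    after = relevant_counts(NO_401, SAMPLE_LOG)
    print("default :", dict(before))
    print("no 401s :", dict(after))
    print("dropped :", dict(before - after))
```

This only models the status-code test: with SecAuditEngine RelevantOnly, a 401 (or 404) that triggers a rule is still written to the audit log.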
Hope that clears up your mod_sec logs!!