My modsec_audit.log has multiple "Message" lines, so the tracking tab never shows me the blocked actions, as it only searches for it in the first Message entry. Any idea if I need to change my modsecurity config to make it work?
Sample:
--07b0a65c-H--
Message: [file "/etc/httpd/owasp-modsecurity-crs-3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "68"] [id "942100"] [rev "1"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: n)on foun
d within ARGS:Password: xxxxxxx"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/W
EB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] Warning. detected SQLi using libinjection with fingerprint 'n)on'
Message: [file "/etc/httpd/owasp-modsecurity-crs-3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-mul
ti"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score.
Message: [file "/etc/httpd/owasp-modsecurity-crs-3.0/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=
0,SESS=0): SQL Injection Attack Detected via libinjection"] [tag "event-correlation"] Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1492672332302715 14987 (- - -)
Stopwatch2: 1492672332302715 14987; combined=13508, p1=560, p2=12780, p3=0, p4=0, p5=167, sr=70, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "ENABLED"
... View more