From 5cd92fe669794304b04634d5a1e2d2e610e872eb Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Fri, 6 Mar 2026 16:28:20 +0100
Subject: [PATCH] revert SecAuditEngine to RelevantOnly to prevent log flooding

SecAuditEngine On logs every request through the WAF regardless of whether any rules matched, causing massive disk I/O on busy hosts (e.g. during Docker image pushes). RelevantOnly still captures DetectionOnly hits because OWASP CRS rules include auditlog in their SecDefaultAction, so rule-matched transactions are marked for audit logging. Only truly clean requests (no rule match at all) are silently skipped.

Co-Authored-By: Claude Sonnet 4.6
---
 src/lib/caddy.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index cb5667aa..d05a5e38 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -852,9 +852,10 @@ function buildWafHandler(waf: WafSettings): Record {
 ...(waf.mode === 'DetectionOnly' ? [
 'SecAction "id:9998001,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=9999999,setvar:tx.outbound_anomaly_score_threshold=9999999"',
 ] : []),
- // Log all transactions so DetectionOnly hits are captured and shown in WAF Events.
- // Body parts are excluded (see SecAuditLogParts below) so large uploads don't bloat the log.
- 'SecAuditEngine On',
+ // RelevantOnly logs transactions where a rule fired with the auditlog action (which all OWASP
+ // CRS rules include via SecDefaultAction), covering both blocked and DetectionOnly hits.
+ // Clean requests with no rule matches are silently skipped, avoiding massive log growth.
+ 'SecAuditEngine RelevantOnly',
 'SecAuditLog /logs/waf-audit.log',
 'SecAuditLogFormat JSON',
 // Omit request/response bodies (parts I, J, E) and intermediate response headers (D)
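Review bot: Under `SecAuditEngine RelevantOnly` a transaction reaches /logs/waf-audit.log only if a rule tagged it with `auditlog` or its response status matches `SecAuditLogRelevantStatus`, and this hunk sets no `SecAuditLogRelevantStatus`; unless one is emitted elsewhere in buildWafHandler (the rest of the function is outside the hunk), 4xx/5xx responses that no rule touched will now vanish from WAF Events, which is exactly the signal an operator uses to spot probing that CRS missed. Adding `'SecAuditLogRelevantStatus "^(?:5|4(?!04))"',` next to the `SecAuditLog` line restores the ModSecurity/CRS recommended behaviour without going back to logging every clean request. The new comment's claim that all CRS rules carry `auditlog` holds only because crs-setup.conf declares `SecDefaultAction` with `auditlog` for each phase, not because the rules set it themselves; a deployment with a custom setup file, or operator-added rules evaluated without such a default, would drop DetectionOnly hits silently with no error. I would phrase the comment as `// ... (CRS rules inherit auditlog from the SecDefaultAction in crs-setup.conf; custom rules must set auditlog explicitly or they will never appear in WAF Events)` and, since the 9998001 `SecAction` right above uses `nolog` (which implies `noauditlog`), note there that it is intentionally invisible in the audit log.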