diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index 38c6afaf..c90f127a 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -838,7 +838,7 @@ function buildWafHandler(waf: WafSettings): Record {
 'Include @owasp_crs/*.conf',
 ] : []),
 `SecRuleEngine ${waf.mode}`,
- 'SecAuditEngine On',
+ 'SecAuditEngine RelevantOnly',
 'SecAuditLog /logs/waf-audit.log',
 'SecAuditLogFormat JSON',
 'SecAuditLogParts ABIJDEFHZ',
diff --git a/src/lib/waf-log-parser.ts b/src/lib/waf-log-parser.ts
index 10bd60fa..12652dde 100644
--- a/src/lib/waf-log-parser.ts
+++ b/src/lib/waf-log-parser.ts
@@ -107,7 +107,10 @@ function parseLine(line: string): typeof wafEvents.$inferInsert | null {
 const hostArr = req.headers?.['host'] ?? req.headers?.['Host'];
 const host = Array.isArray(hostArr) ? (hostArr[0] ?? '') : (hostArr ?? '');
- const firstMsg = entry.messages?.[0];
+ // Only store events where at least one rule matched
+ if (!entry.messages?.length) return null;
+
+ const firstMsg = entry.messages[0];
 const ruleId = firstMsg?.data?.id != null ? Number(firstMsg.data.id) : null;
 const ruleMessage = firstMsg?.data?.msg ?? null;
 const severity = firstMsg?.data?.severity ?? null;
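Review bot: With `'SecAuditEngine RelevantOnly'` the audit log no longer covers every transaction, and what counts as relevant by response status is left to the engine default because no `SecAuditLogRelevantStatus` directive appears among the directives visible in this hunk. The directive array in buildWafHandler starts and ends outside the hunk, so it may be set elsewhere. If it is not, I would pin it next to this line, e.g. `'SecAuditLogRelevantStatus "<status-regex placeholder>"',`, so the logging scope is explicit and reviewable. A short comment such as `// RelevantOnly: only transactions that matched a rule or returned a relevant status are written to waf-audit.log` would also record that clean traffic is deliberately no longer available for forensics.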
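Review bot: The new guard `if (!entry.messages?.length) return null;` discards an audit entry with no messages through the same `null` that the signature presumably also uses for lines it cannot parse, so the caller cannot tell "no rule matched" from "malformed line". The other file in this commit switches to `SecAuditEngine RelevantOnly`, so if the engine also logs entries purely for a relevant response status, they would be dropped here without a trace in the event store. I would make that explicit in the comment, e.g. `// Skip entries with no rule match (e.g. logged only for response status); they remain in waf-audit.log but are not stored`, and consider counting skipped lines so the gap is visible. parseLine starts and ends outside the hunk.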