From a2c6991abd56f6805029ff9d4b63a7e55c2b61e7 Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 4 Mar 2026 02:25:21 +0100
Subject: [PATCH] fix: only log WAF events where rules matched

- Change SecAuditEngine from On to RelevantOnly so Coraza only writes audit log entries for transactions that triggered at least one rule. Previously all requests were logged regardless of matches.
- Add parser-side guard to skip entries with empty messages array as belt-and-suspenders against any pre-existing clean entries in log.

Co-Authored-By: Claude Sonnet 4.6
---
 src/lib/caddy.ts | 2 +-
 src/lib/waf-log-parser.ts | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index 38c6afaf..c90f127a 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -838,7 +838,7 @@ function buildWafHandler(waf: WafSettings): Record {
 'Include @owasp_crs/*.conf',
 ] : []),
 `SecRuleEngine ${waf.mode}`,
- 'SecAuditEngine On',
+ 'SecAuditEngine RelevantOnly',
 'SecAuditLog /logs/waf-audit.log',
 'SecAuditLogFormat JSON',
 'SecAuditLogParts ABIJDEFHZ',
diff --git a/src/lib/waf-log-parser.ts b/src/lib/waf-log-parser.ts
index 10bd60fa..12652dde 100644
--- a/src/lib/waf-log-parser.ts
+++ b/src/lib/waf-log-parser.ts
@@ -107,7 +107,10 @@ function parseLine(line: string): typeof wafEvents.$inferInsert | null {
 const hostArr = req.headers?.['host'] ?? req.headers?.['Host'];
 const host = Array.isArray(hostArr) ? (hostArr[0] ?? '') : (hostArr ?? '');
- const firstMsg = entry.messages?.[0];
+ // Only store events where at least one rule matched
+ if (!entry.messages?.length) return null;
+
+ const firstMsg = entry.messages[0];
 const ruleId = firstMsg?.data?.id != null ? Number(firstMsg.data.id) : null;
 const ruleMessage = firstMsg?.data?.msg ?? null;
 const severity = firstMsg?.data?.severity ?? null;
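Review bot: `SecAuditEngine RelevantOnly` on the added line does not by itself restrict the audit log to transactions with rule matches; in seclang semantics a transaction is also "relevant" when its response status matches `SecAuditLogRelevantStatus`, so error responses can still produce entries whose `messages` array is empty. That makes the parser guard in waf-log-parser.ts the part that actually enforces the "rules matched" criterion, not the belt-and-suspenders the commit message describes, and a comment next to the directive should say so, e.g. `// RelevantOnly: logs rule matches plus responses matching SecAuditLogRelevantStatus; match-less entries are dropped by waf-log-parser.ts`. If strictly match-only logging is wanted, consider setting `SecAuditLogRelevantStatus` explicitly in this same list rather than relying on the engine default, which I have not verified for Coraza. buildWafHandler continues outside the hunk.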
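Review bot: The added comment `// Only store events where at least one rule matched` overstates what the guard checks: `messages` carries only rules that emitted a log message, so matches from rules using `nolog`/`noauditlog` are not visible here, and with `RelevantOnly` an entry may exist purely because of its response status. A more precise wording is `// Skip audit entries with no rule messages (e.g. written only for a relevant response status); nolog matches are not recoverable here`. After the guard, the `firstMsg?.` chaining on the three following lines stays meaningful only under `noUncheckedIndexedAccess` (where `entry.messages[0]` is still `T | undefined`); if the project does not enable it, those `?.` are now dead and could be dropped for clarity. parseLine continues outside the hunk.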