fix: revert SecAuditEngine to On — RelevantOnly suppresses WAF-blocked logs

Coraza's RelevantOnly mode does not write audit log entries for requests blocked by the WAF itself (403 responses), so the waf-log-parser had nothing to parse. Reverting to On so all transactions are logged, and relying on the parser-side messages[] filter to skip clean requests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-04 02:29:06 +01:00
parent a2c6991abd
commit ab7fb70ee4
1 changed files with 1 additions and 1 deletions
@@ -838,7 +838,7 @@ function buildWafHandler(waf: WafSettings): Record<string, unknown> {
      'Include @owasp_crs/*.conf',
    ] : []),
    `SecRuleEngine ${waf.mode}`,
-    'SecAuditEngine RelevantOnly',
+    'SecAuditEngine On',
    'SecAuditLog /logs/waf-audit.log',
    'SecAuditLogFormat JSON',
    'SecAuditLogParts ABIJDEFHZ',