From ab7fb70ee4c8f082a97a14d69226b725691b3714 Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Wed, 4 Mar 2026 02:29:06 +0100
Subject: [PATCH] =?UTF-8?q?fix:=20revert=20SecAuditEngine=20to=20On=20?=
 =?UTF-8?q?=E2=80=94=20RelevantOnly=20suppresses=20WAF-blocked=20logs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Coraza's RelevantOnly mode does not write audit log entries for requests
blocked by the WAF itself (403 responses), so the waf-log-parser had
nothing to parse. Reverting to On so all transactions are logged, and
relying on the parser-side messages[] filter to skip clean requests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/lib/caddy.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index c90f127a..38c6afaf 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -838,7 +838,7 @@ function buildWafHandler(waf: WafSettings): Record<string, unknown> {
       'Include @owasp_crs/*.conf',
     ] : []),
     `SecRuleEngine ${waf.mode}`,
-    'SecAuditEngine RelevantOnly',
+    'SecAuditEngine On',
     'SecAuditLog /logs/waf-audit.log',
     'SecAuditLogFormat JSON',
     'SecAuditLogParts ABIJDEFHZ',