1. View ModSecurity Audit Log File.
- We need to first find the rules that are being triggered by ModSecurity on your webserver.
- Open the tail end of the ModSecurity log file called modsec_audit.log to view the last entries made to the log file.
- For Apache2 servers it is located in /var/log/apache2/
- Open the Terminal Window and enter:
sudo tail /var/log/apache2/modsec_audit.log --lines 60 | less
- The output should look similar to the screenshot below.
- Look for Access denied with code 403 and work backwards to find the start of the rule entry based on the log entry id.
- In this case the log entry ID is --00aee77f (marked in yellow).
- Find the GET item; in this example it is /modern-classic (marked in blue).
- Find the ModSecurity rule that was triggered by the GET; in this example it is rule id 958291 (marked in purple).
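
The manual walk-through above (find the 403 denial, work back to the log entry ID, then read off the GET line and the rule id) can be scripted. This is an added example, not part of the original guide: it assumes the serial (single-file) audit log format, the function names modsec_denied and sample_log are hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Print "entry-id<TAB>request line<TAB>rule ids" for every entry denied with a 403.
# Reads a ModSecurity serial-format audit log on stdin.
modsec_denied() {
  awk '
    # Section boundary such as --00aee77f-B--: remember entry id and section letter
    /^--[0-9A-Za-z]+-[A-Z]--$/ {
      id   = substr($0, 3, length($0) - 6)
      part = substr($0, length($0) - 2, 1)
      if (part == "A") { req = ""; rules = ""; denied = 0 }  # new entry starts
      if (part == "B") want_req = 1                          # request line is next
      if (part == "Z" && denied) printf "%s\t%s\t%s\n", id, req, rules
      next
    }
    # First line of section B is the request line (method, path, protocol)
    part == "B" && want_req { req = $0; want_req = 0; next }
    # Section H holds the Message: lines; collect each rule id on a 403 denial
    part == "H" && /Access denied with code 403/ {
      denied = 1; s = $0
      while (match(s, /\[id "[0-9]+"\]/)) {
        rules = rules (rules == "" ? "" : ",") substr(s, RSTART + 5, RLENGTH - 7)
        s = substr(s, RSTART + RLENGTH)
      }
    }
  '
}

# Constructed sample (not real log data): one blocked entry, one that only warned.
sample_log() {
  cat <<'EOF'
--00aee77f-A--
[01/Jan/2024:10:00:00 +0000] constructedUniqueId1 203.0.113.5 51000 192.0.2.10 80
--00aee77f-B--
GET /modern-classic HTTP/1.1
--00aee77f-H--
Message: Access denied with code 403 (phase 2). [file "constructed.conf"] [line "1"] [id "958291"] [msg "constructed sample"]
Action: Intercepted (phase 2)
--00aee77f-Z--
--1b2c3d4e-A--
[01/Jan/2024:10:00:05 +0000] constructedUniqueId2 203.0.113.5 51001 192.0.2.10 80
--1b2c3d4e-B--
GET /index.html HTTP/1.1
--1b2c3d4e-H--
Message: Warning. [id "900001"] [msg "constructed sample"]
--1b2c3d4e-Z--
EOF
}

sample_log | modsec_denied
```

To run it against the live log, pipe the output of sudo cat /var/log/apache2/modsec_audit.log into modsec_denied instead of sample_log.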