In ModSecurity 2, I want to disable logging for some specific rule IDs (the most frequent false positives from the default rules).
I want to keep the rules active for anomaly-scoring, but just turn off logging for some.
How do I do that?
You can use SecRuleUpdateActionById to achieve this.
For example if you have this:
# The original rule, which logs and passes:
SecRule ARGS attack "phase:2,id:12345,log,pass"
# Replaces the rule's whole action list (phase and id are kept); 'log' is not repeated, so the match is no longer logged:
SecRuleUpdateActionById 12345 "pass"
Then you will remove logging. Note this will completely replace the action part of the rule (except the phase and the id), so you will need to copy all the actions of the original rule to SecRuleUpdateActionById. Not sure how sustainable this is in the long term, as if you ever update the rules to a new version you will need to check none of the actions have changed.
To be honest, noisy logs is one of the main reasons I don't like the anomaly scoring method - I prefer rules to only fire if they mean something, so I use standard blocking mode and just disable these noisy rules completely if they frequently give false positives.
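The same approach worked through for an anomaly-scoring style rule, as an added example that is not from the answer above or from any real rule set: the rule, its id 900001, the message and the tx variable name are all constructed for illustration.

```apache
# Constructed example rule in anomaly-scoring style (hypothetical id 900001).
# On a match it logs, adds to the transaction's anomaly score and passes,
# leaving the blocking decision to a later scoring rule.
SecRule ARGS "@rx attack" \
    "id:900001,phase:2,log,pass,\
    msg:'Example attack pattern (constructed)',\
    setvar:'tx.anomaly_score=+5'"

# Must come after the rule it modifies. The whole action list is replaced
# (phase and id are kept), so every action is repeated and only 'log'
# is swapped for 'nolog': the score is still incremented, but the match
# no longer produces a log entry.
SecRuleUpdateActionById 900001 \
    "nolog,pass,\
    msg:'Example attack pattern (constructed)',\
    setvar:'tx.anomaly_score=+5'"
```

Keep in mind that nolog also implies noauditlog; if you still want the transaction recorded in the audit log for later investigation, add auditlog after nolog in the update directive.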