SecAuditLogRelevantStatus conf is not working？

[opsmeta]

Describe the bug

SecAuditLogRelevantStatus "^(?:5|4(?!04))" Already configured，But still record the logs of 2xx and 3xx status codes.

As shown in the figure:

Logs and dumps

Output of:

1. DebugLogs (level 9) 0
2. AuditLogs /tmp/modsec/audit.log
3. Error logs

Expected behavior

SecAuditLog and SecAuditLogStorageDir Only record logs for modsec 4xx and 5xx.

Server (please complete the following information):

• ModSecurity latest with nginx-connector latest 20250811 master
• WebServer: nginx version: openresty/1.21.4.4
• OS (and distro): CentOS Linux release 7.9.2009 (Core)

[airween]

@opsmeta,

Are you sure is this (the second image) your audit.log content? It looks more like error.log than audit.log to me.

[opsmeta]

，

您确定这张（第二张图片）是您audit.log内容吗？在我看来，它更像是error.log而不是audit.log。

YES, conf -> SecAuditLog /tmp/modsec/audit.log
The second image is /tmp/modsec/audit.log

[airween]

Could you upload a part of /tmp/modsec/audit.log?

[opsmeta]

Could you upload a part of /tmp/modsec/audit.log?
Sure, actually, the second image is /tmp/modsec/audit.log ==

172.16.1.10 16.162.192.3 - [11/Aug/2025:18:01:13 +0800] "GET /resource/dev/index.html?t=243736 HTTP/1.1" 304 0 - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0" 175490647321.996545 - /tmp/modsec/audit//20250811/20250811-1801/20250811-180113-175490647321.996545 0 1966.000000 md5:82b2123558f139947fb0fcd04248928a
172.16.1.10 16.162.192.3 - [11/Aug/2025:18:01:13 +0800] "GET /v3/new/homepage/getResourcesInfo?domain=172.16.1.10 HTTP/1.1" 200 0 http://172.16.1.10/resource/dev/index.html?t=243736 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0" 17549064736.000201 http://172.16.1.10/resource/dev/index.html?t=243736 /tmp/modsec/audit//20250811/20250811-1801/20250811-180113-17549064736.000201 0 1852.000000 md5:1629620383bc44b1359daa3fc1e6d4fc
172.16.1.10 16.162.192.3 - [11/Aug/2025:18:01:14 +0800] "GET /favicon.ico HTTP/1.1" 200 0 http://172.16.1.10/resource/dev/index.html?t=243736 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0" 17549064745.110345 http://172.16.1.10/resource/dev/index.html?t=243736 /tmp/modsec/audit//20250811/20250811-1801/20250811-180114-17549064745.110345 0 1774.000000 md5:e461812845657644f7d5516e3ba05995
localhost 127.0.0.1 - [11/Aug/2025:18:08:55 +0800] "GET /?id=../../../../etc/passwd HTTP/1.1" 403 150 - "curl/7.29.0" 175490693524.489644 - /tmp/modsec/audit//20250811/20250811-1808/20250811-180855-175490693524.489644 0 5245.000000 md5:0119ffd5b7b3534fea00673c36c96cfc
localhost 127.0.0.1 - [11/Aug/2025:18:11:32 +0800] "GET /?id=../../../../etc/passwd HTTP/1.1" 403 150 - "curl/7.29.0" 175490709215.719816 - /tmp/modsec/audit//20250811/20250811-1811/20250811-181132-175490709215.719816 0 5245.000000 md5:2415952c2787e5c7b7a6daaaafa35224
172.16.1.10:80 196.251.86.50 - [11/Aug/2025:18:22:07 +0800] "GET / HTTP/1.0" 302 0 - "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0" 175490772778.596816 - /tmp/modsec/audit//20250811/20250811-1822/20250811-182207-175490772778.596816 0 1245.000000 md5:8d2ab26b652d9e5614459e25f58b4d08