Top 100 ModSecurity Exceptions and Security Auditing Plugins for Apache in Highly Competitive Technical Niches
Leveraging ModSecurity for E-commerce Security: Beyond the Basics
In the hyper-competitive e-commerce landscape, robust security isn’t a luxury; it’s a fundamental requirement. ModSecurity, the open-source Web Application Firewall (WAF), is a cornerstone for protecting Apache-based e-commerce platforms. While its default rulesets offer a baseline, true security requires a nuanced approach: understanding common false positives, implementing precise exceptions, and integrating advanced auditing for continuous threat intelligence. This post dives into practical strategies for tuning ModSecurity, focusing on the specific needs of high-traffic, technically demanding e-commerce environments.
Common E-commerce ModSecurity Exceptions: A Pragmatic Approach
False positives are the bane of any WAF administrator. In e-commerce, they can disrupt critical user flows, from checkout processes to personalized recommendations. Identifying and whitelisting legitimate traffic patterns is crucial. Below are common scenarios and their corresponding ModSecurity exception directives. These are best placed in a dedicated `modsecurity_local.conf` file or within your Apache virtual host configuration for clarity and maintainability.
1. AJAX Requests with Complex Data Structures
Many modern e-commerce frontends rely heavily on AJAX for dynamic content loading, search suggestions, and cart updates. These requests often involve complex JSON payloads or URL-encoded data that can trigger generic rules. For instance, a rule targeting SQL injection might flag legitimate, albeit unusual, character sequences within a product ID or search query parameter.
Example: Whitelisting AJAX Product Search
Consider a scenario where your search endpoint (`/api/search`) accepts a JSON payload containing a `query` parameter. A rule like `SecRule ARGS “@rx [^a-zA-Z0-9\s\-_]” “id:12345,phase:2,log,auditlog,deny,msg:’Potentially Malicious Search Query Characters'”` might be too aggressive. To exempt this specific request:
SecRule REQUEST_URI "@streq /api/search" "id:900001,phase:1,pass,nolog" SecRule REQUEST_HEADERS:Content-Type "@streq application/json" "id:900002,phase:1,pass,nolog" SecRule ARGS:query "@rx [^a-zA-Z0-9\s\-_]" "id:12345,phase:2,ctl:ruleRemoveById=12345,log,auditlog,deny,msg:'Potentially Malicious Search Query Characters'"
Explanation:
- `id:900001,phase:1,pass,nolog` and `id:900002,phase:1,pass,nolog`: These rules act as a bypass for subsequent rules targeting the specific request URI and Content-Type. They don’t log or deny, simply allowing the request to proceed to the next phase.
- `ctl:ruleRemoveById=12345`: This is the critical part. It tells ModSecurity to disable rule ID `12345` *only* for the current transaction that matched the preceding conditions (URI `/api/search` and `Content-Type: application/json`).
2. User-Generated Content with Rich Formatting
Product reviews, forum posts, and user profiles often allow HTML or Markdown. Rules designed to prevent XSS attacks can inadvertently block legitimate formatting tags like ``, ``, or even simple line breaks (`
`).
Example: Allowing Specific HTML Tags in Reviews
If your review submission endpoint is `/submit_review` and it accepts an `html_content` parameter, you might need to relax rules that block tags like `` or ``. Assuming rule ID `942100` is the culprit:
SecRule REQUEST_URI "@streq /submit_review" "id:900003,phase:1,pass,nolog" SecRule ARGS:html_content "@rx <script>" "id:942100,phase:2,log,auditlog,deny,msg:'XSS Script Tag Detected'" # Add exceptions for allowed tags SecRule REQUEST_URI "@streq /submit_review" "id:900004,phase:2,ctl:ruleRemoveById=942100,log,auditlog,pass" SecRule ARGS:html_content "@rx <strong>" "id:900005,phase:2,ctl:ruleRemoveById=942100,log,auditlog,pass" SecRule ARGS:html_content "@rx <em>" "id:900006,phase:2,ctl:ruleRemoveById=942100,log,auditlog,pass"
Explanation:
- The initial rule `id:942100` is the general XSS detection.
- Subsequent rules (`id:900004`, `id:900005`, `id:900006`) are specifically crafted to *remove* the `942100` block for transactions involving the `/submit_review` URI and arguments containing allowed HTML tags. The `pass` action ensures these specific exceptions are processed without further scrutiny by rule `942100`.
3. API Endpoints with Specific Parameter Formats
E-commerce platforms often expose APIs for internal services, partner integrations, or mobile apps. These APIs might use unconventional parameter names or formats that trigger generic security rules. For example, a parameter like `_csrf_token` might be flagged by rules looking for suspicious double-underscores.
Example: Whitelisting API Token Parameter
If your API endpoint `/api/v1/products` uses a parameter named `_internal_auth_key` which contains a long, complex string, and rule ID `950001` flags it:
SecRule REQUEST_URI "@streq /api/v1/products" "id:900007,phase:1,pass,nolog"
SecRule ARGS:_internal_auth_key "@rx ^[a-zA-Z0-9\-_]{32,}$" "id:950001,phase:2,log,auditlog,deny,msg:'Suspicious Double Underscore in Argument Name'"
# Exception for the specific API endpoint and parameter
SecRule REQUEST_URI "@streq /api/v1/products" "id:900008,phase:2,ctl:ruleRemoveById=950001,log,auditlog,pass"
SecRule ARGS:_internal_auth_key "@rx ^[a-zA-Z0-9\-_]{32,}$" "id:900009,phase:2,ctl:ruleRemoveById=950001,log,auditlog,pass"
Explanation:
- Similar to previous examples, we identify the specific URI and parameter.
- The `ctl:ruleRemoveById=950001` directive is applied conditionally to exempt transactions matching the API endpoint and the specific parameter name, preventing rule `950001` from blocking legitimate API calls.
4. Third-Party Integrations and Payment Gateways
Integrating with external services like payment gateways (Stripe, PayPal), analytics providers, or CRM systems can introduce traffic patterns that ModSecurity might misinterpret. These often involve specific URL structures, query parameters, or POST data formats.
Example: Allowing Callback URLs from Payment Gateway
Suppose your payment gateway uses a callback URL like `/payment/success?txn_id=…&status=completed`. A rule targeting unusual query string parameters might block this. If rule ID `960005` is the issue:
SecRule REQUEST_URI "@beginsWith /payment/success" "id:900010,phase:1,pass,nolog" SecRule ARGS:status "@streq completed" "id:900005,phase:2,log,auditlog,deny,msg:'Invalid Payment Status'" # Exception for the payment gateway callback SecRule REQUEST_URI "@beginsWith /payment/success" "id:900011,phase:2,ctl:ruleRemoveById=900005,log,auditlog,pass" SecRule ARGS:status "@streq completed" "id:900012,phase:2,ctl:ruleRemoveById=900005,log,auditlog,pass"
Explanation:
- We use `@beginsWith` to match the callback URL pattern.
- The `ctl:ruleRemoveById=900005` directive is applied to disable the potentially problematic rule for these specific callback transactions.
5. Performance-Intensive Operations (e.g., Image Uploads)
File uploads, especially for product images or user-generated content, can involve large payloads and specific MIME types. Rules designed to detect malicious file uploads might sometimes flag legitimate, large image files.
Example: Exempting Large Image Uploads
If your upload endpoint is `/upload/product_image` and you allow JPEG/PNG files up to 10MB, and rule ID `920350` (e.g., `Filesize Limit`) is too restrictive:
SecRule REQUEST_URI "@streq /upload/product_image" "id:900013,phase:1,pass,nolog" SecRule FILES_CONTENT "@rx ^\xFF\xD8\xFF" "id:900014,phase:2,log,auditlog,pass,content-type:'image/jpeg'" SecRule FILES_CONTENT "@rx ^\x89PNG\x0D\x0A\x1A\x0A" "id:900015,phase:2,log,auditlog,pass,content-type:'image/png'" SecRule FILES_SIZE "@gt 10485760" "id:920350,phase:2,log,auditlog,deny,msg:'Uploaded file exceeds 10MB limit'" # Exception for specific upload type SecRule REQUEST_URI "@streq /upload/product_image" "id:900016,phase:2,ctl:ruleRemoveById=920350,log,auditlog,pass" SecRule FILES_CONTENT "@rx ^\xFF\xD8\xFF" "id:900017,phase:2,ctl:ruleRemoveById=920350,log,auditlog,pass" SecRule FILES_CONTENT "@rx ^\x89PNG\x0D\x0A\x1A\x0A" "id:900018,phase:2,ctl:ruleRemoveById=920350,log,auditlog,pass"
Explanation:
- We first identify legitimate image content using `FILES_CONTENT` and `content-type`.
- The problematic rule `920350` enforces a size limit.
- The exception rules (`id:900016` onwards) use `ctl:ruleRemoveById` to disable rule `920350` specifically for the `/upload/product_image` endpoint and for transactions identified as valid image uploads.
Advanced Security Auditing with ModSecurity Audit Logs
Beyond just blocking threats, ModSecurity’s audit logging provides invaluable insights into attack patterns and potential vulnerabilities. Effective auditing requires proper configuration and a strategy for log analysis.
1. Configuring Comprehensive Audit Logging
The `modsecurity.conf` file controls audit logging. Key directives include:
# Enable audit logging SecAuditEngine RelevantOnly #SecAuditEngine On # Define the log format (Concurrent is generally preferred for easier parsing) SecAuditLogFormat Concurrent # Specify the audit log file path SecAuditLog /var/log/apache2/modsec_audit.log # Define what parts of the transaction to log # Available parts: # Phase 1: Request Headers # Phase 2: Request Body # Phase 3: Response Headers # Phase 4: Response Body # Phase X: Transaction End # Available parts: # ARGS: Arguments (POST, GET, etc.) # ID: Transaction ID # REMOTE_ADDR: Client IP # REQUEST_HEADERS: Request Headers # REQUEST_BODY: Request Body # RESPONSE_HEADERS: Response Headers # RESPONSE_BODY: Response Body # RESPONSE_STATUS: HTTP Status Code # TX: Transaction Variables # Unique: Unique transaction ID # ALL: Log everything (use with caution) SecAuditLogParts ABIFCUXZ # SecAuditLogParts ABCDEFGINSTUXZ # Define the logging level for denied transactions SecAuditLogLevel 2 # 0: No audit logging # 1: Log only transactions that result in a denial. # 2: Log transactions that result in a denial and transactions that ModSecurity modifies. # 3: Log transactions that result in a denial, transactions that ModSecurity modifies, and transactions that trigger warnings. # 4: Log all transactions. # Define the logging level for non-denied transactions (use sparingly) # SecAuditLogRelevantStatus "^(2|3|4)00$" # Log 2xx, 3xx, 4xx responses # SecAuditLogRelevantStatus "^(5|4)0[0-9]$" # Log 4xx, 5xx responses # Define the logging level for all transactions (use with extreme caution on high-traffic sites) # SecAuditLogAllRelevantLogging On
Recommendation for E-commerce: Start with `SecAuditEngine RelevantOnly` and `SecAuditLogParts ABIFCUXZ` (Arguments, Body, ID, File, Client IP, Unique, XML data). Set `SecAuditLogLevel 2`. This captures essential details for denied transactions without overwhelming storage. Periodically review logs for legitimate traffic that was denied (false positives) and adjust rules accordingly.
2. Parsing and Analyzing Audit Logs
Raw audit logs can be verbose. Tools like `audit2allow` (part of the ModSecurity distribution) and dedicated log analysis platforms are essential.
Using `audit2allow` for Rule Generation
`audit2allow` reads audit logs and suggests ModSecurity rules to bypass specific triggers. This is invaluable for generating exceptions based on real-world blocked traffic.
# Filter the audit log for specific transaction IDs or messages grep "ModSecurity: Audit log: " /var/log/apache2/modsec_audit.log > /tmp/modsec_denials.log # Pipe the filtered log to audit2allow /usr/share/modsecurity-crs/audit2allow -w < /tmp/modsec_denials.log # To generate a rule file directly (use with caution, review output first) /usr/share/modsecurity-crs/audit2allow -a < /tmp/modsec_denials.log > /etc/apache2/mods-available/modsecurity_local.conf
Workflow:
- Monitor your `modsec_audit.log` for denied transactions.
- Use `audit2allow -w` to see suggested rules without applying them.
- If the suggestions look correct (i.e., they target legitimate traffic), use `audit2allow -a` to generate the rule and append it to your local configuration file.
- Reload Apache (`sudo systemctl reload apache2`).
- Monitor logs again to ensure the false positive is resolved and no new issues arise.
3. Integrating with SIEM/Log Management Platforms
For larger deployments, forwarding ModSecurity audit logs to a Security Information and Event Management (SIEM) system (e.g., Splunk, ELK Stack, Graylog) provides centralized visibility, correlation, and alerting.
Example: Forwarding Logs via Filebeat (ELK Stack)
Configure Filebeat to tail the ModSecurity audit log and send it to Logstash or directly to Elasticsearch.
# filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/apache2/modsec_audit.log
# Optional: Add multiline settings if logs span multiple lines (Concurrent format helps here)
# multiline.pattern: '^--'
# multiline.negate: true
# multiline.match: after
output.elasticsearch:
hosts: ["your-elasticsearch-host:9200"]
# Optional: Index name for ModSecurity logs
# index: "modsecurity-%{[agent.version]}-%{+yyyy.MM.dd}"
# Optional: Processors for parsing the log format
processors:
- dissect:
tokenizer.fields:
message: "%{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %{+SecAuditLogParts} %