[prelude-user] modsecurity 2 log format
Fest Jean-Sébastien
j.fest at lp-system.fr
Tue Nov 20 10:07:31 CET 2007
Hello,
I use mod_security 2 and prelude-lml fails to handle these logs. The PCRE
rules are for modsecurity 1.8 and the v2 addition (id 3108) doesn't match with
parts.
The log format is:
--d7a49f7c-A--
[16/Nov/2007:15:06:01 +0100] THOk-lEZwkAAABQwVKcAAAAv xxx.xxx.xxx.xxx
54576 xxx.xxx.xxx.xxx 80
--d7a49f7c-B--
GET /root.exe HTTP/1.1
Host: xxxxxxxxxxxxxxxxxxx
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8)
Gecko/20061201 Firefox/2.0.0.8 (Ubuntu-feisty)
Accept: text/xml,application/xml,application/xhtml
+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=5821d290d55454dbe7d820be094f7ea5
Cache-Control: max-age=0
--d7a49f7c-H--
Message: Access denied with code 500 (phase 1). Pattern match "\
\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|
ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|
d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|
l(?:icx|nk|og)|\\w{,5}~|webinfo|ht[rw]|xs ..." at REQUEST_BASENAME. [id
"960035"] [msg "URL file extension is restricted by policy"] [severity
"CRITICAL"]
Action: Intercepted (phase 1)
Stopwatch: 1195221961647358 943 (- - -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.0.52 (Red Hat)
--d7a49f7c-Z--
Does anybody use this log format?
Thanks.
--
FEST Jean-Sébastien
Technical project manager
j.fest at lp-system.fr
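A small parser for the multipart ModSecurity 2 audit-log layout shown above, added here as an example (it is not code from prelude-lml or from the poster). It assumes the "Message:" line is a single line in the real audit file (the copy above is wrapped by the mail client) and uses constructed sample values.

```python
import re

# Constructed sample in the ModSecurity 2 audit-log layout from the post
# (addresses and hostname are made up; the rule pattern is shortened).
SAMPLE = r"""--d7a49f7c-A--
[16/Nov/2007:15:06:01 +0100] THOk-lEZwkAAABQwVKcAAAAv 192.0.2.10 54576 192.0.2.80 80
--d7a49f7c-B--
GET /root.exe HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
--d7a49f7c-H--
Message: Access denied with code 500 (phase 1). Pattern match "\.(?:exe|dll)$" at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"]
Action: Intercepted (phase 1)
Producer: ModSecurity v2.1.1 (Apache 2.x)
--d7a49f7c-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")          # --<audit id>-<part>--
PART_A = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<uid>\S+) (?P<sip>\S+) (?P<sport>\d+) "
                    r"(?P<dip>\S+) (?P<dport>\d+)$")
DENIED = re.compile(r"with code (?P<code>\d+) \(phase (?P<phase>\d+)\)")
TAG = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')        # [id "..."] [msg "..."] ...

def split_parts(entry):
    """Return (audit_id, {part letter: [lines]}) for one audit-log entry."""
    audit_id, parts, current = None, {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            audit_id, current = m.group(1), m.group(2)
            parts.setdefault(current, [])
        elif current is not None:
            parts[current].append(line)
    return audit_id, parts

def parse_entry(entry):
    """Extract the fields a log monitor would alert on from parts A, B and H."""
    audit_id, parts = split_parts(entry)
    out = {"audit_id": audit_id}
    out.update(PART_A.match(parts["A"][0]).groupdict())
    method, uri = parts["B"][0].split(" ")[:2]               # request line
    out.update(method=method, uri=uri)
    for line in parts.get("H", []):                          # H is absent if nothing fired
        key, _, value = line.partition(": ")
        if key == "Message":
            tags = {t.group("key"): t.group("val") for t in TAG.finditer(value)}
            out.update(rule_id=tags.get("id"), msg=tags.get("msg"),
                       severity=tags.get("severity"))
            d = DENIED.search(value)
            if d:
                out.update(code=d.group("code"), phase=d.group("phase"))
        elif key in ("Action", "Producer"):
            out[key.lower()] = value
    return out
```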