ModSecurity won’t apply rules – no error log entries [migrated]

I have a fresh installation of CentOS 8. I installed Apache 2.4.37 from the repo. Then installed the latest ModSecurity:

dnf install mod_security -y 

Checked the installation

dnf info mod_security 

Result:

Name         : mod_security
Version      : 2.9.2

The required Apache modules are available / loaded:

apachectl -M | grep security -> security2_module (shared)
apachectl -M | grep unique -> unique_id_module (shared)

Installed the core rule set from the repo:

dnf install mod_security_crs 

which automatically links the rules into the Apache folder

/etc/httpd/modsecurity.d/activated_rules

Rules have been checked / are in place.

The main config file

/etc/httpd/conf.d/mod_security.conf 

includes necessary further config files, including the rules conf files themselves:

IncludeOptional /etc/httpd/modsecurity.d/crs-setup.conf
IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
IncludeOptional /etc/httpd/modsecurity.d/local_rules/*.conf

(paths have been double-checked) and activates the rules engine:

SecRuleEngine On 

The rules config file modsecurity.d/crs-setup.conf (which is included in mod_security.conf, see above) provides

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

Apache httpd.conf calls ModSecurity:

SecStatusEngine On 

A restart (apachectl restart) shows that ModSecurity was loaded successfully:

ModSecurity: StatusEngine call successfully sent. <-- including LUA etc. 

Tests with manipulated URLs like a script insert:

/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27 

show no reaction whatsoever on ModSecurity’s side. No entries at all in ModSecurity’s audit and debug log files (debug level was set to 3), no errors in Apache’s log files.
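
A configuration check for the setup described in the question, added here as an example and not part of the original post: `IncludeOptional` silently skips a pattern that matches no file, and a later `SecRuleEngine` directive replaces an earlier one, so neither case leaves a log entry. The function names are hypothetical, and the script assumes absolute include paths without spaces and directive names spelled as in the post.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# Print the argument of every IncludeOptional line in config file $1.
include_patterns() {
    sed -n 's/^[[:space:]]*IncludeOptional[[:space:]]\{1,\}//p' "$1" | tr -d '"'
}

# Print each IncludeOptional pattern in $1 that matches no existing file.
# Apache ignores such patterns without logging anything.
empty_includes() {
    include_patterns "$1" | while read -r pattern; do
        found=0
        for f in $pattern; do          # unquoted on purpose: expand the glob
            if [ -e "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$pattern"; fi
    done
}

# Print "file:line:directive" for every SecRuleEngine setting, main file
# first, then each included file in include order. The last line printed
# is the setting most likely to be in effect at server level.
engine_settings() {
    {
        printf '%s\n' "$1"
        include_patterns "$1" | while read -r pattern; do
            for f in $pattern; do
                if [ -f "$f" ]; then printf '%s\n' "$f"; fi
            done
        done
    } | while read -r file; do
        # /dev/null as a second operand forces grep to print the file name
        grep -n '^[[:space:]]*SecRuleEngine[[:space:]]' "$file" /dev/null || true
    done
}

# Run against a config file when one is given on the command line, e.g.
#   sh check.sh /etc/httpd/conf.d/mod_security.conf
if [ "$#" -ge 1 ]; then
    echo "IncludeOptional patterns matching no file:"
    empty_includes "$1"
    echo "SecRuleEngine settings found:"
    engine_settings "$1"
fi
```

Any value other than `On` in the last reported setting (`Off` or `DetectionOnly`) means requests are not blocked; the check does not follow `<VirtualHost>` or `<Directory>` scoping.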