
How to put specific rules in OWASP core ruleset in detection mode?

Çağlar Arlı


This is the content of my RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# Set the rules to detection mode (they will log but not block)
SecRuleUpdateActionById 941100 "pass,log"
SecRuleUpdateActionById 941110 "pass,log"
SecRuleUpdateActionById 941160 "pass,log"
SecRuleUpdateActionById 941390 "pass,log"

When I try to send a request with an XSS payload (the rules mentioned above are the ones that are supposed to detect XSS) to my nginx server, I'm still getting a 403 status code even though I have told ModSecurity explicitly to pass the request if any of the above-mentioned rules match.

Audit Log Output

ModSecurity: Warning. detected XSS using libinjection. [file "/usr/local/coreruleset-4.4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "82"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:username: <script>alert('XSS')</script>"] [severity "2"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.38.135.193"] [uri "/"] [unique_id "172775143962.900184"] [ref "v292,29t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<script[^>]*>[\s\S]*?' against variable `ARGS:username' (Value: `<script>alert('XSS')</script>' ) [file "/usr/local/coreruleset-4.4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "108"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:username: <script>alert('XSS')</script>"] [severity "2"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.38.135.193"] [uri "/"] [unique_id "172775143962.900184"] [ref "o0,8v292,29t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A (4341 characters omitted)' against variable `ARGS:username' (Value: `<script>alert('XSS')</script>' ) [file "/usr/local/coreruleset-4.4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941160"] [rev ""] [msg "NoScript XSS InjectionChecker: HTML Injection"] [data "Matched Data: <script found within ARGS:username: <script>alert('XSS')</script>"] [severity "2"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.38.135.193"] [uri "/"] [unique_id "172775143962.900184"] [ref "o0,7v292,29t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(' against variable `ARGS:username' (Value: `<script>alert('XSS')</script>' ) [file "/usr/local/coreruleset-4.4.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "713"] [id "941390"] [rev ""] [msg "Javascript method detected"] [data "Matched Data: alert( found within ARGS:username: <script>alert('XSS')</script>"] [severity "2"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "attack-xss"] [tag "xss-perf-disable"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname "10.38.135.193"] [uri "/"] [unique_id "172775143962.900184"] [ref "o8,6v292,29t:htmlEntityDecode,t:jsDecode"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `20' ) [file "/usr/local/coreruleset-4.4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"] [hostname "10.38.135.193"] [uri "/"] [unique_id "172775143962.900184"] [ref ""]

This is the path of my rules folder

/usr/local/coreruleset-4.4.0/rules

This is how I'm loading the rules in the main.conf file

Include /etc/nginx/modsec/modsecurity.conf

Include /usr/local/coreruleset-4.4.0/crs-setup.conf
Include /usr/local/coreruleset-4.4.0/rules/*.conf
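As an added illustration (not part of the question, and not code from the CRS project): a small Python model of CRS anomaly scoring run over trimmed copies of the audit-log lines quoted above. It assumes the stock CRS severity-to-points mapping (critical 5, error 4, warning 3, notice 2) and the default inbound threshold of 5, and it reproduces the logged "Total Score: 20" to show why swapping a rule's disruptive action to pass,log still ends in a 403 from 949110, whereas a rule that is removed contributes nothing.

```python
import re
from typing import Dict, List, Tuple

# CRS adds points to tx.inbound_anomaly_score per matched rule based on the
# rule's ModSecurity severity: 2=CRITICAL(5), 3=ERROR(4), 4=WARNING(3), 5=NOTICE(2).
SEVERITY_POINTS = {2: 5, 3: 4, 4: 3, 5: 2}
BLOCKING_THRESHOLD = 5  # default tx.inbound_anomaly_score_threshold in crs-setup.conf

# Constructed, shortened excerpts of the audit-log lines shown in the question.
SAMPLE_LOG = """\
ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"]
ModSecurity: Warning. Matched Rx [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "2"]
ModSecurity: Warning. Matched Rx [id "941160"] [msg "NoScript XSS InjectionChecker: HTML Injection"] [severity "2"]
ModSecurity: Warning. Matched Rx [id "941390"] [msg "Javascript method detected"] [severity "2"]
ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20)"] [severity "0"]
"""

FIELD = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')
TOTAL = re.compile(r"Total Score: (\d+)")


def parse_alerts(log_text: str) -> List[Dict[str, str]]:
    """Extract id/msg/severity from each audit line. The 949xxx/980xxx evaluation
    rules only report the score, so they are skipped rather than counted."""
    alerts = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "id" in fields and not fields["id"].startswith(("949", "980")):
            alerts.append(fields)
    return alerts


def reported_total(log_text: str) -> int:
    """Total score as printed by rule 949110, used to cross-check the model."""
    match = TOTAL.search(log_text)
    return int(match.group(1)) if match else 0


def anomaly_score(alerts: List[Dict[str, str]], overrides: Dict[str, str]) -> Tuple[int, bool]:
    """overrides maps rule id -> "pass" or "remove".
    "pass" models SecRuleUpdateActionById <id> "pass,log": only the disruptive action
    is replaced, the rule's setvar still runs, so its points are still added.
    "remove" models SecRuleRemoveById / ctl:ruleRemoveById: the rule never runs."""
    score = 0
    for alert in alerts:
        if overrides.get(alert["id"]) == "remove":
            continue
        score += SEVERITY_POINTS.get(int(alert["severity"]), 0)
    return score, score >= BLOCKING_THRESHOLD


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    passed = {i: "pass" for i in ("941100", "941110", "941160", "941390")}
    print("pass,log on all four rules:", anomaly_score(found, passed))   # (20, True)
    print("rules removed instead:", anomaly_score(found, {i: "remove" for i in passed}))
```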