diff --git a/ChangeLog b/ChangeLog
index d9f0f171..11f43739 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -51,6 +51,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
 * `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
 * `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only whole words and fixed string (not as pattern), gh-2298
+* `filter.d/apache-auth.conf`:
+ - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
+ - extended with option `mode` - `normal` (default) and `aggressive`
 * `filter.d/sshd.conf`:
 - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
 - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 91c89b26..40f6d6e3 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -9,6 +9,16 @@ before = apache-common.conf
 
 [Definition]
 
+# Mode for filter: normal (default) and aggressive (allows DDoS & brute force detection of mod_evasive)
+mode = normal
+
+# ignore messages of mod_evasive module:
+apache-pref-ign-normal = (?!evasive)
+# allow "denied by server configuration" from all modules:
+apache-pref-ign-aggressive =
+# mode related ignore prefix for common _apache_error_client substitution:
+apache-pref-ignore = >
+
 prefregex = ^%(_apache_error_client)s (?:AH\d+: )?.+$
 
 # auth_type = ((?:Digest|Basic): )?
diff --git a/config/filter.d/apache-common.conf b/config/filter.d/apache-common.conf
index 3eec83d0..6577fe7d 100644
--- a/config/filter.d/apache-common.conf
+++ b/config/filter.d/apache-common.conf
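Review bot: The `# Mode for filter:` comment introducing `mode` does not say what an `aggressive` ban is keyed on, which is the one thing an operator enabling it needs to know: the test log added in this commit shows that in aggressive mode a `[evasive20:error] ... client denied by server configuration` line counts as a failure, and mod_evasive denies on request rate rather than on bad credentials, so a legitimate but bursty client can end up banned by an authentication jail. Suggest extending the comment to `# aggressive: also counts mod_evasive (evasive20:error) denials, which are rate-based rather than authentication failures, so expect more false positives`. As rendered here, `apache-pref-ignore = >` appears to have lost a `<...>` substitution, so the mode-to-prefix wiring itself cannot be checked from this page.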
@@ -27,7 +27,9 @@ _daemon = (?:apache\d*|httpd(?:/\w+)?)
 
 
 apache-prefix = >
-_apache_error_client = \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (:\d{1,5})?\]
+apache-pref-ignore =
+
+_apache_error_client = \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (:\d{1,5})?\]
 
 datepattern = {^LN-BEG}
 
diff --git a/fail2ban/tests/files/logs/apache-auth b/fail2ban/tests/files/logs/apache-auth
index 93040b1d..fd3bae82 100644
--- a/fail2ban/tests/files/logs/apache-auth
+++ b/fail2ban/tests/files/logs/apache-auth
@@ -134,6 +134,14 @@
 # failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
 [Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02033: No hostname was provided via SNI for a name based virtual host
 
+# failJSON: { "match": false, "desc": "ignore mod_evasive errors in normal mode (gh-2548)" }
+[Thu Oct 17 18:43:40.160521 2019] [evasive20:error] [pid 22589] [client 192.0.2.1:56175] client denied by server configuration: /path/index.php, referer: https://hostname/path/
+
+# filterOptions: {"mode": "aggressive"}
+
+# failJSON: { "time": "2019-10-17T18:43:40", "match": true, "host": "192.0.2.1", "desc": "accept mod_evasive errors in aggressive mode (gh-2548)" }
+[Thu Oct 17 18:43:40.160521 2019] [evasive20:error] [pid 22589] [client 192.0.2.1:56175] client denied by server configuration: /path/index.php, referer: https://hostname/path/
+
 # filterOptions: {"logging": "syslog"}
 # failJSON: { "time": "2005-02-15T16:23:00", "match": true , "host": "192.0.2.1", "desc": "using syslog (ErrorLog syslog)" }
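Review bot: The re-added `_apache_error_client` line keeps the group opener `(:?error|\S+:\S+)`, where `(:?` is an optional literal colon inside a capturing group rather than the non-capturing `(?:` that was evidently intended; it still matches `[error]` only because the stray colon is optional, and it adds an unnamed capture group to every match. Since the line is being rewritten in this hunk anyway, changing the opener from `(:?` to `(?:` would fix it and make it consistent with `(?:AH\d+: )?` in the apache-auth.conf prefregex. Note that on this page the removed and added lines look identical and `apache-pref-ignore` is shown empty, so the `<...>` substitution tokens seem to have been stripped in rendering; the point above concerns only the visible group syntax.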