Standalone module no longer logs client IP to error log #3373

Closed
@RedXanadu

Describe the bug

The 2.9.8 release introduced a bug for the "standalone module" version of ModSecurity v2 whereby the client source IP address is no longer written to the error log.

This is a very big problem as it is common to rely on the error log output for the purposes of monitoring, resolving false positives, identifying attacks, producing statistics / reports / dashboards, and more. Without the client's IP address in the error logs these tasks become impossible.

This bug was introduced in PR #3192 during an effort to tidy error logging in v2 for Apache. The format strings that control error logging were altered to remove the explicit [client %s] output at the start of the log line. It seems that Apache will implicitly write this source IP information, making it redundant for ModSecurity to add. A standalone (Apache-less) compilation of ModSecurity requires the [client %s] information to be explicitly written to the error log as Apache is not present to implicitly write it.

Logs and dumps

Error log examples:

Before updating to ModSecurity 2.9.8:

2025-05-06T17:02:29+00:00 loadbalancer wafservice: [client 192.168.1.131] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec...

After updating to ModSecurity 2.9.8:

2025-05-06T15:46:11+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/waf/3/REQ...

Notice that the [client 192.168.1.131] section is now gone. The client source IP address is no longer written to the error log at all.

To Reproduce

Compile ModSecurity v2.9.8 in standalone mode, trigger a rule, and observe that the source IP address of the client is omitted.

Expected behaviour

The client source IP address must always be written to the error log.

Server:

  • ModSecurity v2.9.8, standalone mode
  • WebServer: n/a
  • OS (and distro): Debian

Rule Set (please complete the following information):

  • OWASP CRS v3.3.7
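
A check for the regression described in this issue, as an added example that is not part of the original report or of ModSecurity's code: it flags ModSecurity error-log entries that lack the `[client ...]` field and only accepts the field when it appears before the `ModSecurity:` marker. The names `parse_client` and `audit` are hypothetical, the optional `:port` handling is an assumption, and the last two sample lines are constructed.

```python
import ipaddress
import re

MARKER = "ModSecurity: "
CLIENT_RE = re.compile(r"\[client ([^\]\s]+)\]")

# First two lines are the samples quoted in the issue; the last two are constructed.
SAMPLE = [
    '2025-05-06T17:02:29+00:00 loadbalancer wafservice: [client 192.168.1.131] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec...',
    '2025-05-06T15:46:11+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/waf/3/REQ...',
    '2025-05-06T15:46:12+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "[client 10.0.0.1]" at ARGS:q.',
    '2025-05-06T15:46:13+00:00 loadbalancer wafservice: configuration reloaded',
]

def parse_client(line):
    """Return (is_modsecurity_entry, client_ip_or_None) for one log line."""
    head, sep, _ = line.partition(MARKER)
    if not sep:
        return False, None
    # Search only the prefix before the marker: the message body quotes
    # request data, so a "[client ...]" there is not the logger's field.
    m = CLIENT_RE.search(head)
    if not m:
        return True, None
    token = m.group(1)
    # Assumption: the field may carry an "ip:port" suffix, as Apache 2.4 writes it.
    for candidate in (token, token.rpartition(":")[0]):
        try:
            return True, str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return True, None

def audit(lines):
    """Count ModSecurity entries and how many lack a usable client address."""
    total = missing = 0
    for line in lines:
        is_modsec, ip = parse_client(line)
        if is_modsec:
            total += 1
            missing += ip is None
    return {"modsec": total, "missing_client": missing}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero `missing_client` count after an upgrade means the monitoring and reporting that depend on the source address are running on incomplete data.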


Labels: 2.x (Related to ModSecurity version 2.x)
