Description
Describe the bug
The 2.9.8 release introduced a bug for the "standalone module" version of ModSecurity v2 whereby the client source IP address is no longer written to the error log.
This is a very big problem as it is common to rely on the error log output for the purposes of monitoring, resolving false positives, identifying attacks, producing statistics / reports / dashboards, and more. Without the client's IP address in the error logs these tasks become impossible.
This bug was introduced in PR #3192 during an effort to tidy error logging in v2 for Apache. The format strings that control error logging were altered to remove the explicit [client %s] output at the start of the log line. It seems that Apache will implicitly write this source IP information, making it redundant for ModSecurity to add. A standalone (Apache-less) compilation of ModSecurity requires the [client %s] information to be explicitly written to the error log as Apache is not present to implicitly write it.
Logs and dumps
Error log examples:
Before updating to ModSecurity 2.9.8:
2025-05-06T17:02:29+00:00 loadbalancer wafservice: [client 192.168.1.131] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec...
After updating to ModSecurity 2.9.8:
2025-05-06T15:46:11+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/waf/3/REQ...
Notice that the [client 192.168.1.131] section is now gone. The client source IP address is no longer written to the error log at all.
To Reproduce
Compile ModSecurity v2.9.8 in standalone mode, trigger a rule, and observe that the source IP address of the client is omitted.
Expected behaviour
The client source IP address must always be written to the error log.
Server:
- ModSecurity v2.9.8, standalone mode
- WebServer: n/a
- OS (and distro): Debian
Rule Set (please complete the following information):
- OWASP CRS v3.3.7
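
A log-side check for the regression described above, as an added example that is not part of the original report or of ModSecurity's own code. It parses error-log lines in the syslog-style layout shown in the two samples, treats the [client ...] field as optional, and reports which ModSecurity lines lack it. The function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the samples in the report:
#   <timestamp> <host> <service>: [client <ip>] ModSecurity: <message>
# The [client ...] group is optional so lines from an affected build still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<service>[^:\s]+):\s+"
    r"(?:\[client (?P<client>[^\]]+)\]\s+)?"
    r"ModSecurity:\s+(?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of a ModSecurity error-log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_client_field(lines):
    """Count ModSecurity lines with and without a client address.

    Returns (counts, timestamps of the lines that lack the client field).
    """
    counts = Counter()
    missing = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["not_modsecurity"] += 1
        elif rec["client"] is None:
            counts["missing_client"] += 1
            missing.append(rec["ts"])
        else:
            counts["with_client"] += 1
    return counts, missing

# First two lines are the samples quoted in the report (truncated there);
# the third is a constructed non-ModSecurity line.
SAMPLE = [
    '2025-05-06T17:02:29+00:00 loadbalancer wafservice: [client 192.168.1.131] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec...',
    '2025-05-06T15:46:11+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/waf/3/REQ...',
    '2025-05-06T15:46:12+00:00 loadbalancer sshd: session opened (constructed)',
]

if __name__ == "__main__":
    counts, missing = audit_client_field(SAMPLE)
    print(dict(counts))
    for ts in missing:
        print("ModSecurity line without client address:", ts)
```

A non-zero missing_client count after an upgrade indicates that the error log no longer carries the client address and that any monitoring or reporting keyed on it needs attention.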