Skip to content

Standalone module no longer logs client IP to error log #3373

Description

@RedXanadu

Describe the bug

The 2.9.8 release introduced a bug for the "standalone module" version of ModSecurity v2 whereby the client source IP address is no longer written to the error log.

This is a very big problem as it is common to rely on the error log output for the purposes of monitoring, resolving false positives, identifying attacks, producing statistics / reports / dashboards, and more. Without the client's IP address in the error logs these tasks become impossible.

This bug was introduced in PR #3192 during an effort to tidy error logging in v2 for Apache. The format strings that control error logging were altered to remove the explicit [client %s] output at the start of the log line. It seems that Apache will implicitly write this source IP information, making it redundant for ModSecurity to add. A standalone (Apache-less) compilation of ModSecurity requires the [client %s] information to be explicitly written to the error log as Apache is not present to implicitly write it.

Logs and dumps

Error log examples:

Before updating to ModSecurity 2.9.8:

2025-05-06T17:02:29+00:00 loadbalancer wafservice: [client 192.168.1.131] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec...

After updating to ModSecurity 2.9.8:

2025-05-06T15:46:11+00:00 loadbalancer wafservice: ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/waf/3/REQ...

Notice that the [client 192.168.1.131] section is now gone. The client source IP address is no longer written to the error log at all.

To Reproduce

Compile ModSecurity v2.9.8 in standalone mode, trigger a rule, and observe that the source IP address of the client is omitted.

Expected behaviour

The client source IP address must always be written to the error log.

Server:

  • ModSecurity v2.9.8, standalone mode
  • WebServer: n/a
  • OS (and distro): Debian

Rule Set (please complete the following information):

  • OWASP CRS v3.3.7

Metadata

Metadata

Assignees

No one assigned

    Labels

    2.xRelated to ModSecurity version 2.x

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions