module name not recorded in apache error.log

[benkr94]

Here is a sample entry from error.log written by this module:

[Tue May 03 13:27:18.000422 2016] [:notice] [pid 14:tid 139983030101888] ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured.

I am using the default apache2 ErrorLogFormat. In lines written by other modules, the module name appears in the second set of brackets before the log level (eg, [pagespeed:warn] or [core:error]). Why does security2 appear to give an empty string here? This occurs for all error log lines for this module.

[csanders-git]

Actually looking at the code i'm not quite sure as to why this is. I'm rather unsure of where Apache gleans this information from.
The code itself is rather straight forward: https://github.com/SpiderLabs/ModSecurity/blob/808ea48263f2123ea7b8d56678b16ea42855cfb3/apache2/mod_security2.c#L743-L744
Both apache documentation and module development docs don't seem to help much (http://docstore.mik.ua/orelly/apache_mod/143.htm)

[zimmerle]

The lines that you used as example, is part of the "startup banner" of ModSecurity. During the execution you still get the same behavior? Can you paste an example?

[benkr94]

Yes, during execution I get the same behavior. Here's an example:

[Mon Jul 11 14:50:28.988861 2016] [:error] [pid 3771:tid 139947475703552] [client 5.9.130.135] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)" at ARGS_NAMES:;--. [file "/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: ;-- found within ARGS_NAMES:;--: ;--"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "omitted"] [uri "/"] [unique_id "V4OyNKwRAAIAAA67KCwAAABF"]

[zimmerle]

@dune73 Do you think that it is somehow related to #840 ?

[dune73]

It's a shortcoming of ModSec with Apache 2.4 I am aware of but did not fix in #840. See initial before/after in #840. It's just that my Apache writes - instead of empty string like @benkr94's Apache. Probably a version thing. Would be nice to see this fixed.

For what is worth, you can always filter for ModSecurity so it is not a killer bug.

[diablodale]

repros on:
Ubuntu Server 16.04.2 LTS amd64
Apache 2.4.18
mod_security 2.9.0

[Wed Mar 15 07:19:15.305681 2017] [:error] [pid 12409] [client x.x.x.x] ModSecurity: ...

[dune73]

Yep. Exactly.

[tomsommer]

Any ETA on a fix? Would be really helpful for logging, if this worked.

[zimmerle]

@tomsommer There is no ETA to have it fixed, in the meanwhile I think it is safe to consider the "ModSecurity:" as suggested by @dune73

[tomsommer]

Right, it would just be nice with unified loglines, "client ip" is also duplicated, as described in #840 (comment)

[joppino]

It depends on how you declare the module: use
AP_DECLARE_MODULE(use_your_module_name_here) = {
STANDARD20_MODULE_STUFF,
NULL, /* Per-directory configuration handler */
NULL, /* Merge handler for per-directory configurations */
xxxxxx, /* Per-server configuration handler */
NULL, /* Merge handler for per-server configurations */
yyyyyy, /* Configure parameter */
zzzzzz, /* Our hook registering function */
#if defined(AP_MODULE_FLAG_NONE)
AP_MODULE_FLAG_ALWAYS_MERGE
#endif

};

[azurit]

+1 for fixing this

[martinhsv]

The PR #2781 appears to have successfully resolved this issue.