Skip to content

Use standard httpd logging format in error log#3192

Merged
airween merged 5 commits intoowasp-modsecurity:v2/masterfrom
marcstern:v2/pr/errorlog
Aug 12, 2024
Merged

Use standard httpd logging format in error log#3192
airween merged 5 commits intoowasp-modsecurity:v2/masterfrom
marcstern:v2/pr/errorlog

Conversation

@marcstern
Copy link

@marcstern marcstern commented Jul 22, 2024
edited
Loading

All credits to @arminabf - see #1997

Use the server context, like in all other places to use standard httpd format.

Remark: We previously had a mix; some entries were using the standard httpd format, some not.
Entries using the standard httpd format had the [client] field duplicated.
In this PR, we use standard logging for all lines and remove the duplicated field.
Actual changes:

  • entries that were not using the standard format will use it
  • entries that were using the standard format won't have the [client] field duplicated anymore

Remove redundant entry
0be1f15 
[client %s] is added by the standard httpd log function => remove it
@fzipi
Copy link
Collaborator

fzipi commented Jul 31, 2024

Is there a way to actually test this change?

@theseion
Copy link
Collaborator

theseion commented Aug 1, 2024

Sounds good, but I'm with @fzipi. From the code it's not clear what the output will be. Does the [client] field still contain the same IP address that ModSecurity would have injected in every case?

@marcstern
Copy link
Author

marcstern commented Aug 1, 2024

Sounds good, but I'm with @fzipi. From the code it's not clear what the output will be. Does the [client] field still contain the same IP address that ModSecurity would have injected in every case?

Yes, same logic: useragent_ip if present, client_ip otherwise

@marcstern
Copy link
Author

marcstern commented Aug 1, 2024

Code from httpd log.c

if (info->r) {
    len += apr_snprintf(buf + len, buflen - len,
                        info->r->connection->sbh ? "[client %s:%d] " : "[remote %s:%d] ",
                        info->r->useragent_ip,
                        info->r->useragent_addr ? info->r->useragent_addr->port : 0);
}
else if (info->c) {
    len += apr_snprintf(buf + len, buflen - len,
                        info->c->sbh ? "[client %s:%d] " : "[remote %s:%d] ",
                        info->c->client_ip,
                        info->c->client_addr ? info->c->client_addr->port : 0);
}

@theseion
Copy link
Collaborator

theseion commented Aug 2, 2024

That's good. But a test that asserts the log format would be even better.

@marcstern marcstern added the 2.x Related to ModSecurity version 2.x label Aug 7, 2024
@marcstern
Copy link
Author

marcstern commented Aug 7, 2024

I added some tests

@theseion
Copy link
Collaborator

theseion commented Aug 7, 2024

Thanks, that's great. @airween, isn't there a test suite for ModSecurity where the test could be added?

airween
airween requested changes Aug 7, 2024
View reviewed changes
@airween
Copy link
Member

airween commented Aug 7, 2024

Thanks, that's great. @airween, isn't there a test suite for ModSecurity where the test could be added?

Unfortunately no, there isn't.

We have only this CI:

And as @marcstern wrote, he added a test (but I'm not sure that's what we expect - I'm waiting for Marc's answer).

But as I introduced few weeks ago, there is MRTS, where the aim is to create a full covered test suite. Feel free to review and contribute! 😄

Define _FORTIFY_SOURCE=3 & _GLIBCXX_ASSERTIONS that add glibc/libstdc…
d704af6 
…++ assertions.

See https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html & https://gcc.gnu.org/wiki/LibstdcxxDebugMode

_GLIBCXX_ASSERTIONS is probably useless as we have pure C here, but let's define it in case some checks are included (or will be in a future version).
As we handle some requests here, that may help to trap a problem.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Aug 8, 2024

Quality Gate Passed Quality Gate passed

Issues
Image 0 New issues
Image 0 Accepted issues

Measures
Image 0 Security Hotspots
Image 0.0% Coverage on New Code
Image 0.0% Duplication on New Code

See analysis details on SonarCloud

@airween airween merged commit 935e68c into owasp-modsecurity:v2/master Aug 12, 2024
This was referenced May 9, 2025
Closed
Merged
@airween airween mentioned this pull request Jun 23, 2025
Open
@dune73 dune73 mentioned this pull request Dec 2, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@airween airween airween approved these changes

Assignees

@airween airween

Labels

2.x Related to ModSecurity version 2.x

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@marcstern @fzipi @theseion @airween