Log Format adjustment to log X-Forwarded-For (realip) #2678

Closed
Rdago opened this issue Jan 22, 2022 · 5 comments

Comments

Rdago commented Jan 22, 2022

Regarding #2447, one comment suggested adjusting the apache2 error log in order to retrieve the X-Forwarded-For header in ModSecurity logs. This is not possible in the standalone version, as there is no apache2 configuration available.

Is there any way to change the log behaviour of debug.log in ModSecurity standalone, for example by adjusting the modsecurity.conf file?

What I'd like to have is the possibility to log the IP address from the X-Forwarded-For header in debug.log.

Thanks

@martinhsv (Contributor)

Hello @Rdago ,

Just to note first that the value of X-Forwarded-For (like other request headers) is available in the audit log in section B.

If you specifically want that output in the debug log, one way to do it would be to create a rule that triggers that output. Something like:

# Matches any X-Forwarded-For value and takes no action; the rule's evaluation against that header is then recorded in the debug log.
SecRule REQUEST_HEADERS:X-Forwarded-For "@rx .*" "id:1083,phase:1,nolog,pass"

Keep in mind, however, that leaving the debug log turned on in a production environment tends to be very costly in terms of performance, and it can consume your disk space very quickly. The debug log is great for debugging and some experimentation, but it's unlikely to be an advisable solution for any ongoing production reporting.
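As an added example (not code from the ModSecurity project or from anyone in this thread), the following Python reads the header out of the audit log's part B, which is where the reply above notes X-Forwarded-For already lives, and derives the client address from it rather than trusting the raw header. The audit log entries, the boundary string, the unique_id values and the trusted-proxy range are all constructed for illustration.

```python
"""Extract X-Forwarded-For from ModSecurity serial-format audit log entries.
Added example, not code from the ModSecurity project. The log text, the
boundary string, the unique_id values and the proxy range are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Range our own reverse proxies send from (assumption for the example).
TRUSTED_PROXIES = ["10.0.0.0/8"]

# Constructed serial audit log: part A (transaction line), B (request headers),
# Z (end). Entry 1 arrives via a proxy with a client-supplied hop on the left;
# entry 2 comes straight from the internet carrying a spoofed header.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[22/Jan/2022:10:15:32.123456 +0000] YexTFn8AAQEAAAsw8KEAAAAA 10.0.0.5 54321 10.0.0.10 80
--a1b2c3d4-B--
GET /index.html HTTP/1.1
Host: www.example.com
X-Forwarded-For: 198.51.100.23, 203.0.113.7, 10.0.0.4
User-Agent: curl/7.81.0

--a1b2c3d4-Z--

--a1b2c3d4-A--
[22/Jan/2022:10:15:41.000001 +0000] YexTGX8AAQEAAAsw8KMAAAAC 192.0.2.50 40000 10.0.0.10 80
--a1b2c3d4-B--
GET /admin HTTP/1.1
Host: www.example.com
X-Forwarded-For: 203.0.113.1

--a1b2c3d4-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Part A: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A_RE = re.compile(r"^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)")


def split_audit_entries(text: str) -> List[Dict[str, str]]:
    """Split a serial audit log into one {part letter: body} dict per transaction."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    marks = list(BOUNDARY_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        if m.group(2) == "A" or not entries:
            current = {}
            entries.append(current)
        current[m.group(2)] = text[m.end():end].strip("\n")
    return entries


def request_headers(part_b: str) -> Dict[str, str]:
    """Part B is the request line followed by the headers; names are lower-cased."""
    headers: Dict[str, str] = {}
    for line in part_b.splitlines()[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def is_trusted(ip: str, trusted_proxies: List[str]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)


def effective_client_ip(remote_addr: str, xff: Optional[str],
                        trusted_proxies: List[str]) -> str:
    """First hop from the right that is not one of our proxies; the peer if the header is unusable."""
    if not xff or not is_trusted(remote_addr, trusted_proxies):
        return remote_addr  # header absent, or not set by a proxy we control
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed hop: refuse to guess past it
        if not is_trusted(hop, trusted_proxies):
            return hop  # everything left of here is client-supplied text
    return remote_addr  # every hop was one of our own proxies


def xff_report(audit_log: str, trusted_proxies: List[str]) -> List[Dict[str, Optional[str]]]:
    """One row per transaction: unique_id, peer address, raw header, derived client."""
    rows: List[Dict[str, Optional[str]]] = []
    for entry in split_audit_entries(audit_log):
        a = PART_A_RE.match(entry.get("A", ""))
        if not a:
            continue
        xff = request_headers(entry.get("B", "")).get("x-forwarded-for")
        rows.append({"unique_id": a.group(1), "remote_addr": a.group(2), "xff": xff,
                     "client_ip": effective_client_ip(a.group(2), xff, trusted_proxies)})
    return rows
```

The trusted-proxy walk is the part worth keeping if the value is logged for anything beyond debugging: every hop to the left of the last one your own proxies appended is text the client chose, so only the first untrusted hop from the right is worth recording as the client address, and a request that did not arrive through a trusted proxy gets its peer address regardless of what the header says.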

Rdago commented Jan 26, 2022

Hello @martinhsv

thanks for your answer.

I managed to do this another way because my setup is kind of different and more complex than usual. Is there a way I can log the unique ID on every created debug log line? For every rule I'd like to log the unique ID.

Maybe you have a tip for me.

@martinhsv (Contributor)

Assuming you mean the unique_id that ordinarily appears in the audit log's part H as something like:

[unique_id "1643210622"]

That unique id is available as the first field of each relevant line in the debug log. E.g.:

[1643210622] [] [4] Initializing transaction

Rdago commented Jan 26, 2022

Yeah, I'd like to see this in my debug.log like this:

[file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "REDACTED"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "REDACTED"] [uri "REDACTED"] [unique_id "REDACTED"]

but instead I get log messages like this:

[26/Jan/2022:15:42:57.567204 +0000] [8b4b34c207e5/sid#7f511c2809c0][rid#7f511a0608d0][REDACTED][2] Warning. Operator GT matched 1 at TX:executing_anomaly_score. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "77"] [id "980120"] [msg "Inbound Anomaly Score (Total Inbound Score: 0 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 3, 0, 0, 0"] [ver "OWASP_CRS/3.4.0-dev"] [tag "event-correlation"]

martinhsv commented Jan 26, 2022

The debug log is not really intended to duplicate the content of the audit log.

Another way that you can output the unique_id explicitly is with the variable of that name: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#unique_id

You could create a rule simply for the purpose of outputting that value (similar to the X-Forwarded-For rule I provided earlier).

It is possible, though, that whatever is causing the unique id to not appear on the debug log lines might prevent this option from working too. Without knowing the reason it's hard to be sure.

Note that if you aren't seeing the unique_id ever, that may imply that you do not have it loaded. With ModSecurity v2 with Apache, mod_unique_id.so must be loaded for that functionality to work. (Since your '[unique_id "REDACTED"]' citation implies that you are seeing the unique id in the audit log, that may not be the explanation, but it's something that you can check.)

In any case, since we've dealt with the inquiry that began and entitled this issue, I'm going to go ahead and close this item.
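Added example, not the project's code and not from anyone in this thread: a small Python indexer for the two debug-log line shapes quoted above, the "[unique_id] [] [level] message" form in the reply about the unique id and the Apache-style "[time] [host/sid#..][rid#..][unique_id][level] message" form in the output Rdago pasted. It pulls the unique_id off each line, groups lines per transaction, and extracts the [id "..."] and [msg "..."] tokens that rule messages carry, so a debug log can be correlated with the audit log without the debug log having to duplicate it. The log lines below are constructed and the ids in them are made up; the two formats are mixed into one sample only to exercise both parsers.

```python
"""Index ModSecurity debug-log lines by unique_id.
Added example, not code from the ModSecurity project. It recognises the two
line shapes quoted in this thread; the sample lines and ids are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# "[1643210622] [] [4] Initializing transaction"
BRIEF_RE = re.compile(
    r"^\[(?P<uid>[^\]]*)\] \[(?P<client>[^\]]*)\] \[(?P<level>\d)\] (?P<msg>.*)$")
# "[26/Jan/2022:15:42:57.567204 +0000] [host/sid#..][rid#..][unique_id][2] Warning. ..."
APACHE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<sid>[^\]]*)\]\[(?P<rid>[^\]]*)\]"
    r"\[(?P<uid>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$")
# Key/value tokens that rule messages carry, e.g. [id "980120"] [msg "..."]
TOKEN_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed sample. Both formats are mixed here only to exercise both parsers;
# the last Apache-style line has an empty id field and the final line is noise.
SAMPLE_DEBUG_LOG = """\
[1643210622] [] [4] Initializing transaction
[1643210622] [] [4] Starting phase REQUEST_HEADERS. (SecRules 1)
[1643210622] [] [4] Rule returned 1.
[1643210623] [] [4] Initializing transaction
[26/Jan/2022:15:42:57.567204 +0000] [8b4b34c207e5/sid#7f511c2809c0][rid#7f511a0608d0][YexTFn8AAQEAAAsw8KEAAAAA][2] Warning. Operator GT matched 1 at TX:executing_anomaly_score. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "77"] [id "980120"] [msg "Inbound Anomaly Score (Total Inbound Score: 0)"] [tag "event-correlation"]
[26/Jan/2022:15:42:57.567300 +0000] [8b4b34c207e5/sid#7f511c2809c0][rid#7f511a0608d0][YexTFn8AAQEAAAsw8KEAAAAA][4] Rule returned 1.
[26/Jan/2022:15:42:58.000100 +0000] [8b4b34c207e5/sid#7f511c2809c0][rid#7f511a0700e0][][2] Warning. Pattern match "^[0-9]+$" at REQUEST_HEADERS:Host. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"]
not a debug log record at all
"""


def parse_debug_line(line: str) -> Optional[Dict[str, object]]:
    """Return unique_id, level, message and any [id ".."]/[msg ".."] tokens, or None."""
    m = APACHE_RE.match(line) or BRIEF_RE.match(line)
    if not m:
        return None
    tokens = dict(TOKEN_RE.findall(m.group("msg")))
    return {
        "unique_id": m.group("uid"),
        "level": int(m.group("level")),
        "message": m.group("msg"),
        "rule_id": tokens.get("id"),
        "rule_msg": tokens.get("msg"),
    }


def group_by_transaction(lines: Iterable[str]) -> Dict[str, List[Dict[str, object]]]:
    """Bucket parsed lines by unique_id so one request's trace reads end to end.

    Lines with an empty id field land under "" and cannot be tied to an audit
    log entry; a log full of those is the symptom to look for when no id is
    being generated for the transaction.
    """
    groups: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in lines:
        parsed = parse_debug_line(line.rstrip("\n"))
        if parsed is not None:
            groups[str(parsed["unique_id"])].append(parsed)
    return dict(groups)


def rule_hits(groups: Dict[str, List[Dict[str, object]]]) -> Dict[str, List[str]]:
    """unique_id -> rule ids that logged a message, in log order."""
    return {uid: [str(p["rule_id"]) for p in parsed if p["rule_id"]]
            for uid, parsed in groups.items()}
```

With the lines bucketed by unique_id, the id printed in the audit log's part H for a given event is enough to pull that one transaction's full debug trace out of an otherwise very large file, which is usually what the per-rule unique_id is wanted for.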
