owasp-modsecurity · marcstern · Apr 27, 2017 · May 3, 2017 · May 5, 2017 · May 5, 2017
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,9 @@
 DD MMM YYYY - 2.9.2 - To be released
 ------------------------------------
 
+ * {dis|en}able-server-context-logging: Option to disable logging of
+   server info (log producer, sanitized objects, ...) in audit log.
+   [Issue #1069 - Marc Stern]
  * Allow drop to work with mod_http2
    [Issue #1308, #992 - @bazzadp]
  * Fix SecConn(Read|Write)StateLimit on Apache 2.4

diff --git a/apache2/msc_logging.c b/apache2/msc_logging.c
@@ -1180,6 +1180,9 @@ void sec_audit_logger_json(modsec_rec *msr) {
             yajl_kv_bool(g, "response_body_dechunked", 1);
         }
 
+#ifdef LOG_NO_SERVER_CONTEXT
+        if (msr->txcfg->debuglog_level >= 9) {
+#endif
         sec_auditlog_write_producer_header_json(msr, g);
 
         /* Server */
@@ -1274,6 +1277,9 @@ void sec_audit_logger_json(modsec_rec *msr) {
         if (been_opened == 1) {
             yajl_gen_map_close(g); // sanitized args map is finished
         }
+#ifdef LOG_NO_SERVER_CONTEXT
+		}
+#endif
 
         /* Web application info. */
         if ( ((msr->txcfg->webappid != NULL)&&(strcmp(msr->txcfg->webappid, "default") != 0))
@@ -2022,6 +2028,9 @@ void sec_audit_logger_native(modsec_rec *msr) {
             sec_auditlog_write(msr, text, strlen(text));
         }
 
+#ifdef LOG_NO_SERVER_CONTEXT
+        if (msr->txcfg->debuglog_level >= 9) {
+#endif
         sec_auditlog_write_producer_header(msr);
 
         /* Server */
@@ -2090,8 +2099,11 @@ void sec_audit_logger_native(modsec_rec *msr) {
                 sec_auditlog_write(msr, text, strlen(text));
             }
         }
+#ifdef LOG_NO_SERVER_CONTEXT
+		}
+#endif
 
-        /* Web application info. */
+		/* Web application info. */
         if ( ((msr->txcfg->webappid != NULL)&&(strcmp(msr->txcfg->webappid, "default") != 0))
             || (msr->sessionid != NULL) || (msr->userid != NULL))
         {

diff --git a/configure.ac b/configure.ac
@@ -487,6 +487,19 @@ AC_ARG_ENABLE(handler-logging,
   log_handler=''
 ])
 
+# Disable logging of server context
+AC_ARG_ENABLE(server-context-logging,
+              AS_HELP_STRING([--enable-server-context-logging],
+                             [Enable logging of server info (log producer, sanitized objects, ...) in audit log when log level < 9. This is the default]),
+[
+  if test "$enableval" != "no"; then
+    log_server_context=
+  else
+    log_server_context="-DLOG_NO_SERVER_CONTEXT"
+  fi
+],
+[
+  log_server_context=''
 # Disable logging of dechunking
 AC_ARG_ENABLE(dechunk-logging,
               AS_HELP_STRING([--enable-dechunk-logging],
@@ -767,7 +780,7 @@ else
   fi
 fi
 
-MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler"
+MODSEC_EXTRA_CFLAGS="$pcre_study $pcre_match_limit $pcre_match_limit_recursion $pcre_jit $request_early $htaccess_config $lua_cache $debug_conf $debug_cache $debug_acmp $debug_mem $perf_meas $modsec_api $cpu_type $unique_id $log_filename $log_server $log_collection_delete_problem $log_dechunk $log_stopwatch $log_handler $log_server_context"
 
 APXS_WRAPPER=build/apxs-wrapper
 APXS_EXTRA_CFLAGS=""