
I want to print the mod_security anomaly score to the Apache error log. I use `setenv` to set an environment variable, and the `%{name}e` syntax to print it in the log.

ModSecurity config:

```
SecAction "id:90100,phase:5,pass, nolog, setenv:ModSecAnomalyScoreIn=%{tx.anomaly_score}, setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
```

Apache config:

```
ErrorLogFormat "[...] [anomaly_score_in: %-{ModSecAnomalyScoreIn}e, anomaly_score_out: %-{ModSecAnomalyScoreOut}e ]"
```

But the output is empty: `[...] [anomaly_score_in: -, anomaly_score_out: - ]`

If I add `SecAction "id:9990101,phase:5,pass, log, msg:'in: %{env.anomaly_score}, out: %{env.ModSecAnomalyScoreOut}'"`, the scores are printed, but on a new log line.

Where did I go wrong?

Is the `%{name}e` in `ErrorLogFormat` equal to `%{VARNAME}e` in mod_log_config?

Vladimir
  • Read http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#customlog and http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats, and perhaps some more of the `mod_log_config` documentation – Colt Aug 16 '17 at 12:46

1 Answer


Why do you have a dash between the % and the { in the first non-working example?

Also, the ModSecurity reference manual says you should use `%{modsecurity_variable_name}M` instead of `%{modsecurity_variable_name}e`.

So I believe your final config should be:

```
ErrorLogFormat "[...] [anomaly_score_in: %{ModSecAnomalyScoreIn}M, anomaly_score_out: %{ModSecAnomalyScoreOut}M ]"
```

Note also that custom ErrorLogFormats only work with ModSecurity 2.9.1 or above: https://github.com/SpiderLabs/ModSecurity/pull/840

Barry Pollard
  • Hi! Output: `[anomaly_score_in: [client ...] ModSecurity: Warning. detected SQLi using libinjection with fingerprint...` . It seems that `%{something}M` works only in `LogFormat`, not in `ErrorLogFormat`. – Vladimir Aug 22 '17 at 02:25
  • Probably, Apache handles this - `ErrorLogFormat "[...] [anomaly_score_in: %{ModSecAnomalyScoreIn}M` like this `ErrorLogFormat "[...] [anomaly_score_in: %M`, and prints "actual log message". – Vladimir Aug 22 '17 at 07:16
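
The comments above point to `LogFormat`/`CustomLog` in mod_log_config as the place where these variables can be printed. The following is an added example of that access-log route, not configuration posted by anyone on this page; the format nickname `modsec_scores` and the log path are assumptions.

```apache
# Added example. The nickname "modsec_scores" and the log file path
# are assumptions; adjust them to the local layout.

# ModSecurity: copy both anomaly scores into Apache environment
# variables. This is the rule from the question. It runs in phase 5
# (logging), so the variables are set by the time the access log
# line for the request is written.
SecAction "id:90100,phase:5,pass,nolog,setenv:ModSecAnomalyScoreIn=%{tx.anomaly_score},setenv:ModSecAnomalyScoreOut=%{tx.outbound_anomaly_score}"

# mod_log_config: %{VARNAME}e prints the named environment variable,
# and prints "-" when the variable is not set for that request.
LogFormat "%h %l %u %t \"%r\" %>s %b score_in=%{ModSecAnomalyScoreIn}e score_out=%{ModSecAnomalyScoreOut}e" modsec_scores

# One line per request, with both scores appended.
CustomLog "logs/access_scores.log" modsec_scores
```

A request that reaches phase 5 with no score set logs `score_in=- score_out=-`, which separates "no score recorded" from a numeric score of 0.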