
Under mod_ruid2 or mod_mpm_itk SecAuditLog is only being logged to when request is to an IP (or localhost) #79

Open
drmuey opened this issue Mar 16, 2021 · 0 comments

Comments


drmuey commented Mar 16, 2021

Versions

  • Apache v2.4.46
  • mod sec v3.0.4
  • Apache connector v0.0.9beta1
  • either
    • mod_ruid2 v0.9.8 ➜ vhost config has RUidGid dantest dantest in this case
    • mod_mpm_itk v2.4.7.4 ➜ vhost config has AssignUserID dantest dantest in this case

Reproduce:

Under mod_ruid2 or mod_mpm_itk:

Given this modsecurity_rules entry: 'SecAuditLog /etc/apache2/logs/modsec_audit.log':

  • curl 127.0.0.1/something-that-trips-a-rule ➜ ✅ is in /etc/apache2/logs/modsec_audit.log
  • curl ip.addr.on.server/something-that-trips-a-rule ➜ ✅ is in /etc/apache2/logs/modsec_audit.log
  • curl localhost/something-that-trips-a-rule ➜ ✅ is in /etc/apache2/logs/modsec_audit.log
  • curl domain.on.server.example.com/something-that-trips-a-rule ➜ 🚨 is NOT in /etc/apache2/logs/modsec_audit.log

Without either mod_ruid2 or mod_mpm_itk that domain-based request is logged to /etc/apache2/logs/modsec_audit.log

According to the docs both concurrent (mod_ruid2 and mod_mpm_itk turn that on IIRC) and serial logging (without mod_ruid2 or mod_mpm_itk) should result in something being put in SecAuditLog:

This file will be used to store the audit log entries if serial audit logging format is used. If concurrent audit logging format is used this file will be used as an index, and contain a record of all audit log files created.
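The failure mode in this report is silent: requests to the name-based vhost trip a rule, yet nothing reaches the audit log, so a monitor that only checks "is the file growing" would not notice. The script below is an added example (it is not part of this issue, the ModSecurity project, or the Apache connector) that parses a serial-format audit log and reports which expected vhosts have no transactions in it. It assumes the serial layout in which each transaction is a run of parts delimited by lines of the form `--<boundary>-<letter>--`, with part B carrying the request line and headers (including `Host:`); the sample log, boundary ids and host names embedded below are constructed for the example.

```python
"""Audit-log coverage check: which expected vhosts never appear in SecAuditLog?

Assumptions (not stated in the issue): the log is in ModSecurity's serial
format, i.e. parts delimited by "--<boundary>-<letter>--" lines, and the
Host header lives in part B. SAMPLE_LOG below is constructed sample data.
"""
import re
from collections import defaultdict

PART_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-KZ])--$")

# Constructed sample: two transactions (127.0.0.1 and localhost) and none for
# the name-based vhost, mirroring the symptom described in the issue.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[16/Mar/2021:10:00:00 +0000] a1b2c3d4 127.0.0.1 51000 127.0.0.1 80
--a1b2c3d4-B--
GET /something-that-trips-a-rule HTTP/1.1
Host: 127.0.0.1
User-Agent: curl/7.74.0
Accept: */*

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
Content-Length: 199

--a1b2c3d4-H--
ModSecurity: Access denied with code 403 (phase 2).
--a1b2c3d4-Z--

--e5f6a7b8-A--
[16/Mar/2021:10:00:05 +0000] e5f6a7b8 127.0.0.1 51002 127.0.0.1 80
--e5f6a7b8-B--
GET /something-that-trips-a-rule HTTP/1.1
Host: localhost
User-Agent: curl/7.74.0

--e5f6a7b8-Z--
"""


def parse_audit_log(text):
    """Return one dict per transaction: {"id", "host", "request"}.

    Only part B is inspected. The first non-blank line of part B is the
    request line; the Host header is matched case-insensitively, lower-cased
    and stripped of any :port suffix so vhost names compare consistently.
    """
    transactions = []
    current = None
    part = None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            tid, part = m.groups()
            if part == "A":  # part A opens a new transaction
                current = {"id": tid, "host": None, "request": None}
                transactions.append(current)
            continue
        if current is None or part != "B":
            continue
        if current["request"] is None and line.strip():
            current["request"] = line.strip()
            continue
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip().lower()
            current["host"] = host.split(":")[0]
    return transactions


def hosts_seen(text):
    """Count audit-log transactions per Host header value."""
    counts = defaultdict(int)
    for t in parse_audit_log(text):
        counts[t["host"] or "<no host header>"] += 1
    return dict(counts)


def missing_hosts(text, expected):
    """Expected vhosts (case-insensitive) with zero transactions in the log."""
    seen = hosts_seen(text)
    return sorted(h.lower() for h in expected if h.lower() not in seen)


if __name__ == "__main__":
    expected = ["127.0.0.1", "localhost", "domain.on.server.example.com"]
    print("transactions per host:", hosts_seen(SAMPLE_LOG))
    print("expected hosts with no audit entries:",
          missing_hosts(SAMPLE_LOG, expected))
```

In practice you would feed `missing_hosts` the real `/etc/apache2/logs/modsec_audit.log` contents and the list of vhosts you have just sent a known rule-tripping request to; any host that comes back in the result is one whose blocked traffic is not being recorded, which is exactly the gap this issue describes.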
