mod_ruid2 v0.9.8 ➜ vhost config has RUidGid dantest dantest in this case
mod_mpm_itk v2.4.7.4 ➜ vhost config has AssignUserID dantest dantest in this case
Reproduce:
Under mod_ruid2 or mod_mpm_itk:
Given this modsecurity_rules 'SecAuditLog /etc/apache2/logs/modsec_audit.log':
curl 127.0.0.1/something-that-trips-a-rule ➜ ✅ is in /etc/apache2/logs/modsec_audit.log
curl ip.addr.on.server/something-that-trips-a-rule ➜ ✅ is in /etc/apache2/logs/modsec_audit.log
curl localhost/something-that-trips-a-rule ➜ ✅ is in /etc/apache2/logs/modsec_audit.log
curl domain.on.server.example.com/something-that-trips-a-rule ➜ 🚨 is NOT in /etc/apache2/logs/modsec_audit.log
w/out either mod_ruid2 or mod_mpm_itk that domain based request is logged to /etc/apache2/logs/modsec_audit.log
According to the docs both concurrent (mod_ruid2 and mod_mpm_itk turn that on IIRC) and serial logging (w/out mod_ruid2 or mod_mpm_itk) should result in something being put inSecAuditLog:
This file will be used to store the audit log entries if serial audit logging format is used. If concurrent audit logging format is used this file will be used as an index, and contain a record of all audit log files created.
Versions
RUidGid dantest dantestin this caseAssignUserID dantest dantestin this caseReproduce:
Under mod_ruid2 or mod_mpm_itk:
Given this
modsecurity_rules 'SecAuditLog /etc/apache2/logs/modsec_audit.log':w/out either mod_ruid2 or mod_mpm_itk that domain based request is logged to /etc/apache2/logs/modsec_audit.log
According to the docs both concurrent (mod_ruid2 and mod_mpm_itk turn that on IIRC) and serial logging (w/out mod_ruid2 or mod_mpm_itk) should result in something being put in
SecAuditLog: