Always log the message in the auditlog if "auditlog" is used (MODSEC-78).

CHANGES

@@ -1,6 +1,10 @@
-22 July 2009 - 2.5.10-dev1
+23 July 2009 - 2.5.10-dev1
 --------------------------
 
+ * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
+   nothing to the error log.  Prior versions dropped the "Message:" line from
+   both logs.  To do this now, just use "nolog" or "nolog,noauditlog".
+
  * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
    issues with some libcurl versions.
 

apache2/modsecurity.c

@@ -26,17 +26,34 @@
 #include "msc_xml.h"
 
 /**
- * Log an alert message to the log, adding the rule metadata at the end.
+ * Format an alert message.
  */
-void msc_alert(modsec_rec *msr, int level, msre_actionset *actionset, const char *action_message,
+const char * msc_alert_message(modsec_rec *msr, msre_actionset *actionset, const char *action_message,
     const char *rule_message)
 {
     const char *message = NULL;
 
     if (rule_message == NULL) rule_message = "Unknown error.";
 
-    message = apr_psprintf(msr->mp, "%s %s%s", action_message,
+    if (action_message == NULL) {
-        rule_message, msre_format_metadata(msr, actionset));
+        message = apr_psprintf(msr->mp, "%s%s",
+            rule_message, msre_format_metadata(msr, actionset));
+    }
+    else {
+        message = apr_psprintf(msr->mp, "%s %s%s", action_message,
+            rule_message, msre_format_metadata(msr, actionset));
+    }
+
+    return message;
+}
+
+/**
+ * Log an alert message to the log, adding the rule metadata at the end.
+ */
+void msc_alert(modsec_rec *msr, int level, msre_actionset *actionset, const char *action_message,
+    const char *rule_message)
+{
+    const char *message = msc_alert_message(msr, actionset, action_message, rule_message);
 
     msr_log(msr, level, "%s", message);
 }

apache2/modsecurity.h

@@ -545,6 +545,9 @@ apr_status_t DSOLOCAL modsecurity_request_body_retrieve(modsec_rec *msr, msc_dat
 void DSOLOCAL msc_add(modsec_rec *msr, int level, msre_actionset *actionset,
     const char *action_message, const char *rule_message);
 
+const char DSOLOCAL *msc_alert_message(modsec_rec *msr, msre_actionset *actionset, const char *action_message,
+    const char *rule_message);
+
 void DSOLOCAL msc_alert(modsec_rec *msr, int level, msre_actionset *actionset, const char *action_message,
     const char *rule_message);
 

apache2/re.c

@@ -1660,8 +1660,22 @@ static void msre_perform_disruptive_actions(modsec_rec *msr, msre_rule *rule,
         || (msr->modsecurity->processing_mode == MODSEC_OFFLINE)
         || (actionset->intercept_action == ACTION_NONE))
     {
+        int log_level;
+
         /* If "nolog" was used log at a higher level to prevent an "alert". */
-        int log_level = (actionset->log == 0 ? 4 : 2);
+        if (actionset->log == 0) {
+            log_level = 4;
+
+            /* But, if "auditlog" is enabled, then still add the message. */
+            if (actionset->auditlog != 0) {
+                *(const char **)apr_array_push(msr->alerts) = msc_alert_message(msr, actionset, NULL, message);
+            }
+
+        }
+        else {
+            log_level = 2;
+        }
+
         msc_alert(msr, log_level, actionset, "Warning.", message);
 
         /* However, this will mark the txn relevant again if it is <= 3,