[mod-security-users] Source IP not shown in Audit logs.
From: Christian V. <cv...@it...> - 2018-02-28 17:54:16
Hello,

I'm using nginx 1.9.x with the modsecurity refactoring version but am having trouble with the modsecurity audit log: where the origin IP should be, I'm getting my hostname (waf). Does anybody know how to get the source IP for the blocked request?

Audit Log:

[27/Feb/2018:16:26:45 --0300] [waf/sid#7f34b85370a0][rid#7f34b01fb0a0][/botellas.php][1] Access denied with code 403 (phase 2). Pattern match "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)" at ARGS:id. [file "/opt/waf/nginx/etc/modsec_rules/www.vinicas.cl/enabled_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [data "Matched Data: '' found within ARGS:id: ''"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]

Cheers!
--
-- Chris