Audit log match does not represent chained rules #3569

@meirdev

Hi,

When using chained rules, the match field only contains details about the last rule in the chain:

SecRule REQUEST_HEADERS:User-Agent "@contains curl" "id:1000,msg:'POST with cURL',auditlog,phase:1,deny,t:none,chain"
    SecRule REQUEST_METHOD "@rx POST" "t:none"

Trigger the rule:

curl -X POST http://localhost:8080/hello

Current log message:

Matched "Operator `Rx' with parameter `POST' against variable `REQUEST_METHOD' (Value: `POST' )

Expected log message:

Matched: "Operator `Contains' with parameter `curl' against variable `REQUEST_HEADERS:User-Agent' (Value: `curl/8.5.0' ), "Operator `Rx' with parameter `POST' against variable `REQUEST_METHOD' (Value: `POST' )

Currently, the audit log does not fully represent which conditions caused the chained rule to match.
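
Every link of a chain has to match before the rule fires, so the conditions missing from the log line can be recovered from the rule file, although the values they matched cannot. The sketch below is an added example, not part of the original issue or of ModSecurity's code; it assumes one `SecRule` per line and that the caller supplies the rule id from the audit entry, and rule 1001 is a constructed sample.

```python
import re
import shlex

# Constructed input: the chained rule from the issue plus a hypothetical unchained rule 1001.
RULES = r'''
SecRule REQUEST_HEADERS:User-Agent "@contains curl" "id:1000,msg:'POST with cURL',auditlog,phase:1,deny,t:none,chain"
    SecRule REQUEST_METHOD "@rx POST" "t:none"
SecRule REQUEST_URI "@beginsWith /admin" "id:1001,phase:1,deny"
'''

# The "Current log message" quoted in the issue.
LOGGED = "Matched \"Operator `Rx' with parameter `POST' against variable `REQUEST_METHOD' (Value: `POST' )"

MATCH_RE = re.compile(r"Operator `(\w+)' with parameter `(.*?)' against variable `(.*?)'")


def parse_chains(text):
    """Map each starter rule id to the ordered (variable, operator, parameter) links of its chain."""
    chains, current, in_chain = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("SecRule "):
            continue
        _, variable, op, actions = shlex.split(line)
        # An operator string without a leading "@" is an implicit @rx pattern.
        name, _, param = op[1:].partition(" ") if op.startswith("@") else ("rx", "", op)
        if not in_chain:  # starter rule: it carries the id for the whole chain
            current = re.search(r"(?:^|,)\s*id:'?(\d+)", actions).group(1)
            chains[current] = []
        chains[current].append((variable, name.lower(), param))
        in_chain = re.search(r"(?:^|,)\s*chain\s*(?:,|$)", actions) is not None
    return chains


def unlogged_links(chains, rule_id, log_line):
    """Return the chain links that also had to match but are absent from the log line."""
    logged = {(var, op.lower(), param) for op, param, var in MATCH_RE.findall(log_line)}
    return [link for link in chains[rule_id] if link not in logged]


if __name__ == "__main__":
    for variable, op, param in unlogged_links(parse_chains(RULES), "1000", LOGGED):
        print(f"not in log: {variable} @{op} {param}")
```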

Labels: 3.x (Related to ModSecurity version 3.x), duplicate (Ops. Somebody else already hit that bump)