feat: add USE_EXTENDED_LOGFORMAT support for Apache variants #410

Draft
Copilot wants to merge 2 commits into main from copilot/use-extended-log-format

Contributor

Copilot AI commented Mar 1, 2026

Adds opt-in support for the extended Apache log format — which surfaces ModSecurity anomaly scores, timing breakdowns, SSL details, and more — via a new USE_EXTENDED_LOGFORMAT variable. Only applies to apache and apache-alpine; nginx does not support the required env variable expansions.

Changes

  • apache/Dockerfile / apache/Dockerfile-alpine: Add USE_EXTENDED_LOGFORMAT=false ENV default
  • apache/docker-entrypoint.sh: When USE_EXTENDED_LOGFORMAT=true, override APACHE_LOGFORMAT before Apache starts so httpd-modsecurity.conf's LogFormat ${APACHE_LOGFORMAT} modsec picks up the extended format
  • README.md: Document new variable under Apache ENV Variables

Usage

docker run -e USE_EXTENDED_LOGFORMAT=true owasp/modsecurity-crs:apache

Resulting log format:

%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] "%r" %>s %b
"%{Referer}i" "%{User-Agent}i" "%{Content-Type}i" %{remote}p %v %A %p %R
%{BALANCER_WORKER_ROUTE}e %X "%{cookie}n" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x
%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e
%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e
%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e

Setting USE_EXTENDED_LOGFORMAT=true takes precedence over any custom APACHE_LOGFORMAT value.

Original prompt

This section details the original issue you should resolve

<issue_title>Consider using extended format for logging</issue_title>
<issue_description>@dune73 suggested to use the extended log format as described here: https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/#step_4_configuring_the_new,_extended_log_format.
Variables are described here: https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/#step_5_creating_the_base_configuration.

LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
%{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended

If we do this, I suggest also updating the nginx log format to match this.</issue_description>

<agent_instructions>Add the new LogFormat as suggested by theseion, but only for apache and apache-alpine. Pass a variable like USE_EXTENDED_LOGFORMAT set to false initially so that users can select the new format. Update the README with the new variable.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@dune73 Nginx does not allow you to display arbitrary env variables in the logfile. About half of the useful information above can not be displayed via nginx. A workaround is to display the info via ModSec alert messages. The reporting level introduced in CRS v4 allows that to a certain extent, but does not come close to the logfile above.

Example production log with the format above:

https://www.netnea.com/files/tutorial-5-example-access.log

Please notice that the %{ApplicationTime}e is empty in the example.

Aliases supporting extraction of arbitrary columns: https://raw.githubusercontent.com/Apache-Labor/labor/master/bin/.apache-modsec.alias



Co-authored-by: fzipi <3012076+fzipi@users.noreply.github.com>
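
Added example, not part of the pull request or the project's code: a Python parser for the extended format listed in the description above. It flags requests whose ModSecurity anomaly scores reach the CRS default thresholds (5 inbound, 4 outbound) and returns lines that do not match the format instead of dropping them. The field names and the sample log lines are constructed for this example.

```python
import re

Q = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache logs an embedded quote as \"
T = r'(\S*)'                # bare token; unset env vars appear as "-" (or empty)
# Field order follows the extended LogFormat above; the names are this example's own.
FIELDS = [
    ("remote_host", T), ("country", T), ("user", T), ("time", r'\[([^\]]*)\]'),
    ("request", Q), ("status", T), ("resp_bytes", T), ("referer", Q),
    ("user_agent", Q), ("content_type", Q), ("remote_port", T), ("vhost", T),
    ("local_ip", T), ("port", T), ("handler", T), ("balancer_route", T),
    ("conn_status", T), ("cookie", Q), ("unique_id", T), ("ssl_protocol", T),
    ("ssl_cipher", T), ("bytes_in", T), ("bytes_out", T), ("ratio", r'(\S*)%'),
    ("duration_us", T), ("modsec_time_in", T), ("app_time", T),
    ("modsec_time_out", T), ("score_in_pls", T), ("score_out_pls", T),
    ("score_in", T), ("score_out", T),
]
LINE_RE = re.compile(" ".join(pattern for _, pattern in FIELDS))

def parse(line):
    """Return a dict of the 32 fields, or None if the line is not in this format."""
    m = LINE_RE.fullmatch(line.rstrip("\r\n"))
    return dict(zip((name for name, _ in FIELDS), m.groups())) if m else None

def triage(lines, inbound=5, outbound=4):
    """Split lines into (hits, unparsed); defaults are the CRS default thresholds."""
    hits, unparsed = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)  # report these: a silently skipped line hides traffic
            continue
        s_in = int(rec["score_in"]) if rec["score_in"].isdigit() else 0
        s_out = int(rec["score_out"]) if rec["score_out"].isdigit() else 0
        if s_in >= inbound or s_out >= outbound:
            hits.append((rec["unique_id"], rec["status"], rec["request"], s_in, s_out))
    return hits, unparsed

# Constructed sample lines (not from the page or a real server). The third one
# is in a shorter format, as written by a container without the extended format.
SAMPLE = [
    r'192.0.2.10 - - [2026-03-01 16:55:01.123456] "GET /index.html HTTP/1.1" 200 45 "-" "curl/8.5.0" "-" 51234 localhost 172.17.0.2 8080 - - + "-" aaaaBBBBccccDDDDeeee0001 - - 80 300 -% 950 210 - 35 0-0-0-0 0-0-0-0 0 0',
    r'198.51.100.7 - - [2026-03-01 16:55:02.000321] "GET /search?q=\"quoted\" HTTP/1.1" 403 199 "-" "Mozilla/5.0" "-" 40022 localhost 172.17.0.2 8080 - - + "-" aaaaBBBBccccDDDDeeee0002 - - 120 420 -% 1800 1500 - 0 15-0-0-0 0-0-0-0 15 0',
    r'203.0.113.5 - - [2026-03-01 16:55:03.000001] "GET / HTTP/1.1" 200 45',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```
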
Copilot AI changed the title from "[WIP] Consider using extended format for logging" to "Add USE_EXTENDED_LOGFORMAT support for Apache variants" Mar 1, 2026
Copilot finished work on behalf of fzipi March 1, 2026 16:55
fzipi changed the title from "Add USE_EXTENDED_LOGFORMAT support for Apache variants" to "feat: add USE_EXTENDED_LOGFORMAT support for Apache variants" Mar 1, 2026
@fzipi
Member

fzipi commented Mar 1, 2026

@theseion Does this make sense? Or do we prefer an approach similar to the one used in METRICSLOG?

@theseion
Contributor

theseion commented Mar 3, 2026

I don't know what you mean by "similar to the one used by METRICSLOG". The only difference is that the metrics log format is configurable, but then, it's also a dedicated directive, whereas this new variable would override APACHE_LOG_FORMAT.

I think it's a good idea, but I would call the variable something else that makes it clear that this is a format optimized for ModSecurity log analysis, e.g., USE_FOLINIS_MODSEC_LOGFORMAT.
