Consider using extended format for logging

[theseion]

@dune73 suggested to use the extended log format as described here: https://www.netnea.com/cms/apache-tutorial-5_extending-access-log/#step_4_configuring_the_new,_extended_log_format.
Variables are described here: https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/#step_5_creating_the_base_configuration.

LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
%{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended

If we do this, I suggest also updating the nginx log format to match this.

[dune73]

Nginx does not allow you to display arbitrary env variables in the logfile. About half of the useful information above can not be displayed via nginx. A workaround is to display the info via ModSec alert messages. The reporting level introduced in CRS v4 allows that to a certain extent, but does not come close to the logfile above.

Example production log with the format above:

https://www.netnea.com/files/tutorial-5-example-access.log

Please notice that the %{ApplicationTime}e is empty in the example.

Aliases supporting extraction of arbitrary columns: https://raw.githubusercontent.com/Apache-Labor/labor/master/bin/.apache-modsec.alias