diff --git a/bin/jabali-agent b/bin/jabali-agent
index 1c143c2..c464dbd 100755
--- a/bin/jabali-agent
+++ b/bin/jabali-agent
@@ -776,11 +776,7 @@ function wafAuditLogList(array $params): array
             continue;
         }
 
-        if (preg_match('/^host:\s*(.+)$/i', $line, $matches)) {
-            $current['host'] = trim($matches[1]);
-            continue;
-        }
-        if (preg_match('/^Host:\s*(.+)$/', $line, $matches)) {
+        if (preg_match('/^\s*host:\s*(.+)$/i', $line, $matches)) {
             $current['host'] = trim($matches[1]);
             continue;
         }
@@ -835,7 +831,18 @@ function wafAuditLogList(array $params): array
             }
         }
         if (preg_match('/\\[hostname "([^"]+)"\\]/', $line, $matches)) {
-            $entry['host'] = $matches[1];
+            $loggedHost = $matches[1];
+            $currentHost = (string) ($entry['host'] ?? '');
+            $remoteIp = (string) ($entry['remote_ip'] ?? '');
+            $shouldOverrideHost = $currentHost === ''
+                || $currentHost === $remoteIp
+                || $currentHost === '127.0.0.1'
+                || $currentHost === '::1'
+                || $currentHost === 'localhost';
+
+            if ($shouldOverrideHost && $loggedHost !== '') {
+                $entry['host'] = $loggedHost;
+            }
         }
 
         if (str_contains($line, 'Access denied')) {