Mailing Lists: Apple Mailing Lists


forensic logging



Here is a little-known module that has been available for a while but is seldom used or talked about. It's already installed on 10.3 and possibly 10.2.x (I haven't confirmed 10.2.8).

mod_log_forensic.so

This module provides forensic logging of the requests made to the server

Status: Extension
Source File: mod_log_forensic.c
Module Identifier: log_forensic_module
Compatibility: Available in Version 1.3.30 and later.

Summary

This module provides for forensic logging of client requests. Logging is done before and after processing a request, so the forensic log contains two log lines for each request. The forensic logger is very strict, which means:

* The format is fixed. You cannot modify the logging format at runtime.
* If it cannot write its data, the child process exits immediately and may dump core (depends on your CoreDumpDirectory configuration).


The check_forensic script, which can be found in the distribution's support directory (or at http://cvs.apache.org/viewcvs.cgi/*checkout*/apache-1.3/src/support/check_forensic), may be helpful in evaluating the forensic log output.

______________________________________________________

MAKING IT WORK

in /etc/httpd/httpd.conf

find:
LoadModule config_log_module libexec/httpd/mod_log_config.so


immediately following add:
#LoadModule log_forensic_module libexec/httpd/mod_log_forensic.so

find:
AddModule mod_log_config.c


immediately following add:
#AddModule mod_log_forensic.c

NOTE:
MAKE SURE THAT 'mod_unique_id' PRECEDES 'mod_log_config' IN THE 'LoadModule' AND 'AddModule' ENTRIES and is enabled.


find:
LogFormat "%{User-agent}i" agent

immediately following add:
<IfModule mod_log_forensic.c>
LogFormat "[%{forensic-id}n] %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forensic-combined
LogFormat "[%{forensic-id}n] %h %l %u %t \"%r\" %>s %b" forensic-common
LogFormat "[%{forensic-id}n] %{Referer}i -> %U" forensic-referer
LogFormat "[%{forensic-id}n] %{User-agent}i" forensic-agent
</IfModule>


______________________________________________________

For any site you wish to enable forensic logging, add the following to the site conf file:
(replace {sitename} with the hostname for site identification)

<IfModule mod_log_forensic.c>
ForensicLog "/var/log/httpd/{sitename}_forensic_log"
</IfModule>

If you enable the module in SA, you will have additional log options in the pull-down menu that will take advantage of the extra options if you wish to add them to the regular log as a means of tracking the offensive callers.

No additional handlers are required to roll the log, this will be taken care of by the regular log roll routine looking after the files in this folder.

-- Dale
_______________________________________________
Macos-x-server mailing list
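The two-lines-per-request layout described in the module summary above, and the forensic-id that the forensic-combined LogFormat carries into the regular access log, worked through as an added example. This is not code from the original post, from Apache, or from the check_forensic script; the log lines, IDs and addresses are constructed. The field layout it parses ("+id|request line|Header:value|...", then "-id", with ':', '|', '%' and non-printable bytes escaped as %xx) is the module's documented format.

```python
"""Added example (not from the original post or the Apache project): parse a
mod_log_forensic log, undo its escaping, report requests that never finished,
and join the surviving IDs to an access log written with the forensic-combined
LogFormat from the post.  Sample log lines and IDs below are constructed."""
import re

# Constructed forensic log.  mod_log_forensic writes one '+' line when the
# request arrives ("+<id>|<request line>|<Header>:<value>|...") and one
# '-<id>' line when it has been processed.  ':', '|', '%' and
# non-printable bytes inside a field are escaped as %xx (lowercase hex).
FORENSIC_LOG = """\
+yQtJf8CoAB4AAFNXBIEAAAAA|GET /index.html HTTP/1.1|Host:www.example.com|User-Agent:Mozilla/5.0 (X11; Linux)|Accept:text/html
-yQtJf8CoAB4AAFNXBIEAAAAA
+yQtJf8CoAB4AAFNXBIEAAAAB|GET /cgi-bin/upload.cgi?file=a%7cb HTTP/1.1|Host:www.example.com|Referer:http%3a//evil.example/|User-Agent:curl/7.x
+yQtJf8CoAB4AAFNXBIEAAAAC|POST /login HTTP/1.1|Host:www.example.com|Content-Type:application/x-www-form-urlencoded
-yQtJf8CoAB4AAFNXBIEAAAAC
"""

# Constructed access log in the post's "forensic-combined" format:
# [%{forensic-id}n] %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Request ...AAAAB has no line here: access logging runs after the request,
# and that request never got that far.
ACCESS_LOG = """\
[yQtJf8CoAB4AAFNXBIEAAAAA] 192.0.2.10 - - [12/Mar/2004:10:15:01 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux)"
[yQtJf8CoAB4AAFNXBIEAAAAC] 192.0.2.11 - - [12/Mar/2004:10:15:07 -0800] "POST /login HTTP/1.1" 302 - "-" "-"
"""

_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
_ACCESS_ID = re.compile(r"^\[(?P<id>[^\]]+)\] ")


def unescape(field):
    """Undo the forensic %xx escaping in a single pass.  A '%' the client
    itself sent was logged as %25, so one pass restores the request exactly
    as the server received it, URL-encoding included."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_forensic(text):
    """Return (requests, completed): requests maps id -> {'request', 'headers'}
    for every '+' line, completed is the set of ids that also got a '-' line."""
    requests, completed = {}, set()
    for line in text.splitlines():
        if line.startswith("+"):
            fields = line[1:].split("|")
            headers = {}
            for field in fields[2:]:
                name, _, value = field.partition(":")  # ':' in values is escaped
                headers[name] = unescape(value)
            requests[fields[0]] = {"request": unescape(fields[1]), "headers": headers}
        elif line.startswith("-"):
            completed.add(line[1:])
    return requests, completed


def incomplete_requests(text):
    """IDs with a '+' line but no '-' line: the request that was in flight
    when the child exited, which is what check_forensic is looking for."""
    requests, completed = parse_forensic(text)
    return {rid: req for rid, req in requests.items() if rid not in completed}


def correlate(forensic_text, access_text):
    """Join forensic records to forensic-combined access log lines by id, so
    the full request (all headers) can be matched to client address, status
    and size.  'access_line' is None when the request never got logged."""
    requests, completed = parse_forensic(forensic_text)
    access = {}
    for line in access_text.splitlines():
        m = _ACCESS_ID.match(line)
        if m:
            access[m.group("id")] = line
    return {
        rid: dict(req, completed=rid in completed, access_line=access.get(rid))
        for rid, req in requests.items()
    }


if __name__ == "__main__":
    for rid, req in incomplete_requests(FORENSIC_LOG).items():
        print(f"unfinished {rid}: {req['request']}")
        for name, value in req["headers"].items():
            print(f"    {name}: {value}")
```

check_forensic does the same "+ without -" comparison with sort and join over the real log file. The join to the access log is the reason to keep `[%{forensic-id}n]` in the regular log as well as in the forensic file: the request that never finished has no access-log line at all, so the forensic log is the only record of what the client sent, and the id lets the rest of that client's traffic be pulled from the regular log.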

References:
Server Temperatures (From: Andrew Hankinson <email@hidden>)


