Obsecurities.com - Security through obsecurity

Quick Apache Logging Guide

v0.1 This work is licensed under a Creative Commons License.

0. TOC and Purpose
1. Changelog
2. Apache logs/LogFormat
3. What do we want to block?
4. SetEnvIf
5. Contact

0. TOC and Purpose

The need for this howto came about with the massive influx of new IIS exploits and viruses. Although they did no real damage, they were absolutely annoying. I could not read the legitimate logs because the viruses were filling up my logs with trash. So, in my absolute annoyance, I took it upon myself to write this quick guide. This guide gives a straightforward look at the proper way to separate legitimate access logs from junk logs.

1. Changelog

v0.1 - Initial Howto released. This is very basic and straight to the point. No embellishment added.

2. Apache logs/LogFormat

The access log records all requests processed by the server. The trick to our setup is the use of CustomLog. All the possible variables are detailed in the documentation at httpd.apache.org.

I am going to assume that if you want to understand the variables within your logs that you will go and read the very well written documentation. For my logs I used:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" full
CustomLog /var/log/apache/access.log full

This sets up the structure of the access log and also where the access log will be located. You can adjust your LogFormat however you want it to look. Having the information in our logs is only the first step in removing the extra "junk logs" which we do not wish to see. However, we do not want to simply throw away the junk logs, because we could be throwing away valuable information if an exploit did occur. So we will split up the logs to solve both of our problems.

3. What do we want to block?

The first junk that filled up my log appeared a long while ago. This of course is a WebDAV problem in IIS. The log reads as follows:

dyn-greek-###-##.dyn.columbia.edu - - [30/Apr/2004:14:58:34 -0400] "OPTIONS / HTTP/1.1" 200 -

This of course was a general annoyance for a while, but I finally got sick of the logs and decided they needed to go. This was accomplished by first finding out that the user-agent was Microsoft-WebDAV-MiniRedir. Then I had to create an environment variable.

The second and most egregious junk log that I HAD to get rid of was from another IIS exploit. While I will not paste all of the log here (because it is hundreds of lines long), it is basically:

user-######.user.msu.edu - - [30/Apr/2004:13:38:23 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\xx02\xb2\ etc etc.

Getting rid of this junk log was a bit more tricky, yet it also relied upon our friend SetEnvIf.

4. SetEnvIf

First you need to note that you need the setenvif_module (mod_setenvif). If you do not have it, go back to the Apache documentation and find out how to install it on your system. If you do have it, continue reading.

The first SetEnvIf is very simple.

SetEnvIf user-agent ^Microsoft-WebDAV-MiniRedir !good

Hopefully you can read and understand what this means. Explicitly, this says that anyone who tries to access your server with that specific user-agent is set to not "good" (hint: the label is arbitrary).

Thus for our main access log we could set

CustomLog /var/log/apache/access.log full env=good
CustomLog /var/log/apache/junk.log full env=!good

Simply enough, this puts the good logs into access.log and the junk into junk.log. But this still does not take care of the vile super-long SEARCH request. Curiously enough, SEARCH is not a valid method, which we can use to our advantage in logging. Although I first tried to explicitly deny the method SEARCH, Apache does not recognize the method since it does not exist. So instead I had to decide which methods I WOULD allow and explicitly allow those, rather than explicitly denying SEARCH. To do this I added:

SetEnvIf Request_Method "GET" good
SetEnvIf Request_Method "POST" good
SetEnvIf Request_Method "HEAD" good

This, in addition to my previous CustomLog settings, fixed my problem and provided me with the proper level of segregation between my good logs and my junk.
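Added here as an illustration, not part of the original guide: a Python script that parses lines in the guide's "full" LogFormat and applies the same SetEnvIf rules, so an existing combined log can be split into good and junk after the fact. Apache evaluates SetEnvIf directives in the order they appear, so the user-agent rule that clears "good" must come after the method rules that set it, and the script reproduces that ordering. The sample lines, hostnames and virtual host name are constructed placeholders.

```python
import re

# Fields of the guide's "full" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %T %v
# Quoted fields may contain Apache's backslash escapes (e.g. \x90), hence (?:\\.|[^"\\])*
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:\\.|[^"\\])*)" "(?P<ua>(?:\\.|[^"\\])*)" '
    r'(?P<secs>\d+) (?P<vhost>\S+)$'
)

# The guide's SetEnvIf rules in configuration order: (attribute, regex, sets "good"?).
# SetEnvIf regexes are unanchored searches, so "GET" is matched with search().
RULES = [
    ("Request_Method", re.compile(r"GET"), True),
    ("Request_Method", re.compile(r"POST"), True),
    ("Request_Method", re.compile(r"HEAD"), True),
    ("User-Agent", re.compile(r"^Microsoft-WebDAV-MiniRedir"), False),  # "!good"
]

def parse(line):
    """Return the log fields as a dict (plus 'method'), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["method"] = fields["request"].split(" ", 1)[0]  # "%r" starts with the method
    return fields

def is_good(fields):
    """Mirror the env=good outcome: 'good' is unset until a rule sets it, later rules win."""
    good = False
    for attr, pattern, value in RULES:
        subject = fields["method"] if attr == "Request_Method" else fields["ua"]
        if pattern.search(subject):
            good = value
    return good

def split_log(lines):
    """Split lines into (good, junk); unparseable lines are kept in junk, never dropped."""
    good, junk = [], []
    for line in lines:
        f = parse(line)
        (good if f is not None and is_good(f) else junk).append(line)
    return good, junk

# Constructed sample lines in the "full" format (placeholder hosts and vhost).
SAMPLE = [
    'dyn-greek-1-2.dyn.columbia.edu - - [30/Apr/2004:14:58:34 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" 0 www.example.com',
    'user-1234.user.msu.edu - - [30/Apr/2004:13:38:23 -0400] "SEARCH /\\x90\\x02\\xb1 HTTP/1.1" 411 - "-" "-" 0 www.example.com',
    '192.0.2.10 - - [30/Apr/2004:15:01:02 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0" 0 www.example.com',
    '192.0.2.11 - - [30/Apr/2004:15:02:03 -0400] "GET / HTTP/1.1" 200 512 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" 0 www.example.com',
]
```

The fourth sample line shows why ordering matters: its GET sets "good", and the later user-agent rule clears it again, so it lands in junk just as Apache would route it.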

5. Contact

Thanks for reading. If you have any comments, suggestions or gripes, please feel free to send them along. I'm always hungry for feedback. Thanks. Contact me via email.