Re: [users@httpd] Apache access logs

[Ishita Kapadiya <is...@gmail.com>]

Hi All,

Can someone please provide any insight on the problem? Looks like I am
getting so many different patterns in IP field in ssl access logs -

-c=,\vJ\xf3\xa6\xe1=N)f\xbe\xa8; - - [15/Apr/2012:10:28:36 -0400] "GET
xxx HTTP/1.1" 304 -
-Alive - - [15/Apr/2012:20:18:48 -0400] "GET xxx HTTP/1.1" 200 1223
-:\xe0pXPCj\xd6\xdf,\xcd\xd3\x01>\b - user [17/Apr/2012:16:17:58
-0400] "GET xxx HTTP/1.1" 304 -
-Alive - 501358569 [18/Apr/2012:13:21:51 -0400] "GET xxx HTTP/1.1" 200 94991
-127e-4f8f0b1f-001c-2dec3d85 - user [18/Apr/2012:14:42:39 -0400] "GET
xxx HTTP/1.1" 304 -

See the first column. I am not sure what's causing such entries to
present in the logs. Also, such entries present only in ssl access log
and not the port 80 access logs. (this instance is listening on both
port 80 & 443)

On Wed, Apr 25, 2012 at 2:46 PM, Ishita Kapadiya <is...@gmail.com> wrote:
> Thanks Tom. I can see opportunity to use %a instead of %h in log
> format. However, we are using the same (%h) since long with
> HostnameLookups Off but never had seen such entries in access logs
> (*/* instead of IP)
>
> Also, i am using 'common' log format for access log. please find below
> config from my server -
>
> LogFormat "%h %l %{foo}i %t \"%r\" %>s %b" common
> CustomLog "logs/access_log" common
>
> Please let me know if you have any idea about those entries in logs.
>
> Thanks
>
> On Wed, Apr 25, 2012 at 12:14 PM, Tom Evans <te...@googlemail.com> wrote:
>> On Wed, Apr 25, 2012 at 4:54 PM, Ishita Kapadiya <is...@gmail.com> wrote:
>>> Hi All,
>>>
>>> I am using apache 2.2.22.
>>>
>>> We are seeing some weird behavior in Apache access logs. I have
>>> following line in httpd.conf -
>>>
>>> LogFormat "%h %l %i %t \"%r\" %>s %b" common
>>>
>>> now the log should look like - 64.39.111.58 - - [25/Mar/2012:11:08:48
>>> -0400] "GET /abc.html HTTP/1.1" 200 251 (all looks good so far)
>>>
>>> The problem - even though i can see such logs in 90% of the cases
>>> there are lots of entries similar to -
>>>
>>> */* - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
>>> */200 - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
>>>
>>> Note that the first field...
>>>
>>> I have set HostnameLookups Off in my config.
>>> Can anyone tell what could be the reason for such entries or at least
>>> what such entries mean?
>>>
>>> Thanks!
>>>
>>
>> Are you sure this is the format being applied? LogFormat simply
>> defines a format, it doesn't necessarily need to be used.
>>
>> Another possibility is that you have two CustomLog directives pointing
>> at the same file but with different formats.
>>
>> I also don't understand why you are using %h (remote host) with host
>> lookups turned off. If you want the remote IP address, why not use %a
>> (remote IP address).
>>
>> BTW, your use of %i is meaningless. %i is used to extract a header;
>> you never specify a header name, eg '%{FOOBAR}i'. %i by itself will
>> always result in a '-'.
>>
>> Cheers
>>
>> Tom
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org