Re: [users@httpd] strange encoded requests coming in to my server - like'

[Yehuda Katz <ye...@ymkatz.net>]

On Tue, May 31, 2011 at 10:35 AM, Jason Vas Dias
<ja...@gmail.com>wrote:

> But I had the impression from reading the documentation that the
> "access_log" was to
> record actual ACCESSes , ie.  for requests that at least pass the "is a
> valid HTTP request" test ,
> and that non-requests, if logged at all, should appear only in the
> error_log .
>
A request that returns a 404 (or any other error code) is still a valid
request. HTTPD can not return an error response if there was no request for
it.


> Indeed,  for every such bad request received, I see error log entries like
> :
>
> [Tue May 31 07:11:22 2011] [error] [client 117.241.90.130] Invalid method
> in request
> \xb6\xb3\xde\xa9\xb4q&\x1c\xe1\xb4eX"7\xf1\xb4\x82\xd9\xd3\xce\x95\xf9|\x8f\xde\xb7\x1a\xe6\x92G3\xe84\x10]`\xc3
>
> so this is definitely "not a request" - I wouldn't have expected anything
> about this event in the
> access log, because no "access" to anything resulted from this event .
>

Anyone who does log analysis (read Awstats or similar) can tell you how
important the errors in the access log are.
The error log is free-form; any part of the web server, including plugins,
can write to it and they don't use the same format. This makes the log file
very hard if not impossible to parse by machine.
The access log is only written to in the specific format defined in the
configuration, which makes it easy to parse because evey line can be
expected to have the same format.