Logging or not logging 408's

[Dan Poirier <po...@pobox.com>]

Apache 1.3 logged a 408 in the access log if a connection was received
but no request was received before the timeout.

Apache 2.x does not.  If a partial request is received, a 400 is logged,
but if nothing is received, it silently closes the connection when it
times out.

Logging of 408's might be useful to notice if someone is making
malicious requestless connections to attack the server, and identifying
the IP address of the client.  

Is there some good reason not to log the 408's in this case?

(This is also mentioned in PR39785,
https://issues.apache.org/bugzilla/show_bug.cgi?id=39785)

Thanks,

-- 
Dan Poirier <po...@pobox.com>

Re: Logging or not logging 408's

[Stefan Fritsch <sf...@sfritsch.de>]

On Monday 28 September 2009, Dan Poirier wrote:
> Is there some good reason not to log the 408's in this case?

I am +1 for logging the 408's. I also think in case of a timeout, 408 
should be logged instead of 400. The attached patch does that.

RE: Logging or not logging 408's

["Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>]

 

> -----Original Message-----
> From: Dan Poirier [mailto:poirier@pobox.com] 
> Sent: Montag, 28. September 2009 17:22
> To: dev@httpd.apache.org
> Subject: Logging or not logging 408's
> 
> Apache 1.3 logged a 408 in the access log if a connection was received
> but no request was received before the timeout.
> 
> Apache 2.x does not.  If a partial request is received, a 400 
> is logged,
> but if nothing is received, it silently closes the connection when it
> times out.

If nothing is received httpd won't even notice on some platforms due
to BSD accept filters or TCP_DEFER_ACCEPT on Linux. This means a 408 cannot
be logged here in general. But I admit that even on those systems there might
be cases where the socket was passed to httpd and no 400 is logged.
On this case it might make sense to adjust the logging behaviour accordingly.

Regards

Rüdiger