Message-ID: <3FF08E82.5090403@wstoddard.com>
Date: Mon, 29 Dec 2003 15:28:50 -0500
From: Bill Stoddard
To: dev@httpd.apache.org
Subject: Re: Forensic Logging
References: <3FF02E90.5040009@algroup.co.uk> <3FF060AD.8080206@attglobal.net> <3FF08715.4040204@algroup.co.uk>
In-Reply-To: <3FF08715.4040204@algroup.co.uk>

Ben Laurie wrote:

> Jeff Trawick wrote:
>
>> Ben Laurie wrote:
>>
>>> One of the problems that crops up depressingly often is that someone
>>> gets owned, and they can't find out why. This is generally because
>>> the offending request didn't get logged, because the server died
>>> before it logged it.
>>
>> far more often than getting owned are the run-of-the-mill crashes,
>> where this would save a bit of time too
>
> Sure thing.
>
>>> I propose that we should include this as a standard module.
>>
>> +1 (concept)
>
> Excellent, do I hear more?

+1 (concept)

>>> I think we should also enable it by default.
>>
>> then simply building new Apache with previous configure invocation
>> will result in this fresh piece of code inside the server writing
>> logs... this doesn't sound very safe to me ;)
>
> OK, I live in hope :-)
>
>> I think you should have to specify a log file name for it to do anything
>
> Agreed.
>
>> and:
>>
>> 2.1: fine with me if module is built/loaded by default
>>
>> 1.3, 2.0: I suggest enabling with --enable-modules={most|all} but not
>> by default
>
> If it does nothing unless a file is specified, why not enable by default?

Like Jeff, I am more interested in this for debugging process crashes
that are not necessarily related to attacks. Might be useful to enable
this function by default in a mode where it records information in an
in-process buffer that can easily be sniffed out of a core file (tag the
buffer with an eye catcher).

Bill
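
The in-process buffer with an eye catcher suggested above, sketched as an added C example (not code from this thread or from Apache httpd): the request in flight is copied into a tagged record, and a post-mortem scan recovers it from a raw memory image. The tag value, struct layout and function names are assumptions made for illustration; the scan also checks the length field because the tag bytes alone can occur elsewhere in memory.

```c
#include <stdio.h>
#include <string.h>
#define EYE "FORENSIC-BUF>>"      /* hypothetical eye catcher */
#define EYE_LEN (sizeof(EYE) - 1)
#define REQ_MAX 256

/* Fixed-layout record in process memory, so it lands in any core file. */
static struct forensic_rec {
    char eye[EYE_LEN];            /* tag the post-mortem scan looks for */
    unsigned int len;             /* bytes of req[] in use */
    char req[REQ_MAX];            /* request in flight when the process died */
} current_req;

/* Server side: note the request before handling it (long input is truncated). */
void forensic_note(const char *req, size_t n) {
    if (n > REQ_MAX) n = REQ_MAX;
    memcpy(current_req.eye, EYE, EYE_LEN);
    memcpy(current_req.req, req, n);
    current_req.len = (unsigned int)n;
}

/* Post-mortem side: find a tag followed by a sane length; -1 if the image has none. */
long forensic_scan(const unsigned char *img, size_t img_len, char *out, size_t out_sz) {
    struct forensic_rec rec;
    for (size_t i = 0; i + sizeof(rec) <= img_len; i++) {
        if (memcmp(img + i, EYE, EYE_LEN) != 0) continue;
        memcpy(&rec, img + i, sizeof(rec));        /* image offset may be unaligned */
        if (rec.len > REQ_MAX || rec.len >= out_sz) continue;   /* stray tag */
        memcpy(out, rec.req, rec.len);
        out[rec.len] = '\0';
        return (long)rec.len;
    }
    return -1;
}

/* Constructed stand-in for a core file: 0xFF filler, a stray tag, the live record. */
long demo(char *out, size_t out_sz) {
    static unsigned char img[1024];
    forensic_note("GET /constructed HTTP/1.0", 25);
    memset(img, 0xFF, sizeof(img));
    memcpy(img + 8, EYE, EYE_LEN);                 /* stray tag, garbage length after it */
    memcpy(img + 400, &current_req, sizeof(current_req));
    return forensic_scan(img, sizeof(img), out, out_sz);
}

int main(void) {
    char out[REQ_MAX + 1] = "";
    printf("%ld: %s\n", demo(out, sizeof(out)), out);
}
```

A scanner run against a real core file would have to be built with the same struct layout as the binary that crashed.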