httpd-dev mailing list archives

From Jim Riggs
Subject Re: [PATCH] mod_log_forensic security considerations
Date Fri, 08 Jun 2012 17:52:54 GMT
On Jun 8, 2012, at 11:51 AM, Graham Leggett wrote:

> On 08 Jun 2012, at 5:45 PM, Joe Schaefer wrote:
>> Well not quite, we'd still have had a problem with storing and archiving
>> those logs even if we hadn't made them available to committers, because
>> they violate our password retention policies.
> Can you clarify if possible what purpose you were trying to solve by enabling the forensic
> Forensic logging is to answer the question "what is going wrong", and shouldn't be enabled
> under normal operational circumstances unless there is something genuinely going wrong, at
> which point you record what you need and then switch it off again.
> A forensic log that has had a whole lot of filters applied to it is counterproductive,
> because the forensic log no longer tells you exactly what is going on, and when you're troubleshooting
> you need to know precisely that.

In my situation, we have them enabled so that when an issue arises, we have one more tool
at our disposal to identify a root cause. When I get an alert that there is something wrong
with one of our sites, it is usually too late to enable forensic logging at that point. Something
has already happened. We need to mitigate and get everything back up to normal. The question
is usually not "what IS going wrong?", but rather "what WENT wrong?", because it is often
a short-lived event.

Having the forensic logs available has proven extremely helpful in this scenario. Might the
full, unfiltered forensic data be valuable? Yes, but I don't believe the security risk is
worth it in my situation. The rare case where an Authorization header might be truly useful
for debugging or RCA is vastly overshadowed by the usefulness of the rest of the request information
stored in the forensic log.

The key to the forensic log, obviously, is that we have some information about an incoming
request before it is completed. We can't get this information from any of the standard or
custom logs, and we don't have any control over the format. Perhaps, just like we have LogFormat
and now ErrorLogFormat, we should have ForensicLogFormat? If we did, then everyone could have
what they want/need, whether full or partial forensic data.

- Jim
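
The partial forensic data discussed in the message above can also be produced after the fact by scrubbing credential headers from an existing forensic log before it is archived. The following is an added example, not code from the original message or from httpd; it relies on the documented mod_log_forensic line format (`+id|request line|Name:value|...`, with `|` and `:` inside values percent-escaped), and the header list, function names and sample lines are assumptions constructed for illustration.

```python
# Headers treated as credential-bearing (assumed list; extend per local policy).
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}

def scrub_line(line: str) -> str:
    """Redact credential header values in one mod_log_forensic line."""
    # Only '+' lines (request received) carry headers; '-' lines
    # (request finished) hold just the unique ID and pass through.
    if not line.startswith("+"):
        return line
    body = line.rstrip("\n")
    newline = line[len(body):]
    # The module escapes '|' inside values as %7c, so splitting on '|'
    # yields: "+<id>", the request line, then one "Name:value" per header.
    fields = body.split("|")
    out = fields[:2]
    for field in fields[2:]:
        name, sep, _value = field.partition(":")
        if sep and name.lower() in SENSITIVE:
            field = f"{name}:[REDACTED]"
        out.append(field)
    return "|".join(out) + newline

def scrub_log(lines):
    """Scrub an iterable of lines; return (scrubbed_lines, lines_changed)."""
    original = list(lines)
    scrubbed = [scrub_line(l) for l in original]
    changed = sum(1 for a, b in zip(original, scrubbed) if a != b)
    return scrubbed, changed

# Constructed sample input (not taken from a real log).
SAMPLE = [
    "+constructedID0001|GET /private/ HTTP/1.1|Host:www.example.com"
    "|Authorization:Basic Y29uc3RydWN0ZWQ6c2FtcGxl|Accept:*/*\n",
    "-constructedID0001\n",
]

if __name__ == "__main__":
    cleaned, count = scrub_log(SAMPLE)
    print("".join(cleaned), end="")
    print(f"{count} line(s) redacted")
```

The request ID, request line and remaining headers are kept, so the pairing of `+` and `-` entries used to find unfinished requests still works on the scrubbed file.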
