httpd-users mailing list archives

From "Dwight Tovey" <dwi...@dtovey.net>
Subject Re: [users@httpd] IIS SEARCH exploit filling my apache2 logs
Date Fri, 16 Jul 2004 15:28:40 GMT

Joshua Slive said:
> On Thu, 15 Jul 2004 20:45:59 -0600 (MDT), Dwight Tovey
> <dwight@dtovey.net> wrote:
>>
>> Andrew Hamm said:
>
>> > The real question is - can I block or at least filter out these SEARCH
>> > requests from the log? Once again, so much doco to get through before I
>> > can start to understand...
>> >
>>
>> I really should add comments to the changes that I make to my config
>> files.  I ran into the same problem some time back.  I don't remember the
>> details about why, but I have the following line in my config file:
>>
>> LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>>
>> If I remember correctly, this still logs the hit, but if it caused a '414'
>> error (request too long?), then the body of request is not logged.  Kind
>> of a vague description, but it works for me.  Hopefully it will give you
>> something to look for so that you can narrow your search in the docs.
>
> Cute idea.  I'd never thought of that, but it should work (although it
> will hide some information that may be useful in debugging).
>

I remember being a little concerned about losing info when I added that
line, but it hasn't seemed to be a real problem for me in the ~6 months
since I turned it on.  I guess since in this case there isn't really any
use in trying to debug it (the problem is caused by a virus on somebody
else's machine - not much I can do about that), I'm not interested in that
info.

> The things I usually recommend:
>
> 1. Post-process your logs to get rid of entries you don't want.
>
> 2. If your system is really incapable of handling log lines that long,
> you should set LimitRequestLine to a lower value in httpd.conf.
>

I do post-processing, but I also keep a 'screen' session going with 'tail
-f' of the httpd log file so that I can monitor the log in semi-real-time
to make it easy to see if problems arise (I have been able to catch a few
minor problems by doing that).  The obscenely long log lines were blowing
all other log info off the screen.  There may be a better way to do all of
this, but so far it has worked for me and my simple needs.

    /dwight
-- 
Dwight N. Tovey
email: dwight@dtovey.net
web: http://www.dtovey.net/~dwight
-----------
Maturity is only a short break in adolescence.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
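
Added example, not part of the original thread or of Apache httpd: a small Python filter for the "post-process your logs" and `tail -f` cases discussed above. It collapses an over-long request field in a combined-format log line while keeping the client, time, method, status and size visible. The names `shorten`, `MAX_REQUEST` and the sample lines are assumptions made for this sketch.

```python
import re
import sys

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\]) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '      # httpd escapes embedded quotes as \"
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?P<tail>.*)$'
)

MAX_REQUEST = 120  # assumed display budget for the request field, in characters

# Constructed sample lines (documentation addresses, padded request line).
SAMPLE_NORMAL = ('198.51.100.2 - - [16/Jul/2004:15:29:01 +0000] '
                 '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"')
SAMPLE_LONG = ('203.0.113.7 - - [16/Jul/2004:15:28:40 +0000] '
               '"SEARCH /' + 'A' * 4000 + '" 414 340 "-" "-"')


def shorten(line, max_request=MAX_REQUEST):
    """Return the log line with an over-long request field collapsed.

    Lines that do not parse are returned unchanged, so nothing is dropped.
    """
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if not m:
        return line
    request = m.group("request")
    if len(request) <= max_request:
        return line
    method = request.split(" ", 1)[0][:16]   # keep the method, bounded in length
    summary = f"{method} [{len(request)} chars omitted]"
    return (f'{m.group("head")} "{summary}" '
            f'{m.group("status")} {m.group("size")}{m.group("tail")}')


def main():
    # Line-by-line with an explicit flush so it works behind `tail -f`.
    for raw in sys.stdin:
        print(shorten(raw), flush=True)


if __name__ == "__main__":
    main()
```

Saved under a name of your choosing, it can sit at the end of a pipe from `tail -f` on the access log; the log file on disk is left complete for later debugging.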

