httpd-users mailing list archives

From "Dwight Tovey" <>
Subject Re: [users@httpd] IIS SEARCH exploit filling my apache2 logs
Date Fri, 16 Jul 2004 15:28:40 GMT

Joshua Slive said:
> On Thu, 15 Jul 2004 20:45:59 -0600 (MDT), Dwight Tovey wrote:
>> Andrew Hamm said:
>> > The real question is - can I block or at least filter out these SEARCH
>> > requests from the log? Once again, so much doco to get through before I
>> > can start to understand...
>> >
>> I really should add comments to the changes that I make to my config
>> files.  I ran into the same problem some time back.  I don't remember the
>> details about why, but I have the following line in my config file:
>> LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>> If I remember correctly, this still logs the hit, but if it caused a '414'
>> error (request too long?), then the body of request is not logged.  Kind
>> of a vague description, but it works for me.  Hopefully it will give you
>> something to look for so that you can narrow your search in the docs.
> Cute idea.  I'd never thought of that, but it should work (although it
> will hide some information that may be useful in debugging).

I remember being a little concerned about losing info when I added that
line, but it hasn't seemed to be a real problem for me in the ~6 months
since I turned it on.  I guess since in this case there isn't really any
use in trying to debug it (the problem is caused by a virus on somebody
else's machine - not much I can do about that), I'm not interested in that

> The things I usually recommend:
> 1. Post-process your logs to get rid of entries you don't want.
> 2. If your system is really incapable of handling log lines that long,
> you should set LimitRequestLine to a lower value in httpd.conf.

I do post-processing, but I also keep a 'screen' session going with 'tail
-f' of the httpd log file so that I can monitor the log in semi-real-time
to make it easy to see if problems arise (I have been able to catch a few
minor problems by doing that).  The obscenely long log lines were blowing
all other log info off the screen.  There may be a better way to do all of
this, but so far it has worked for me and my simple needs.

Dwight N. Tovey
Maturity is only a short break in adolescence.
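
Added example, not part of the original thread or of Apache itself: one way to do the post-processing recommended above while keeping the hit visible, by collapsing only oversized SEARCH request fields in a combined-format log. The function names, the `MAX_REQ` variable and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: collapse oversized SEARCH request fields in an Apache
# combined-format access log. Reads stdin, writes stdout.
# MAX_REQ is an assumed knob: longest request field shown verbatim.
collapse_search() {
    awk -v max="${MAX_REQ:-200}" '
    {
        # The request field opens right after the timestamp: ] "
        start = index($0, "] \"")
        if (start == 0) { print; next }
        head = substr($0, 1, start + 2)   # through the opening quote
        rest = substr($0, start + 3)      # request field onward
        # It closes at the first quote followed by a 3-digit status.
        if (!match(rest, /" [0-9][0-9][0-9] /)) { print; next }
        req  = substr(rest, 1, RSTART - 1)
        tail = substr(rest, RSTART)
        # Only long SEARCH requests are rewritten; host, time and
        # status stay intact so the hit can still be counted.
        if (req ~ /^SEARCH / && length(req) > max)
            req = "SEARCH [" length(req) " chars elided]"
        print head req tail
        fflush()                          # do not hold lines in a buffer
    }'
}

# Constructed sample input: one normal hit and one 414 SEARCH probe
# padded with 300 filler characters (documentation IP addresses).
sample_log() {
    pad=$(awk 'BEGIN { while (i++ < 300) printf "A" }')
    printf '%s\n' \
      '192.0.2.10 - - [16/Jul/2004:09:00:00 -0600] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"' \
      "192.0.2.77 - - [16/Jul/2004:09:00:01 -0600] \"SEARCH /$pad\" 414 334 \"-\" \"-\""
}

sample_log | collapse_search
```

For live monitoring, the same function can sit at the end of a `tail -f` pipeline on the access log, with the final demo line removed.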

The official User-To-User support forum of the Apache HTTP Server Project.