On Thursday 28 January 2010 07:52:05 Michael A. Capone wrote:
> We currently use a 3rd party security company to do a nessus-type
> security audit on our site for PCI compliance. Their scans naturally
> generate a lot of noise in the error log, to the point that legitimate
> site errors are lost in the forest. What I'm hoping to find / create is
> some kind of mechanism that can pre-empt writing to the error log and
> either 1) ideally, don't log if the client IP is xxx.xxx.xxx.xxx, or 2)
> always log the client IP address with each error, which will enable us
> to filter those out manually after the fact. Either solution is
> acceptable.
>
> Apache provides a trivial solution for the access_log, in the form of:
>
> SetEnvIf Remote_Addr xxx.xxx.xxx.* nolog
>
> ... however, that solution does not extend to the error log. I'm hoping
> there's a mod_perl "hook" that can allow me to change apache's error
> logging behaviour to what I need it to be.
>
There is an error_log hook in apache:

  error_log
    declared in ./include/http_log.h
    implemented in ./server/log.c
    type is VOID
    void error_log(const char *file, int line, int level, apr_status_t status,
                   const server_rec *s, const request_rec *r, apr_pool_t *pool,
                   const char *errstr)

It is run at the end of log_error_core(). That means the error is already
logged.

But perhaps you can set ErrorLog to /dev/null and implement your own logging
using that hook.

That is where I would start.

Torsten
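
Option 2 from the question (filtering on the client address after the fact), as an added example that is not part of either post: it splits error-log lines by the `[client …]` tag Apache writes on request-related errors, setting scanner lines aside instead of discarding them. The function names, the sample lines and the scanner range 192.0.2.0/24 are constructed placeholders.

```python
import ipaddress
import re

# Constructed placeholder (RFC 5737 documentation range) standing in for the
# scanning vendor's source addresses; replace with the real range.
SCANNER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# "[client 192.0.2.7]" or "[client 192.0.2.7:51234]" (address plus source port).
CLIENT_RE = re.compile(r"\[client ([^\]\s]+)\]")

SAMPLE = [  # constructed error-log lines, not taken from a real server
    "[Thu Jan 28 07:52:05 2010] [error] [client 192.0.2.7] File does not exist: /var/www/admin.php",
    "[Thu Jan 28 07:52:06 2010] [error] [client 198.51.100.23] Premature end of script headers: report.cgi",
    "[Thu Jan 28 07:52:07 2010] [notice] caught SIGTERM, shutting down",
    "[Thu Jan 28 07:52:08 2010] [error] [client 192.0.2.200:51234] request failed: URI too long",
]

def client_ip(line):
    """Return the client address tagged on an error-log line, or None."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    token = m.group(1)
    # Try the bare token first, then the token with a ":port" suffix removed.
    # IPv6 with a port suffix is ambiguous and is not handled here.
    for candidate in (token, token.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None

def split_log(lines, scanner_nets=SCANNER_NETS):
    """Partition lines into (keep, scanner). Lines with no parsable client
    tag (server-level messages) always stay in 'keep'."""
    keep, scanner = [], []
    for line in lines:
        ip = client_ip(line)
        if ip is not None and any(ip in net for net in scanner_nets):
            scanner.append(line)  # set aside for audit review, not dropped
        else:
            keep.append(line)
    return keep, scanner

if __name__ == "__main__":
    keep, scanner = split_log(SAMPLE)
    print("\n".join(keep))
    print(f"# {len(scanner)} scanner line(s) set aside")
```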