From fe39ffb8b90ae4e002ed73fe98617cd590abb467 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 08:33:50 +0200 Subject: Adding upstream version 2.4.56. Signed-off-by: Daniel Baumann --- docs/manual/mod/mod_log_forensic.html.en | 196 +++++++++++++++++++++++++++++++ 1 file changed, 196 insertions(+) create mode 100644 docs/manual/mod/mod_log_forensic.html.en (limited to 'docs/manual/mod/mod_log_forensic.html.en') diff --git a/docs/manual/mod/mod_log_forensic.html.en b/docs/manual/mod/mod_log_forensic.html.en new file mode 100644 index 0000000..c7b535b --- /dev/null +++ b/docs/manual/mod/mod_log_forensic.html.en @@ -0,0 +1,196 @@ + + + + + +mod_log_forensic - Apache HTTP Server Version 2.4 + + + + + + + +
+

Modules | Directives | FAQ | Glossary | Sitemap

+

Apache HTTP Server Version 2.4

+
+
<-
+ +
+

Apache Module mod_log_forensic

+
+

Available Languages:  en  | + fr  | + ja  | + tr 

+
+ + + + +
Description:Forensic Logging of the requests made to the server
Status:Extension
Module Identifier:log_forensic_module
Source File:mod_log_forensic.c
Compatibility:mod_unique_id is no longer required since +version 2.1
+

Summary

+ +

This module provides for forensic logging of client + requests. Logging is done before and after processing a request, so the + forensic log contains two log lines for each request. + The forensic logger is very strict, which means:

+ +
    +
  • The format is fixed. You cannot modify the logging format at + runtime.
    • +
  • If it cannot write its data, the child process + exits immediately and may dump core (depending on your + CoreDumpDirectory + configuration).
    • +
+ +

The check_forensic script, which can be found in the + distribution's support directory, may be helpful in evaluating the + forensic log output.

+
+ +
top
+
+

Forensic Log Format

+

Each request is logged two times. The first time is before it's + processed further (that is, after receiving the headers). The second log + entry is written after the request processing at the same time + where normal logging occurs.

+ +

In order to identify each request, a unique request ID is assigned. + This forensic ID can be cross logged in the normal transfer log using the + %{forensic-id}n format string. If you're using + mod_unique_id, its generated ID will be used.

+ +

The first line logs the forensic ID, the request line and all received + headers, separated by pipe characters (|). A sample line + looks like the following (all on one line):

+ +

+ +yQtJf8CoAB4AAFNXBIEAAAAA|GET /manual/de/images/down.gif + HTTP/1.1|Host:localhost%3a8080|User-Agent:Mozilla/5.0 (X11; + U; Linux i686; en-US; rv%3a1.6) Gecko/20040216 + Firefox/0.8|Accept:image/png, etc... +

+ +

The plus character at the beginning indicates that this is the first log + line of this request. The second line just contains a minus character and + the ID again:

+ +

+ -yQtJf8CoAB4AAFNXBIEAAAAA +

+ +

The check_forensic script takes as its argument the name + of the logfile. It looks for those +/- ID pairs + and complains if a request was not completed.

+
top
+
+

Security Considerations

+

See the security tips + document for details on why your security could be compromised + if the directory where logfiles are stored is writable by + anyone other than the user that starts the server.

+

The log files may contain sensitive data such as the contents of + Authorization: headers (which can contain passwords), so + they should not be readable by anyone except the user that starts the + server.

+
+
top
+

ForensicLog Directive

+ + + + + + +
Description:Sets filename of the forensic log
Syntax:ForensicLog filename|pipe
Context:server config, virtual host
Status:Extension
Module:mod_log_forensic
+

The ForensicLog directive is used to + log requests to the server for forensic analysis. Each log entry + is assigned a unique ID which can be associated with the request + using the normal CustomLog + directive. mod_log_forensic creates a token called + forensic-id, which can be added to the transfer log + using the %{forensic-id}n format string.

+ +

The argument, which specifies the location to which + the logs will be written, can take one of the following two + types of values:

+ +
+
filename
+
A filename, relative to the ServerRoot.
+ +
pipe
+
The pipe character "|", followed by the path + to a program to receive the log information on its standard + input. The program name can be specified relative to the ServerRoot directive. + +

Security:

+

If a program is used, then it will be run as the user who + started httpd. This will be root if the server was + started by root; be sure that the program is secure or switches to a + less privileged user.

+
+ +

Note

+

When entering a file path on non-Unix platforms, care should be taken + to make sure that only forward slashes are used even though the platform + may allow the use of back slashes. In general it is a good idea to always + use forward slashes throughout the configuration files.

+
+
+ +
+
+
+

Available Languages:  en  | + fr  | + ja  | + tr 

+
top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our mailing lists.
+
+ \ No newline at end of file -- cgit v1.2.3