We Keep Coding

Random chars appearing in Apache access logs

We are seeing random letters appear in access logs. The requests 404 since the content does not exist. The requests are made by a variety of users and other requests from the same ip usually look genuine. There is no way to request these from the site. Some of these requests even appear from internal traffic on our network.
Example:
157.203.177.191 - - [04/Feb/2018:23:51:20 +0000] "GET /VLTRP/content/dam/example/dotcom/images/ABtest/existing-customer-thumb.jpg HTTP/1.1" 404 60294 39082 "http://www.example.com/shop.html" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" 2
Without the /VLTRP this is a genuine request. Has anyone seen something similar before?
For info we are running Apache/2.2.15 (Unix) with ModSec enabled. We do see similar behaviour on another site where we do not have ModSec configured. We see similar requests for internal, external and bot traffic.

Lighttpd mod_accesslog cannot display Request_URI with custom error pages

I need some help to customize my access log on Lighttpd 1.4.28. So far I have been able to modify the configuration to display the date in a strftime(3) format. The default date format is just way too long. Here are the relevant lines from /etc/lighttpd/lighttpd.conf
accesslog.format = "%s [%{%d%b-%H:%M}t] %h %b %U * %{From}i|%{Via}i|%{Referer}i *
accesslog.filename = "/web/lighttpd_access.log"
And here is my access.log entry:
404 [24Aug-16:55] 98.68.178.112 345 /phpMyAdmin/scripts/setup.php * -|-|- * "Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1"
Customizing the date was not hard, but I ran into a problem trying to display request URL while simultaneously using custom 404 pages. I just added
server.error-handler-404 = "/error.html"
to the lighttpd.conf file, and the lighttpd_access.log now contains redirected /error.html, instead of the full url of the request that generated the error.
200 [24Aug-16:06] 98.68.178.112 1 /error.html * -|-|- * "Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1"
I have also tried adding %{Request_URI}i, but the log entry was - blank. Anyone knows the correct syntax to use when trying to display the original request URL in conjunction with custom 404 pages?

This isn't an exact fix to your issue but if your goal is just to find out what URLs are broken - use a PHP file instead for your error handler -- you can still redirect to error.html (if you so wish)
lighttpd.conf:
server.error-handler-404 = "/error.php"
error.php:
<?
$brokenpath = $_SERVER["REQUEST_URI"]."\n";
$out = fopen("/foo/bar/404.txt", "a"); // save broken urls here
fputs($out, $brokenpath);`
fclose($out);
header("Location: http://domain.com/error.html");
?>

Apache Logging PHP Requests

i want log in my accesslog the full urls not just this.
127.0.0.1 - - [07/May/2011:20:19:48 +0200] "GET /test/index1.php HTTP/1.1" 200 31333 "-" "Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0"
i want log for example:
/test/index.php?page=10 or I use also mod rewrite than it would be /test/Page/100
is this possible?
On my server is running Apache / PHP 5
Thank you for your help.

Use the LogFormat directive to specify the exact format that you want. The parameter for the query string is %q

Fixing mistakes reading logs

I have huge 1 GB log file. As I know, it shows errors in my site. But I absolutely don't get it.
I have lots of rows like this:
8x.xxx.45.10x (my ip) - - [04/Feb/2011:09:59:48 -0500] "GET /post?slaps=bbrfd HTTP/1.1" 404 278 "http://mywebsite.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.86 Safari/534.13"
What does it mean?
Thank you very much.

That entry indicates that a request for /post?slaps=bbrfd on your site was not found (404). The request came from your IP, transferred 278 bytes of data (the 404 error page's contents). The link that couldn't be found was clicked on mywebsite.com, and the rest is how the browser identified itself. The two dashes are for "remote username", and "username as logged into the site". The remote username is VERY rarely present, as it requires the remote site running identd and would slow down your site massively.

Looks like an access log file from Apache. Nothing to do with PHP or MySQL. Looks the user got a 404 page when trying to access /post?slaps=bbrfd
This would suggest the URL does not exist.

How to fix apache2 timestamps, incorrect values

When I restart my apache2 and reload a page, the log file shows
boogie.tontut.fi - - [28/Oct/2008:03:27:49 +0200] "GET /test HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
...as supposed to, as it's 03:27:49 now. However, when I click the refresh button again, the new log entry is:
boogie.tontut.fi - - [27/Oct/2008:21:27:52 -0400] "GET /test HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
Offset has changed from +0200 to -0400 and I have no clue where this comes from.
How can I start troubleshooting this problem?

sudo vim /etc/php5/apache2/php.ini
Add time zone
date.timezone="Europe/London"
restart apache2
/etc/init.d/apache2 restart

Try and set your timezone explicitly in the httpd.conf:
SetEnv TZ GMT+2

Maybe looking at the system call would help; on Unix its gettimeofday and on Windows its GetSystemTime.

Isn't it possible that something that runs in apache is changing locale settings in its environment?
Something like:
First reload: log message GMT+2
Apache runs /weird_script.php that calls some kind of setlocale()
Second reload, new enviroment setting in effect, results in log message GMT-4