i want log in my accesslog the full urls not just this.
127.0.0.1 - - [07/May/2011:20:19:48 +0200] "GET /test/index1.php HTTP/1.1" 200 31333 "-" "Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0"
i want log for example:
/test/index.php?page=10 or I use also mod rewrite than it would be /test/Page/100
is this possible?
On my server is running Apache / PHP 5
Thank you for your help.
Use the LogFormat directive to specify the exact format that you want. The parameter for the query string is %q
Related
I am hosting a small test website in ec2 and there should be only 2-3 test users with valid login to my server. However, I am seeing a lot of junk logs in my apache access_log(
/var/log/httpd/access_log):
198.2.208.231 - - [13/Dec/2013:21:11:07 +0000] "GET http://ib.adnxs.com/ttj?id=1995383&position=above HTTP/1.0" 302 - "http://www.minbusiness.net/?p=611" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0 Safari/533.16"
173.234.32.69 - - [13/Dec/2013:21:11:07 +0000] "GET http://ads.creafi-online-media.com/st?ad_type=iframe&ad_size=728x90,468x60§ion=5172215&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://lookfashionstyle.com/index.php?option=com_content&view=category&layout=blog&id=42&Itemid=98&limitstart=24" "Mozilla/4.0 (compatible; MSIE 6.0; WINDOWS; .NET CLR 1.1.4322)"
198.136.31.98 - - [13/Dec/2013:21:11:07 +0000] "GET http://ad.tagjunction.com/st?ad_type=ad&ad_size=468x60§ion=4914662&pub_url=${PUB_URL} HTTP/1.0" 302 - "http://www.benzec.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
....
Not exactly sure what's going on... Am I being attacked?
thanks!
One possibility is that your server is configured as an open proxy and some ad scams are proxying traffic through it to hide their real origin.
There is alot of bots around the web attempting all kinds of exploits,
I spawned my web server just yesterday and already received lots of spamming/exploit attempts. Like the ones in the thread I've just created ( and not only, quite a few others.. Cloudflare is helping but it doesn't catch it all, at least not in the free version, which is what I am using to get some protection):
Exploit Attempts in nginx access log, Some logs without IP, what to do about it?
This is an addition to: Understanding Apache's access log
I have an Apache log file with the following (this is from an example data set on the Splunk website):
178.19.3.35 - - [19/Oct/2013:15:23:00] "GET /flower_store/product.screen?product_id=FL-DLH-02 HTTP/1.1" 200 10582 "http://mystore.splunk.com/flower_store/category.screen?category_id=CANDY&JSESSIONID=SD3SL8FF9ADFF9" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 2258 3329
What is not explained in the above post or in the Apache log help is the 2258 3329 at the very end of this block. What do those numbers mean?
Log file format can be customized in almost any way, so the only way to be sure what those numbers might mean is to check the server configuration.
Open httpd.conf
Find LogFormat
Check Format Strings for the meaning
I have a XAMPP installation on Windows 2008 R2 that I have to support. The facts are these:
The computer has 3 IP addresses (25, 59 and 130, each 192.168.43.)
Apache and IIS need to run side by side (IIS is used for application pools)
The apache is configured to listen only on IP 25
Accessing any of the other IP addresses yields a message from the apache
The following configuration files have been adapted to the IP address listen/bind change (from the default installation):
httpd.conf lists "Listen 192.168.43.25:80"
httpd.conf lists "ServerName 192.168.43.25:80"
extra/httpd-ssl.conf lists "Listen 192.168.43.25:443"
I have no explanation for this behaviour. Whenever I access one of the other IP addresses, I get the following lines in the "access.log":
192.168.43.130 - - [25/Apr/2012:11:41:47 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.0; rv:11.0) Gecko/20100101 Firefox/11.0"
192.168.43.130 - - [25/Apr/2012:11:41:47 +0200] "GET /xampp/ HTTP/1.1" 403 1371 "-" "Mozilla/5.0 (Windows NT 6.0; rv:11.0) Gecko/20100101 Firefox/11.0"
I'm not sure what to make of this. I'm pretty sure that this is my fault, that I somehow do not get the configuration, yet it seems straight forward correct.
Please help me. Thank you. I'll try to answer any questions in a matter of minutes.
We run a service on JBoss. Sometimes we receive requests that have params completely decoded. Below are the apache access log entries. Look at the redirect_url params in following urls. For such urls to work the params need to be encoded. Urls that we post are encoded. Either somebody is explicitly decoding stuff before it reaches us, some faulty browser plug-in etc or our server is doing something we do not understand.
78.150.249.12 - - [30/Apr/2009:19:44:58 +0000] "HEAD /r/?client_id=2&redirect_url=http://www.amazon.co.uk/gp/search?ie=UTF8&keywords=William+Kentridge&search-alias=stripbooks&tag=inhouse3408608&token=3to08p0nn54916kfc000db5gmf HTTP/1.1" 400 - "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
78.150.249.12 - - [30/Apr/2009:19:44:58 +0000] "GET /r/?client_id=2&redirect_url=http://www.amazon.co.uk/gp/search?ie=UTF8&keywords=William+Kentridge&search-alias=stripbooks&tag=inhouse3408608&token=3to08p0nn54916kfc000db5gmf HTTP/1.1" 400 965 "-" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
The HEAD/GET pattern looks like a web accelerator plugin/proxy of some kind - HEAD-ing a link to see if it exists/is modified and then fetching it. Assuming you don't have some other web server in front of your JBoss, then it's unlikely to be your fault.
Also, I don't think that's actually a real user-agent string (real IE6 UAs on XP generally send their CLR version as well), which would support the theory that it's a broken proxy server.
When I restart my apache2 and reload a page, the log file shows
boogie.tontut.fi - - [28/Oct/2008:03:27:49 +0200] "GET /test HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
...as supposed to, as it's 03:27:49 now. However, when I click the refresh button again, the new log entry is:
boogie.tontut.fi - - [27/Oct/2008:21:27:52 -0400] "GET /test HTTP/1.1" 404 457 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3"
Offset has changed from +0200 to -0400 and I have no clue where this comes from.
How can I start troubleshooting this problem?
sudo vim /etc/php5/apache2/php.ini
Add time zone
date.timezone="Europe/London"
restart apache2
/etc/init.d/apache2 restart
Try and set your timezone explicitly in the httpd.conf:
SetEnv TZ GMT+2
Maybe looking at the system call would help; on Unix its gettimeofday and on Windows its GetSystemTime.
Isn't it possible that something that runs in apache is changing locale settings in its environment?
Something like:
First reload: log message GMT+2
Apache runs /weird_script.php that calls some kind of setlocale()
Second reload, new enviroment setting in effect, results in log message GMT-4