selective logging problems with setenvif, request_URI

[peterg22]

I run an Apache web server on my intranet, but I occasionally get "hits" from "outside" when I dial up my ISP. No problem there though. A bandwidth problem did occur though when all the code red started, and I decided a few days ago to start filtering out some of the cr*p. So I devised (ha!) a set of rules shown below that I thought would do the trick, and also stopped logging all the image files and style sheets I have on my system, to keep the logs getting cluttered:

SetEnvIfNoCase request_URI      (.png$|.gif$|.jpg$|.wbmp$)      dontlog
SetEnvIfNoCase request_URI      "/css/*"                        dontlog
SetEnvIfNoCase request_URI      "/status/*"                     dontlog
CustomLog                       /var/log/httpd/combined_log     combined env=!dontlog
CustomLog                       /var/log/httpd/access_log       common  env=!dontlog

SetEnvIfNoCase request_URI      "/scripts/*"                            MSExploit
SetEnvIfNoCase request_URI      "(/root.exe$|/cmd.exe$|/default.ida$)"  MSExploit
CustomLog                       /var/log/httpd/MSexploits_log           common  env=MSExploit

This half works:

1. All my image files and CSS files no longer appear in my logs.
2. The default.ida?NNNNN stuff appears in the MSexploits_log, but also appears in my access_log which it shouldn't ....

I'm sure it's my regex that's causing the problem but I can't see why or where.

Alternatively, should I be looking at multiple env=!dontlog such as env=!dontlog !MSExploit but I can't see any reference to this in the docs.

Can anyone please help me on this ?

 

[iTST]

Well, I'm not sure it this will do the trick, but try it do multiple CustomLog ... env!=MSExploit. cu, Sascha

http://www.itst.org/

 

[peterg22]

Aha! Yes .. it all works now! Thank you ! Here's the final version. How it should work is like this:

If the URI contains '.IDA' set an env variable called MSexploit. Next line: if the env var is set to MSexploit, log it to our MSexploit_log. Next line: If the URI contains '.IDA' set an env variable called 'dontlog'. Go down a few lines until we get to the logging, and .. write it to our combined and common log but only if the environment variable is not set to to 'dontlog'. QED ! So basically, we set one variable just to log the URI to the MSexploit_log, then give the same URI a new variable so that it doesn't get logged to the combined and common logs. What confused me was the fact that Apache seems to process things a line at a time. Still, only been running it for 3 years

SetEnvIfNoCase request_URI      (.ida*)  MSexploit
CustomLog /var/log/httpd/MSexploit_log combined env=MSexploit
SetEnvIfNoCase request_URI      (.ida*) dontlog
#
SetEnvIfNoCase request_URI (.png$|.gif$|.jpg$|.wbmp$) dontlog
SetEnvIfNoCase request_URI "/css/*" dontlog
SetEnvIfNoCase request_URI "/status/*" dontlog
CustomLog /var/log/httpd/combined_log combined env=!dontlog
CustomLog /var/log/httpd/access_log common env=!dontlog

--
Visit

http://www.mildewhall.demon.co.uk

- home of PurePostpro and other Perl goodies !