selective logging problems with setenvif, request_URI

Status
Not open for further replies.

peterg22

Programmer
May 20, 2002
2
GB
I run an Apache web server on my intranet, but I occasionally get "hits" from "outside" when I dial up my ISP. No problem there though. A bandwidth problem did occur though when all the Code Red started, and I decided a few days ago to start filtering out some of the cr*p. So I devised (ha!) a set of rules shown below that I thought would do the trick, and also stopped logging all the image files and style sheets I have on my system, to keep the logs from getting cluttered:
Code:
SetEnvIfNoCase request_URI      (.png$|.gif$|.jpg$|.wbmp$)      dontlog
SetEnvIfNoCase request_URI      "/css/*"                        dontlog
SetEnvIfNoCase request_URI      "/status/*"                     dontlog
CustomLog                       /var/log/httpd/combined_log     combined env=!dontlog
CustomLog                       /var/log/httpd/access_log       common  env=!dontlog

SetEnvIfNoCase request_URI      "/scripts/*"                            MSExploit
SetEnvIfNoCase request_URI      "(/root.exe$|/cmd.exe$|/default.ida$)"  MSExploit
CustomLog                       /var/log/httpd/MSexploits_log           common  env=MSExploit
This half works:

1. All my image files and CSS files no longer appear in my logs.
2. The default.ida?NNNNN stuff appears in the MSexploits_log, but also appears in my access_log which it shouldn't ....

I'm sure it's my regex that's causing the problem but I can't see why or where.

Alternatively, should I be looking at multiple conditions such as env=!dontlog !MSExploit? I can't see any reference to this in the docs.

Can anyone please help me with this?
 
Aha! Yes .. it all works now! Thank you! Here's the final version. How it should work is like this:

If the URI contains '.IDA' set an env variable called MSexploit. Next line: if the env var is set to MSexploit, log it to our MSexploit_log. Next line: If the URI contains '.IDA' set an env variable called 'dontlog'. Go down a few lines until we get to the logging, and .. write it to our combined and common log but only if the environment variable is not set to 'dontlog'. QED! So basically, we set one variable just to log the URI to the MSexploit_log, then give the same URI a new variable so that it doesn't get logged to the combined and common logs. What confused me was the fact that Apache seems to process things a line at a time. Still, only been running it for 3 years :)

Code:
# Tag any .ida request and send it to its own log ...
SetEnvIfNoCase request_URI      "\.ida"  MSexploit
CustomLog /var/log/httpd/MSexploit_log combined env=MSexploit
# ... then tag the same request 'dontlog' so it stays out of the main logs
SetEnvIfNoCase request_URI      "\.ida"  dontlog
#
# Static files and the status pages are not logged at all
SetEnvIfNoCase request_URI "\.(png|gif|jpg|wbmp)$" dontlog
SetEnvIfNoCase request_URI "^/css/" dontlog
SetEnvIfNoCase request_URI "^/status/" dontlog
CustomLog /var/log/httpd/combined_log combined env=!dontlog
CustomLog /var/log/httpd/access_log common env=!dontlog
--
Visit - home of PurePostpro and other Perl goodies !
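As an added illustration (not code from the thread or from Apache), a small Python model of how SetEnvIfNoCase request_URI rules set environment variables and how CustomLog env=VAR / env=!VAR conditions then select the logs a request lands in. It runs the sample URIs below through a transcription of the first (half-working) config and of the final config with its regexes tightened to "\.ida" and "\.(png|gif|jpg|wbmp)$"; the config lists and URIs are constructed for the demo.

```python
import re

# Added illustration, not Apache code: models how SetEnvIfNoCase request_URI
# rules set env vars and how CustomLog env=VAR / env=!VAR then pick the logs.

def set_env(uri, rules):
    """Apply (regex, var) SetEnvIfNoCase rules in order; return the vars set."""
    path = uri.split("?", 1)[0]          # Request_URI carries no query string
    return {var for pattern, var in rules if re.search(pattern, path, re.I)}

def select_logs(env, logs):
    """Return the CustomLogs (in config order) whose env= condition accepts."""
    chosen = []
    for name, cond in logs:
        negate = cond.startswith("!")
        if (cond.lstrip("!") in env) != negate:
            chosen.append(name)
    return chosen

def route(uri, rules, logs):
    return select_logs(set_env(uri, rules), logs)

# Rules and logs transcribed from the question's half-working config.
BEFORE_RULES = [
    (r"(.png$|.gif$|.jpg$|.wbmp$)", "dontlog"),
    (r"/css/*", "dontlog"),
    (r"/status/*", "dontlog"),
    (r"/scripts/*", "MSExploit"),
    (r"(/root.exe$|/cmd.exe$|/default.ida$)", "MSExploit"),
]
BEFORE_LOGS = [("combined_log", "!dontlog"), ("access_log", "!dontlog"),
               ("MSexploits_log", "MSExploit")]

# The final config with tightened regexes: the .ida rule now also tags the
# request 'dontlog', so it is written only to MSexploit_log.
AFTER_RULES = [
    (r"\.ida", "MSexploit"),
    (r"\.ida", "dontlog"),
    (r"\.(png|gif|jpg|wbmp)$", "dontlog"),
    (r"^/css/", "dontlog"),
    (r"^/status/", "dontlog"),
]
AFTER_LOGS = [("MSexploit_log", "MSexploit"),
              ("combined_log", "!dontlog"), ("access_log", "!dontlog")]

if __name__ == "__main__":
    for uri in ["/default.ida?NNNNN", "/scripts/root.exe", "/images/x.gif", "/index.html"]:
        print(uri, "before:", route(uri, BEFORE_RULES, BEFORE_LOGS),
              "after:", route(uri, AFTER_RULES, AFTER_LOGS))
```

The output shows the double logging the question describes (a default.ida request tagged only MSExploit still passes both env=!dontlog checks) and that the final config fixes it for .ida requests; it also shows that the /scripts, root.exe and cmd.exe rules from the first attempt were dropped in the final version, so those requests go back into the main logs.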