9

Daily logs from Logwatch regularly report 400 Bad Request, null: 1744 Time(s) from our nginx logs.

The log entries look like:

123.123.123.123 - - [25/Jan/2011:14:44:19 -0500] "-" 400 173 "-" "-"

Can anyone explain how these are generated and why there are so many? It doesn't appear to be hurting anything, but we've had up to 8000 appear in a day. We host a medium size rails application running on unicorn and nginx.

There is some discussion in the nginx forum, but I haven't found a real solution that decreases the number for 400 Bad Reqeusts logged.

johnml
  • 203
  • 2
  • 4
  • 1
    What are the IP addresses making the bad requests? As it says in the thread, it may be a monitoring program that only opens a TCP connection. – Mark Wagner Jan 25 '11 at 20:45
  • There are many IP addresses. Most have a session that includes normal web traffic mixed with these 400's. I think I've only witnessed the activity from IE browsers in samples where I've zeroed in on a session's worth of traffic. – johnml Jan 25 '11 at 21:05
  • 1
    I've noticed on my server that using Firefox to access a page always gives one of these blank 400 logs exactly 5 seconds after the last valid request, while Firebug shows no errors. This lends credence to @Avleen's answer. – Phrogz Feb 06 '12 at 19:57

1 Answers1

8

This often happens when a browser is using Keep-Alive and reaches the keep alive timeout. It's quite normal.

If you see 400 errors with a URI / path / method such as GET or POST, etc, then you have a legitimate problem with a user making a bad request. But those should be rare.

Avleen
  • 1,044
  • 7
  • 4