
I have an SSL-enabled Apache server which utilizes rotate log to archive the log files. The problem is that when the logs are "rotated", some information gets lost...

For example, all authenticated user names are missing.

ssl_access_log will log:

  • 111.222.333.44 - testuser [24/Aug/2009:11:58:58 -0700] "GET /favicon.ico HTTP/1.1" 404 292 "http://website.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20050729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

but the rotated log will only archive:

  • 111.222.333.44 - - [24/Aug/2009:11:58:58 -0700] "GET /favicon.ico HTTP/1.1" 302 303 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20050729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

Here is the setup of my httpd.conf file:

For the rotate..

  • CustomLog "| /usr/sbin/rotatelogs /etc/httpd/logs/ssl_access 604800" combined

For my virtual host to the https port directive..

  • LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
  • TransferLog logs/ssl_access_log

Why isn't the authenticated user logged in the rotated logs?

up270
  • What's the LogFormat for combined in your config? – CK. Aug 24 '09 at 22:02
  • I believe it's the default one.. LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined – up270 Aug 24 '09 at 22:07
  • found one mistake - added: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" - under the virtual host directory. This puts both logs into the same custom format. But still missing that authenticated user information. – up270 Aug 24 '09 at 22:22
  • Going to need a bit more information about your config. These are not the same requests (as af points out). Is one a redirect to the other? Does one have authentication required, and the other not? – CK. Aug 24 '09 at 22:42
  • I've corrected the problem with af's input but not sure what the rotate logs were recording in the first place. Like you mentioned, it looks like it was recording a different request. The times and the requests matched - not the status. Plus, it was getting updated later than the main log.. perhaps the HTTP requests instead of the HTTPS requests? – up270 Aug 25 '09 at 00:14

1 Answer


This suggests you have other problems with your configuration. There's the hint that the TransferLog logs/ssl_access_log directive is inside a virtual host definition, and the rotated log is not. As the ssl_access_log logs the authenticated user and the rotated log doesn't, I'd guess that the service the rotated log is applied to doesn't actually have any authentication configured.

The other thing is that these logs are actually recording two different HTTP requests. The request in the rotated log got a 302 response, a redirect to somewhere else. The request in ssl_access_log got a 404, a not found response. It is possible that the other request is a consequence of the browser getting the 302 and then attempting to get it from the other place, but it could also be something else.

In short, these logs are logging different virtual hosts. The cause of the redirection could be your server's canonical name setting, rewrite rules or something else; with this information it's impossible to say.

af.
  • Beaten by a couple of minutes :) Additionally, the 302 is happening while the user is not yet authenticated, so there is no userid to report at this point. – CK. Aug 24 '09 at 22:36
  • Thanks for the info! I've moved the custom log command - CustomLog "| /usr/sbin/rotatelogs /etc/httpd/logs/ssl_access 604800" combined - inside the virtual host directive and both the rotated log and the main ssl log are producing the same result. – up270 Aug 24 '09 at 22:55
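
One way to check the diagnosis in the answer above, as an added example that is not part of the original posts: a Python script that parses both logs in the combined format, pairs entries by client, timestamp and request line, and reports which fields differ. The function names are hypothetical; the two sample lines are the ones quoted in the question.

```python
import re
from collections import defaultdict

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache backslash-escapes inner quotes
COMBINED = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED
)
FIELDS = ("host", "ident", "user", "time", "request",
          "status", "size", "referer", "agent")

def parse(lines):
    """Yield one dict per line that matches the combined format."""
    for line in lines:
        m = COMBINED.match(line.strip())
        if m:
            yield dict(zip(FIELDS, m.groups()))

def compare(primary, rotated):
    """Pair entries by (host, time, request) and report how they differ."""
    index = defaultdict(list)
    for e in parse(rotated):
        index[(e["host"], e["time"], e["request"])].append(e)
    findings = []
    for e in parse(primary):
        key = (e["host"], e["time"], e["request"])
        if key not in index:
            findings.append({"key": key, "kind": "not in rotated log", "diff": {}})
        for r in index.get(key, []):
            diff = {f: (e[f], r[f])
                    for f in ("user", "status", "size", "referer") if e[f] != r[f]}
            # A different status means two separate requests were served (for
            # example by different virtual hosts), not one request logged twice.
            # %u is "-" whenever the request carried no authenticated user.
            kind = "different requests" if "status" in diff else "same request"
            findings.append({"key": key, "kind": kind, "diff": diff})
    return findings

# Sample lines as quoted in the question (user agent identical in both).
UA = ('"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) '
      'Gecko/20050729 Firefox/3.5.2 (.NET CLR 3.5.30729)"')
HEAD = '111.222.333.44 - {} [24/Aug/2009:11:58:58 -0700] "GET /favicon.ico HTTP/1.1" '
SSL_LINE = HEAD.format("testuser") + '404 292 "http://website.com" ' + UA
ROTATED_LINE = HEAD.format("-") + '302 303 "-" ' + UA

if __name__ == "__main__":
    for finding in compare([SSL_LINE], [ROTATED_LINE]):
        print(finding["kind"], finding["diff"])
```

Run against the real files by passing open file objects for `logs/ssl_access_log` and the current `rotatelogs` output in place of the sample lists.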