0

I've got two virtual hosts to serve the same site configured in Apache/2.4.18 (Ubuntu), one for http port 80, and the other for https port 443.

Currently I have them generating two separate log files: access.http.log and access.ssl.log but it's quite annoying to have to flip back and forth between the two during audits. I originally had both hosts log to the same file access.log but I couldn't distinguish between the two when troubleshooting traffic requests.

I would like to log them to just one file again, but I can't find in the documentation how to log the port number of the request so I can tell the virtual hosts apart inline. Is this possible?

One sloppy way I noticed is that the protocol is logged in the http referrer (https://localhost/referringpage.php) but this isn't adequate enough since redirects and links could come from anywhere - I just want to log the port of the current request.

Jeff Puckett
  • Have you considered setting up an ELK (Elasticsearch, Logstash, and Kibana) stack? You can take multiple logs, from multiple servers even, and aggregate them into a single log. Seems like this is what you're interested in doing anyway, and it also preserves the integrity of the original logs. – Charles D Pantoga Jul 27 '16 at 15:04
  • @CharlesAddis never heard of it, is it FOSS? Can you recommend a tutorial? – Jeff Puckett Jul 27 '16 at 15:08
  • https://www.youtube.com/watch?v=ge8uHdmtb1M – Charles D Pantoga Jul 27 '16 at 15:12

1 Answer

1

You will need to define a custom log pattern (http://httpd.apache.org/docs/current/mod/mod_log_config.html) which can include the value of an environment variable using the %{VARNAME}e notation. Using the variables that mod_ssl makes available (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html) you could include at a minimum something like %{HTTPS}e which will show which requests were over SSL/TLS or not.

Personally I tend to add a few of those variables so I can audit which ciphers, protocol version, etc. are used by clients to influence tuning decisions.

Once you have that, putting it into an ELK stack as suggested in the comments allows you to create some informative dashboards.

bodgit
  • Fabulous, this is just what I was looking for, thanks! One addendum: in order for me to get it to work, I had to change the `e` to an `x` so `%{HTTPS}x` which I figured out from the examples in [this documentation](https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#logformats). `%{HTTPS}e` or any `%{VARNAME}e` writes just a dash `-` to the log. – Jeff Puckett Jul 27 '16 at 19:07
  • Ah yes, I forgot it's `%{VARNAME}x` instead for `mod_ssl` variables. – bodgit Jul 27 '16 at 21:06
  • Still can't figure out how to drop that one in for [`ErrorLogFormat`](https://httpd.apache.org/docs/2.4/mod/core.html#ErrorLogFormat). If I use `%{HTTPS}e` then it's empty, and if I try `%{HTTPS}x` then apache won't start because configtest failed. – Jeff Puckett Jul 27 '16 at 21:31
  • I also discovered from the [`LogFormat` documentation](http://httpd.apache.org/docs/current/mod/mod_log_config.html#LogFormat) even more specifically I was looking for `%p` *"The canonical port of the server serving the request."* which works even better because we've got some intranet servers that are encrypted over non-standard ports, so the boolean `%{HTTPS}x` isn't detailed enough for that situation. *But* this also isn't supported with `ErrorLogFormat` – Jeff Puckett Jul 27 '16 at 21:42
  • found it's `%A` *"Local IP-address and port"* is the one I'm looking for. The other ones such as `%a` and `%{c}a` provide very high port numbers that vary from connection to connection, and I really have no clue where they come from. Thanks again for your help pointing me in the right direction :) – Jeff Puckett Jul 27 '16 at 21:56
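
A configuration pulling together what the answer and its comments arrive at, added here as an example and not taken from either poster: both virtual hosts write to one access log whose lines carry the port and the mod_ssl variables, and the error log carries the local address and port. The nickname `vhost_port`, the `ServerName`, the document root and the certificate paths are placeholders; mod_ssl is assumed to be loaded.

```apache
# Added example. Assumes mod_ssl is enabled and Ubuntu's ${APACHE_LOG_DIR}.
# "vhost_port" is a nickname chosen for this example.
#
# Combined format plus four trailing fields:
#   %p                canonical port of the server serving the request
#                     (%{local}p logs the port the connection actually arrived on)
#   %{HTTPS}x         mod_ssl variable: "on" for TLS requests, "off" otherwise
#   %{SSL_PROTOCOL}x  negotiated protocol version, "-" on plain HTTP
#   %{SSL_CIPHER}x    negotiated cipher, "-" on plain HTTP
# mod_ssl variables need the %{...}x form; %{...}e only reads the
# request's environment table and logs "-" for them.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x" vhost_port

# ErrorLogFormat has its own format codes: %p and %{...}x are not available.
# %A is "Local IP-address and port"; %a is the client address and port.
# This is the example format from the core documentation with [local %A] added.
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] [local\ %A] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

<VirtualHost *:80>
    # Placeholder name and document root
    ServerName www.example.com
    DocumentRoot /var/www/html

    CustomLog ${APACHE_LOG_DIR}/access.log vhost_port
    ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>

<VirtualHost *:443>
    # Placeholder name and document root
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder certificate paths
    SSLCertificateFile /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Same file and same format as the port 80 host
    CustomLog ${APACHE_LOG_DIR}/access.log vhost_port
    ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>
```

Run `apachectl configtest` before reloading. Keeping the extra fields at the end of the line means tools that parse the standard combined format can still read the leading fields.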