1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 <title>mod_log_forensic - Apache HTTP Server</title>
9 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11 <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
12 <link href="../images/favicon.ico" rel="shortcut icon" /></head>
14 <div id="page-header">
15 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
16 <p class="apache">Apache HTTP Server Version 2.1</p>
17 <img alt="" src="../images/feather.gif" /></div>
18 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
20 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs-project/">Documentation</a> > <a href="../">Version 2.1</a> > <a href="./">Modules</a></div>
21 <div id="page-content">
22 <div id="preamble"><h1>Apache Module mod_log_forensic</h1>
24 <p><span>Available Languages: </span><a href="../en/mod/mod_log_forensic.html" title="English"> en </a></p>
26 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Forensic Logging of the requests made to the server</td></tr>
27 <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
28 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>log_forensic_module</td></tr>
29 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_log_forensic.c</td></tr></table>
32 <p>This module provides for forensic logging of client
33 requests. Logging is done before and after processing a request, so the
34 forensic log contains two log lines for each request.
35 The forensic logger works very strict, which means:</p>
38 <li>The format is fixed. You cannot modify the logging format at
40 <li>If it cannot write its data, the particular child process
41 exits immediately and possibly dumps core (depends on your
42 <code class="directive"><a href="../mod/mpm_common.html#coredumpdirectory">CoreDumpDirectory</a></code>
46 <p>In order to evaluate the log output there's a script
47 <code>check_forensic</code>, which can be found in the support directory
48 of the distribution.</p>
50 <div id="quickview"><h3 class="directives">Directives</h3>
52 <li><img alt="" src="../images/down.gif" /> <a href="#forensiclog">ForensicLog</a></li>
56 <li><img alt="" src="../images/down.gif" /> <a href="#formats">Forensic Log Format</a></li>
57 <li><img alt="" src="../images/down.gif" /> <a href="#security">Security Considerations</a></li>
58 </ul><h3>See also</h3>
60 <li><a href="../logs.html">Apache Log Files</a></li>
61 <li><code class="module"><a href="../mod/mod_log_config.html">mod_log_config</a></code></li>
63 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
65 <h2><a name="formats" id="formats">Forensic Log Format</a></h2>
66 <p>Each request is logged two times. The first time <em>before</em> it's
67 processed further (that is, after receiving the headers). The second log
68 entry is written <em>after</em> the request processing at the same time
69 where normal logging occurs.</p>
71 <p>In order to identify each request, a unique request ID is assigned.
72 This forensic id can be cross logged in the normal transfer log using the
73 <code>%{forensic-id}n</code> format string. If you're using
74 <code class="module"><a href="../mod/mod_unique_id.html">mod_unique_id</a></code> its generated ID will be used.</p>
76 <p>The first line logs the forensic ID, the request line and all received
77 headers, separated by pipe characters (<code>|</code>). A sample line
78 looks like the following (all on one line):</p>
80 <div class="example"><p><code>
81 +yQtJf8CoAB4AAFNXBIEAAAAA|GET /manual/de/images/down.gif
82 HTTP/1.1|Host:localhost%3a8080|User-Agent:Mozilla/5.0 (X11;
83 U; Linux i686; en-US; rv%3a1.6) Gecko/20040216
84 Firefox/0.8|Accept:image/png, <var>etc...</var>
87 <p>The plus character at the beginning indicates that this is first log
88 line of this request. The second line just contains a minus character and
91 <div class="example"><p><code>
92 -yQtJf8CoAB4AAFNXBIEAAAAA
95 <p>The <code>check_forensic</code> script gets as its argument the name
96 of the logfile. It looks for those <code>+</code>/<code>-</code> ID pairs
97 and complains if a request was not completed.</p>
98 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
100 <h2><a name="security" id="security">Security Considerations</a></h2>
101 <p>See the <a href="../misc/security_tips.html#serverroot">security tips</a>
102 document for details on why your security could be compromised
103 if the directory where logfiles are stored is writable by
104 anyone other than the user that starts the server.</p>
106 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
107 <div class="directive-section"><h2><a name="ForensicLog" id="ForensicLog">ForensicLog</a> <a name="forensiclog" id="forensiclog">Directive</a></h2>
108 <table class="directive">
109 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets filename of the forensic log</td></tr>
110 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ForensicLog <var>filename</var>|<var>pipe</var></code></td></tr>
111 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
112 <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
113 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_log_forensic</td></tr>
114 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.1 and later</td></tr>
116 <p>The <code class="directive">ForensicLog</code> directive is used to
117 log requests to the server for a forensic analysis. Each log entry
118 gets assigned unique id which can be associated with the request
119 using the normal <code class="directive"><a href="../mod/mod_log_config.html#customlog">CustomLog</a></code>
120 directive. <code class="module"><a href="../mod/mod_log_forensic.html">mod_log_forensic</a></code> leaves a note called
121 <code>forensic-id</code> which can be added to the transfer log by
122 using the <code>%{forensic-id}n</code> format string.</p>
124 <p>The argument, which specifies the location to which
125 the logs will be written, can take one of the following two
129 <dt><var>filename</var></dt>
130 <dd>A filename, relative to the <code class="directive"><a href="../mod/core.html#serverroot">ServerRoot</a></code>.</dd>
132 <dt><var>pipe</var></dt>
133 <dd>The pipe character "<code>|</code>", followed by the path
134 to a program to receive the log information on its standard
135 input. The program name can be specified relative to the <code class="directive"><a href="../mod/core.html#serverroot">ServerRoot</a></code> directive.
137 <div class="warning"><h3>Security:</h3>
138 <p>If a program is used, then it will be run as the user who
139 started httpd. This will be root if the server was started by root;
140 be sure that the program is secure or switches to a less privileged
144 <div class="note"><h3>Note</h3>
145 <p>When entering a file path on non-Unix platforms, care should be taken
146 to make sure that only forward slashed are used even though the platform
147 may allow the use of back slashes. In general it is a good idea to always
148 use forward slashes throughout the configuration files.</p>
154 <div class="bottomlang">
155 <p><span>Available Languages: </span><a href="../en/mod/mod_log_forensic.html" title="English"> en </a></p>
156 </div><div id="footer">
157 <p class="apache">Copyright 1999-2004 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
158 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>