Re: [analog-help] Re: Re: Re: Re: Corrupt logfile lines

Thu, 26 Feb 2009 04:29:30 -0800 

On 2/26/2009 6:53 AM, Nanu Kalmanovitz wrote:


192.168.254.254 - - [26/Feb/2009:11:13:45 +0200] "GET /req.png HTTP/1.0" 304 - 
"http://www.kalmanovitz.co.il/Analog_Report.html"; "Mozilla/5.0 (X11; U; Linux i686; en-US; 
rv:1.8.1.18) Gecko/20081031 SUSE/2.0.0.18-0.2.1 Firefox/2.0.0.18"
::1 - - [26/Feb/2009:11:13:57 +0200] "GET /" 400 991
::1 - - [26/Feb/2009:11:13:58 +0200] "GET /" 400 991
::1 - - [26/Feb/2009:11:13:59 +0200] "GET /" 400 991
::1 - - [26/Feb/2009:11:14:00 +0200] "GET /" 400 991

38.99.13.125 - - [26/Feb/2009:11:14:45 +0200] "GET /k_comm/Israel/English/Maps/Rezervations/EinHemed33/obj/pages/P7270096_jpg.htm HTTP/1.0" 200 2299 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)" 


They said:

... this is not a second logformat, it is the HTTP status response is 400 "bad 
request"
request, but rather a port scan, or something similar.
That is why the data about the request is not logged - because there was no 
HTTP data available, since it wasn't an HTTP request.
That will happen every time someone connects to port 80 on the server via 
something else than HTTP protocol...



That sounds like nonsense to me. If they're not being logged by the HTTP 
engine, thy shouldn't be in the GTTP access log, and if they are being 
logged by the HTTP engine, they should be logged in the correct format. 
How do you make a request to an IP port without an IP address anyway? 
(Are you sure that it's not an IPv6 request that your web server is 
getting confused about?)



Is it any possibility to configure Analog to interpret the above in a right way?


You can write a LOGFORMAT to match those strings:
LOGFORMAT (%j[%d/%M/%Y:%h:%n:%j] "%j %r" %c %b)

http://analog.cx/docs/logfmt.html


But you don't want to add those requests to your current Analog report. 
If you do create a new report to count these lines, you'll need to look 
at the Failure Reports, because the Response code is 400.


Aengus
+------------------------------------------------------------------------
|  TO UNSUBSCRIBE from this list:
|    http://lists.meer.net/mailman/listinfo/analog-help
|
|  Analog Documentation: http://analog.cx/docs/Readme.html
|  List archives:  http://www.analog.cx/docs/mailing.html#listarchives
|  Usenet version: news://news.gmane.org/gmane.comp.web.analog.general
+------------------------------------------------------------------------
























					Reply via email to