Hi Bill,

>> I (and many others) use the following for getting virus attacks into
>> attack_log instead of access_log:
>>
>> # configuration to direct logging of virus attacks to separate log
>> # make sure you comment out your old CustomLog directive!
>> # for more information refer to /manual/mod/mod_setenvif.html
>>
>> SetEnvIfNoCase Request_URI "default\.ida?|root\.|cmd\.exe" is_attack

> The URI string for a real attack is significantly longer than this.

That's right, but that doesn't explain why it only fails when a real attack comes; I have copied and pasted the whole attack string from the access log, and with this it works. Also, real attacks with 'root.' or 'cmd.exe' are logged in the attack log instead of the access log; it's only that requests to default.ida are not logged as expected.

With Apache I have no default.ida, root.exe, root.sys or cmd.exe on my server, so it's safe for me to say 'if one of these names appears in the request, it's an attack'.

Guenter.
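
An offline way to check the same pattern against logged request lines, as an added example that is not part of the original message: it applies the regular expression from the SetEnvIfNoCase line to the URI field of Common Log Format lines and sorts them the way the attack_log/access_log split is meant to. The log format, function names and sample lines are assumptions constructed for illustration, and the script tests the logged URI, not the value Apache holds in Request_URI at request time.

```python
import re

# Pattern copied from the SetEnvIfNoCase line; IGNORECASE mirrors "NoCase".
# The "?" is a quantifier (optional "a"), not a literal question mark.
ATTACK_RE = re.compile(r"default\.ida?|root\.|cmd\.exe", re.IGNORECASE)

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def request_uri(line):
    """Return the URI field of a CLF line, or None if it cannot be parsed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    parts = m.group(3).split()
    # A request is "METHOD URI PROTOCOL"; timeouts are logged as "-".
    return parts[1] if len(parts) >= 2 else None


def split_log(lines):
    """Sort lines into (attack, normal, unparsed) using ATTACK_RE."""
    attack, normal, unparsed = [], [], []
    for line in lines:
        uri = request_uri(line)
        if uri is None:
            unparsed.append(line)
        elif ATTACK_RE.search(uri):
            attack.append(line)
        else:
            normal.append(line)
    return attack, normal, unparsed


# Constructed sample lines: documentation addresses, placeholder long query.
TS = "[01/Aug/2001:10:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /default.ida?{"X" * 300}=a HTTP/1.0" 404 205',
    f'192.0.2.11 - - {TS} "GET /scripts/root.exe HTTP/1.0" 404 210',
    f'192.0.2.12 - - {TS} "GET /MSADC/CMD.EXE HTTP/1.0" 404 208',
    f'192.0.2.13 - - {TS} "GET /index.html HTTP/1.0" 200 1024',
    # Matches too: with the "a" optional, "default.id" alone is enough.
    f'192.0.2.14 - - {TS} "GET /docs/default.idx HTTP/1.0" 200 512',
    f'192.0.2.15 - - {TS} "-" 408 -',
]

if __name__ == "__main__":
    attack, normal, unparsed = split_log(SAMPLE)
    print(len(attack), "attack,", len(normal), "normal,", len(unparsed), "unparsed")
```

Lines whose request field cannot be split into method, URI and protocol are kept in a third bucket and are not silently counted as normal traffic.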