Copyright 2004 The Apache Software Foundation

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

<name>mod_log_forensic</name>
<description>Forensic Logging of the requests made to the server</description>
<status>Extension</status>
<identifier>log_forensic_module</identifier>
    <p>This module provides for forensic logging of client
    requests. Logging is done before and after processing a request, so the
    forensic log contains two log lines for each request.
    The forensic logger is very strict, which means:</p>

    <li>The format is fixed. You cannot modify the logging format at
    <li>If it cannot write its data, the child process
    exits immediately and may dump core (depending on your
    <directive module="mpm_common">CoreDumpDirectory</directive>

    <p>The <code>check_forensic</code> script, which can be found in the
    distribution's support directory, may be helpful in evaluating the
    forensic log output.</p>
<seealso><module>mod_log_config</module></seealso>
<section id="formats"><title>Forensic Log Format</title>
    <p>Each request is logged two times. The first time is <em>before</em> it is
    processed further (that is, after receiving the headers). The second log
    entry is written <em>after</em> the request processing, at the same time
    as normal logging occurs.</p>

    <p>In order to identify each request, a unique request ID is assigned.
    This forensic ID can be cross-logged in the normal transfer log using the
    <code>%{forensic-id}n</code> format string. If you're using
    <module>mod_unique_id</module>, its generated ID will be used.</p>

    <p>The first line logs the forensic ID, the request line and all received
    headers, separated by pipe characters (<code>|</code>). A sample line
    looks like the following (all on one line):</p>

    <p>The plus character at the beginning indicates that this is the first log
    line of this request. The second line just contains a minus character and
-yQtJf8CoAB4AAFNXBIEAAAAA
    <p>The <code>check_forensic</code> script takes as its argument the name
    of the logfile. It looks for those <code>+</code>/<code>-</code> ID pairs
    and complains if a request was not completed.</p>
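The pairing check described above can be sketched as follows. This is an added example, not the `check_forensic` script from the distribution; the log lines are constructed, and the `Name:value` layout of each header field between the pipes is an assumption, since the sample line is not shown here.

```python
# Constructed sample log (not from a real server). Assumption: each header
# field is written as Name:value between the pipe separators.
SAMPLE_LOG = """\
+reqA0001|GET /index.html HTTP/1.1|Host:www.example.com|User-Agent:curl/8.0
-reqA0001
+reqB0002|POST /upload HTTP/1.1|Host:www.example.com|Content-Length:1048576
+reqC0003|GET /status HTTP/1.1|Host:www.example.com
-reqC0003
-reqZ9999
garbage line
"""

def parse_start(line):
    """Split a '+' line into (forensic_id, request_line, headers dict)."""
    forensic_id, request_line, *fields = line[1:].split("|")
    headers = dict(f.split(":", 1) for f in fields if ":" in f)
    return forensic_id, request_line, headers

def audit(lines):
    """Pair '+'/'-' entries and report anything that does not match up."""
    open_requests = {}  # forensic ID -> (line number, request line, headers)
    report = {"incomplete": [], "orphan_end": [],
              "duplicate_start": [], "malformed": []}
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line[0] == "+" and "|" in line:
            fid, request_line, headers = parse_start(line)
            if fid in open_requests:
                report["duplicate_start"].append((lineno, fid))
            open_requests[fid] = (lineno, request_line, headers)
        elif line[0] == "-" and len(line) > 1:
            # A '-' line closes the request with the same forensic ID.
            if open_requests.pop(line[1:], None) is None:
                report["orphan_end"].append((lineno, line[1:]))
        else:
            report["malformed"].append((lineno, line))
    # Whatever is still open was received but never finished processing.
    report["incomplete"] = [(n, fid, req)
                            for fid, (n, req, _h) in open_requests.items()]
    return report

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG.splitlines()).items():
        for item in items:
            print(kind, item)
```

An `orphan_end` entry usually means the matching `+` line is in an earlier, rotated log file, so check neighbouring files before treating it as tampering.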
<section id="security"><title>Security Considerations</title>
    document for details on why your security could be compromised
    if the directory where logfiles are stored is writable by
    anyone other than the user that starts the server.</p>
<description>Sets filename of the forensic log</description>
<syntax>ForensicLog <var>filename</var>|<var>pipe</var></syntax>
<contextlist><context>server config</context><context>virtual host</context>
<compatibility>Available in version 2.1 and later</compatibility>
    <p>The <directive>ForensicLog</directive> directive is used to
    log requests to the server for forensic analysis. Each log entry
    is assigned a unique ID which can be associated with the request
    using the normal <directive module="mod_log_config">CustomLog</directive>
    directive. <module>mod_log_forensic</module> creates a token called
    <code>forensic-id</code>, which can be added to the transfer log
    using the <code>%{forensic-id}n</code> format string.</p>

    <p>The argument, which specifies the location to which
    the logs will be written, can take one of the following two
dt><
var>filename</
var></
dt>
<
dd>A filename, relative to the <
directive module="core" >ServerRoot</
directive>.</
dd>
<
dd>The pipe character "<
code>|</
code>", followed by the path
to a program to receive the log information on its standard
input. The program name can be specified relative to the <
directive module="core">ServerRoot</
directive> directive.
      <note type="warning"><title>Security:</title>
      <p>If a program is used, then it will be run as the user who
      started httpd. This will be root if the server was started by root;
      be sure that the program is secure or switches to a less privileged
      <note><title>Note</title>
      <p>When entering a file path on non-Unix platforms, care should be taken
      to make sure that only forward slashes are used even though the platform
      may allow the use of back slashes. In general it is a good idea to always
      use forward slashes throughout the configuration files.</p>