Apache logs 2023
<blockquote data-quote="Cupper" data-source="post: 575" data-attributes="member: 22"><p>Note for Windows: Please note that on Windows you may run into problems when starting many logging processes, especially when HTTPD is running as a service. This is caused by the lack of desktop heap space. The desktop heap space provided by each service is specified by the third argument of the SharedSection parameter in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\SubSystems\Windows registry value. Change this value with care; the usual caveats for modifying the Windows registry apply, but you can also deplete the desktop heap space if the number is set too high.</p><p></p><p><strong>Virtual Hosts</strong></p><p>When starting a server with many virtual hosts, there are several options for handling the log files. First, it is possible to use logs in the same way as on a single-host server. By simply placing the logging directives outside of the &lt;VirtualHost&gt; sections in the main server context, you can log all requests in a single access log and error log. This method does not make it easy to collect statistics on individual virtual hosts.</p><p></p><p>If a CustomLog or ErrorLog directive is placed in the &lt;VirtualHost&gt; section, all requests or errors for that virtual host will only be written to the specified file. Any virtual host that does not have logging directives will still send its requests to the core server logs. This method is very useful for a small number of virtual hosts, but if the number of hosts is very large, it can be difficult to manage. In addition, it can often create problems with insufficient file descriptors.</p><p></p><p>There is a very good compromise for the access log. By adding virtual host information to the log format string, you can log all hosts to a single log and then split the log into separate files. 
For example, consider the following directives.</p><p></p><p>Code:</p><p>LogFormat "%v %l %u %t \"%r\" %>s %b" comonvhost</p><p>CustomLog "logs/access_log" comonvhost</p><p>%v is used to log the name of the virtual host that is serving the request. A program such as split-logfile can then be used to post-process the access log to split it into one file for each virtual host.</p><p></p><p><strong>Security questions</strong></p><p>Anyone who can write to the directory where Apache httpd writes the log file can almost certainly access the uid the server is running from, which is usually the root user. DO NOT give people write access to the directory where the logs are stored without knowing the consequences.</p><p></p><p>In addition, the log files can contain information provided directly by the customer, without escaping. Therefore, malicious clients can insert control characters into log files, so care must be taken when handling raw logs.</p><p></p><p><strong>ServerRoot Directories Permissions</strong></p><p>In normal operation, Apache is started by the root user and switches to the user specified in the User directive to serve calls. As with any command executed by the root user, you must ensure that it is protected from being changed by non-root users. Not only the files themselves should be writable only by root, but also the directories and the parents of all directories. For example, if you decide to put ServerRoot in /usr/local/apache, then it is recommended to create this directory as root using the following commands:</p><p>Code:</p><p>mkdir /usr/local/apache</p><p>cd /usr/local/apache</p><p>mkdir bin conf logs</p><p>chown 0 . bin conf logs</p><p>chgrp 0 . bin conf logs</p><p>chmod 755 . bin conf logs</p><p></p><p>It is assumed that <strong>/</strong>, <strong>/usr</strong>, and <strong>/usr/local</strong> can only be modified by the root user. 
When installing the httpd executable, you must ensure that it is protected in the same way:</p><p>Code:</p><p>cp httpd /usr/local/apache/bin</p><p>chown 0 /usr/local/apache/bin/httpd</p><p>chgrp 0 /usr/local/apache/bin/httpd</p><p>chmod 511 /usr/local/apache/bin/httpd</p><p></p><p>You can create an htdocs subdirectory that can be modified by other users - since root never executes any files from there and should not create files there.</p><p></p><p>If you allow non-root users to modify any files that root is executing or writing, then you open up your system to compromise root. For example, someone might replace the httpd binary so that the next time it runs, it will execute arbitrary code. If the log directory is writable (by a non-root user), someone can replace the log file with a symbolic link to some other system file, and then root can overwrite that file with arbitrary data. If the log files themselves are writable (by a non-root user), then someone could overwrite the log itself with fake data.</p><p></p><p><strong>Format of error logs. Module event log.</strong></p><p><strong>Table of contents</strong></p><p>1. Types and modules of magazines. Apache access log format</p><p>2. Format of error logs. Module event log</p><p>2.1 Apache error logs</p><p>2.2 ErrorLog directive</p><p>2.3 ErrorLogFormat directive</p><p>2.4 LogLevel directive</p><p>2.5 LogLevelOverride directive</p><p>2.6 Module event log</p><p>3. Programs for analyzing Apache logs</p><p>4. Forensic logs</p><p>5. Additional configurable debug logs. CGI script execution logs</p><p></p><p><strong>Apache error logs</strong></p><p>The server error log, whose name and location is specified by the ErrorLog directive, is the most important log file. This is where Apache httpd will send diagnostic information and record any errors it encounters while processing requests. 
This is the first place to look when a server startup or server problem occurs, as it often contains details about what went wrong and how to fix it.</p><p></p><p>The error log is usually written to a file (usually <strong>error_log</strong> on Unix systems and <strong>error.log</strong> on Windows and OS/2). On Unix systems it is also possible for the server to send errors to the syslog or to pipe them to a program.</p><p></p><p>The error log format is determined by the ErrorLogFormat directive, with which you can customize what values are written to the log. If you do not specify it, then the default value is used. A typical log message is as follows:</p><p></p><p>[Sun Aug 18 12:43:09.867536 2019] [authz_core:error] [pid 30395] [client 144.76.28.10:42847] AH01630: client denied by server configuration: /srv/http/suip/ru/, referer: https://suip.biz/?act=proxy2</p><p>The first item in the log entry is the date and time of the message. Next is the module that generates the message (in this case authz_core) and the severity of that message. This is followed by the process ID and, if necessary, the thread ID of the process in which the condition occurred. Next, we have the address of the client who made the request (his IP address and the port number from which the connection was opened). And finally, a detailed error message that in this case the server refused the connection.</p><p></p><p></p><p>A very large number of different messages can appear in the error log. Most look similar to the example above. The error log will also contain debug information from CGI scripts. Any information written to stderr by the CGI script will be copied directly to the error log.</p><p></p><p>If you put the <strong>%L</strong> token in the error log and access log, a log record ID will be generated that you can use to map the error log entry to the access log entry. 
If <strong>mod_unique_id</strong> is loaded, its unique request ID will also be used as the log entry ID.</p><p></p><p>During testing, it is often helpful to constantly monitor the error log for problems. On Unix systems, you can do this using a command like:</p><p>Code:</p><p>tail -f /path/to/log/errors</p><p></p><p>For example:</p><p>Code:</p><p>tail -f /var/log/httpd/error_log</p><p><strong>ErrorLog directive</strong></p><p>Description: Sets the location where the server will log errors.</p><p></p><p>Syntax:</p><p>Code:</p><p>ErrorLog path-to-file|syslog[:[facility][:tag]]</p><p></p><p>Default value:</p><p>Code:</p><p>ErrorLog logs/error_log # (Unix)</p><p>ErrorLog logs/error.log # (Windows and OS/2)</p><p>Context: server config, virtual hosts.</p><p></p><p>The <strong>ErrorLog</strong> directive sets the name of the file into which the server will log any errors it encounters. If the file path is not absolute, it is assumed to be relative to ServerRoot.</p><p></p><p>Code:</p><p>ErrorLog "/var/log/httpd/error_log"</p><p>If path-to-file begins with a pipe "|" then this is assumed to be the command to invoke the error log.</p><p></p><p>ErrorLog "|/usr/local/bin/httpd_errors"</p><p>See the Conveyor section for details.</p></blockquote><p></p>
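The ownership rule from the "ServerRoot Directories Permissions" section, written as an audit: an added example, not part of the quoted post or of Apache httpd. It checks a log file and every parent directory for symbolic links, foreign owners and group/other write bits; the function names, the `trusted_uid` and `stop_at` parameters and the temporary directory tree are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def audit_chain(path, trusted_uid=0, stop_at="/"):
    """Check `path` and each parent up to `stop_at`; return (path, reason) findings."""
    findings = []
    current = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    while True:
        st = os.lstat(current)  # lstat: inspect the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "is a symbolic link"))
        else:
            if st.st_uid != trusted_uid:
                findings.append((current, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((current, "writable by group or others"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


def demo():
    """Build a constructed ServerRoot-like tree and audit it before and after tampering."""
    me = os.getuid()  # stands in for root (uid 0) so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as root:
        apache = os.path.join(root, "apache")
        logs = os.path.join(apache, "logs")
        os.makedirs(logs)
        for d in (root, apache, logs):
            os.chmod(d, 0o755)
        log = os.path.join(logs, "error_log")
        open(log, "w").close()
        os.chmod(log, 0o644)
        clean = audit_chain(log, trusted_uid=me, stop_at=root)

        # The two conditions the section describes: a writable log directory
        # and a log file replaced by a symbolic link.
        os.chmod(logs, 0o775)
        os.remove(log)
        os.symlink(os.path.join(root, "elsewhere"), log)
        tampered = audit_chain(log, trusted_uid=me, stop_at=root)
        return clean, [reason for _, reason in tampered]


if __name__ == "__main__":
    print(demo())
```

On a real server the call would be `audit_chain("/usr/local/apache/logs/error_log")` with the defaults, which require uid 0 all the way up to `/`.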
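A sketch of the post-processing step described under "Virtual Hosts", combined with the raw-log caution from "Security questions". It is an added example, not split-logfile itself and not code from the quoted post. It splits lines in the `comonvhost` format by their `%v` field, refuses to turn an implausible host name into a file name, and rewrites control characters as visible hex escapes; the sample lines, the host names and the `_invalid` bucket are constructed for the demonstration.

```python
import os
import re
from collections import defaultdict

# Constructed sample lines in the page's format: %v %l %u %t "%r" %>s %b
SAMPLE = [
    'www.example.com - - [18/Aug/2019:12:43:09 +0000] "GET / HTTP/1.1" 200 512',
    'shop.example.com - alice [18/Aug/2019:12:43:10 +0000] "GET /cart HTTP/1.1" 200 2048',
    # First field is not a host name; it must never become a file name.
    '../outside - - [18/Aug/2019:12:43:11 +0000] "GET / HTTP/1.1" 400 0',
    # Request line carrying terminal escape sequences (ESC bytes).
    'www.example.com - - [18/Aug/2019:12:43:12 +0000] "GET /\x1b[2J\x1b[31mok HTTP/1.1" 404 0',
]

VHOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?")


def safe_vhost(name):
    """Return a lower-cased host name usable as a file name, else '_invalid'."""
    name = name.lower()
    if VHOST_RE.fullmatch(name) and ".." not in name:
        return name
    return "_invalid"


def neutralize(text):
    """Make control and other non-printable characters visible as hex escapes."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)


def split_by_vhost(lines):
    """Group log lines by their %v field; stored lines are neutralized."""
    buckets = defaultdict(list)
    for raw in lines:
        vhost, _, rest = raw.rstrip("\n").partition(" ")
        buckets[safe_vhost(vhost)].append(neutralize(rest))
    return dict(buckets)


def write_buckets(buckets, outdir):
    """Append each bucket to <outdir>/<vhost>.log and return the sorted paths."""
    paths = []
    for vhost, lines in buckets.items():
        path = os.path.join(outdir, vhost + ".log")
        with open(path, "a", encoding="utf-8") as fh:
            fh.writelines(line + "\n" for line in lines)
        paths.append(path)
    return sorted(paths)


if __name__ == "__main__":
    for vhost, lines in split_by_vhost(SAMPLE).items():
        print(vhost, lines)
```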