Hi All,

I am using Apache 2.2.22.

We are seeing some weird behavior in Apache access logs. I have the
following line in httpd.conf -

LogFormat "%h %l %i %t \"%r\" %>s %b" common

Now the log should look like - 64.39.111.58 - - [25/Mar/2012:11:08:48
-0400] "GET /abc.html HTTP/1.1" 200 251 (all looks good so far)

The problem - even though I can see such logs in 90% of the cases,
there are lots of entries similar to -

*/* - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
*/200 - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251

Note that the first field...

I have set HostnameLookups Off in my config.
Can anyone tell what could be the reason for such entries or at least
what such entries mean?

Thanks!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


  • Tom Evans at Apr 25, 2012 at 4:15 pm

    On Wed, Apr 25, 2012 at 4:54 PM, Ishita Kapadiya wrote:
    > Hi All,
    >
    > I am using Apache 2.2.22.
    >
    > We are seeing some weird behavior in Apache access logs. I have the
    > following line in httpd.conf -
    >
    > LogFormat "%h %l %i %t \"%r\" %>s %b" common
    >
    > Now the log should look like - 64.39.111.58 - - [25/Mar/2012:11:08:48
    > -0400] "GET /abc.html HTTP/1.1" 200 251 (all looks good so far)
    >
    > The problem - even though I can see such logs in 90% of the cases,
    > there are lots of entries similar to -
    >
    > */* - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
    > */200 - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
    >
    > Note that the first field...
    >
    > I have set HostnameLookups Off in my config.
    > Can anyone tell what could be the reason for such entries or at least
    > what such entries mean?
    >
    > Thanks!

    Are you sure this is the format being applied? LogFormat simply
    defines a format, it doesn't necessarily need to be used.

    Another possibility is that you have two CustomLog directives pointing
    at the same file but with different formats.

    I also don't understand why you are using %h (remote host) with host
    lookups turned off. If you want the remote IP address, why not use %a
    (remote IP address)?

    BTW, your use of %i is meaningless. %i is used to extract a header;
    you never specify a header name, e.g. '%{FOOBAR}i'. %i by itself will
    always result in a '-'.

    Cheers

    Tom

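
The checks suggested in the reply above (a LogFormat that is defined but never applied, two CustomLog directives writing one file with different formats, and %i without a header name) can be run mechanically over a configuration file. The Python below is an added example, not code from the thread or from the Apache project; the `audit` function, its finding labels and the sample configuration are constructed for illustration, and it assumes a single file with no Include directives or per-VirtualHost scoping.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample configuration (not the poster's real httpd.conf).
SAMPLE_CONF = r'''
LogFormat "%h %l %i %t \"%r\" %>s %b" common
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{User-Agent}i\"" withagent
LogFormat "%{Referer}i -> %U" referer
CustomLog "logs/access_log" common
CustomLog logs/access_log withagent
'''

BARE_I = re.compile(r"%[!,\d<>]*i")  # %i with no {Header-Name} argument

def audit(conf_text):
    """Return (finding, subject) tuples for the issues raised in the reply."""
    formats, custom_logs = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)  # splits quoted arguments, keeps \" inside
        except ValueError:
            continue  # line does not tokenize (unbalanced quotes); skip it
        name = words[0].lower()  # directive names are case-insensitive
        if name == "logformat" and len(words) >= 3:
            formats[words[2]] = words[1]
        elif name == "customlog" and len(words) >= 3:
            custom_logs.append((words[1], words[2]))

    findings, per_file, used = [], defaultdict(set), set()
    for path, fmt in custom_logs:
        if fmt in formats:  # third argument is a nickname, not a literal format
            used.add(fmt)
            fmt = formats[fmt]
        per_file[path].add(fmt)
    for path, fmts in per_file.items():
        if len(fmts) > 1:
            findings.append(("mixed-formats", path))
    for nick, fmt in formats.items():
        if BARE_I.search(fmt):
            findings.append(("bare-%i", nick))
        if nick not in used:
            findings.append(("unused-logformat", nick))
    return findings

print(audit(SAMPLE_CONF))
```
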
  • Ishita Kapadiya at Apr 25, 2012 at 6:46 pm
    Thanks Tom. I can see the opportunity to use %a instead of %h in the log
    format. However, we have been using the same (%h) for a long time with
    HostnameLookups Off but had never seen such entries in access logs
    (*/* instead of IP).

    Also, I am using the 'common' log format for the access log. Please find below
    the config from my server -

    LogFormat "%h %l %{foo}i %t \"%r\" %>s %b" common
    CustomLog "logs/access_log" common

    Please let me know if you have any idea about those entries in logs.

    Thanks
  • Ishita Kapadiya at May 22, 2012 at 5:50 pm
    Hi All,

    Can someone please provide any insight on the problem? Looks like I am
    getting so many different patterns in the IP field in the SSL access logs -

    -c=,\vJ\xf3\xa6\xe1=N)f\xbe\xa8; - - [15/Apr/2012:10:28:36 -0400] "GET xxx HTTP/1.1" 304 -
    -Alive - - [15/Apr/2012:20:18:48 -0400] "GET xxx HTTP/1.1" 200 1223
    -:\xe0pXPCj\xd6\xdf,\xcd\xd3\x01>\b - user [17/Apr/2012:16:17:58 -0400] "GET xxx HTTP/1.1" 304 -
    -Alive - 501358569 [18/Apr/2012:13:21:51 -0400] "GET xxx HTTP/1.1" 200 94991
    -127e-4f8f0b1f-001c-2dec3d85 - user [18/Apr/2012:14:42:39 -0400] "GET xxx HTTP/1.1" 304 -

    See the first column. I am not sure what's causing such entries to
    be present in the logs. Also, such entries are present only in the SSL access log
    and not in the port 80 access logs (this instance is listening on both
    port 80 & 443).
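
To measure how often the client field is affected, each access-log line can be parsed and its first field tested as an IP address, which is what the poster expects from %h with HostnameLookups Off. This Python is an added example, not code from the thread; the `triage` function and its category names are assumptions, and the sample lines are copied from the posts above with wrapped lines rejoined.

```python
import ipaddress
import re
from collections import Counter

# Lines copied from the thread; only the first has a valid client address.
SAMPLE_LOG = r'''64.39.111.58 - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
*/* - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
*/200 - - [25/Mar/2012:11:08:48 -0400] "GET /abc.html HTTP/1.1" 200 251
-Alive - 501358569 [18/Apr/2012:13:21:51 -0400] "GET xxx HTTP/1.1" 200 94991
-:\xe0pXPCj\xd6\xdf,\xcd\xd3\x01>\b - user [17/Apr/2012:16:17:58 -0400] "GET xxx HTTP/1.1" 304 -
'''

# Anchor on the [timestamp] and the quoted request instead of splitting on
# spaces, because a damaged first field may contain arbitrary characters.
# "hdr" is the third field, which the poster's format fills from %i / %{foo}i.
LINE = re.compile(
    r'^(?P<host>.*?) (?P<ident>\S+) (?P<hdr>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def triage(log_text):
    """Return (bad, counts): lines whose client field is not an IP address."""
    bad, counts = [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            counts["unparsed"] += 1
            bad.append((lineno, None, "unparsed"))
            continue
        host = m["host"]
        try:
            ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
            counts["ok"] += 1
        except ValueError:
            # httpd writes non-printable bytes as \xhh escapes in the log
            kind = "escaped-bytes" if "\\x" in host else "non-ip-text"
            counts[kind] += 1
            bad.append((lineno, host, kind))
    return bad, counts

bad, counts = triage(SAMPLE_LOG)
for lineno, host, kind in bad:
    print(f"line {lineno}: {kind}: {host!r}")
print(dict(counts))
```

%h can also log a hostname for clients named in access control directives, so a hostname in this field would be counted here as `non-ip-text` without being damaged. Lines without a usable client address matter beyond cosmetics, because IP-based alerting and incident attribution built on the access log cannot use them.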
