Aug 12, 2011
tom

Apache logging to different files by response code

Question

I have an apache web server which is configured to allow access via client certificate to only a few people. I cannot lock down by IP because the certificate holders could potentially connect from anywhere.

Apache currently returns 403 to anyone not presenting a valid certificate or trying to access an invalid URL, but since the machine has no ACL restrictions it is frequently scanned for vulnerabilities. These scans cause quite a lot of noise in the logs.

Is there a way to log to a different file based on the response code? Is it possible to send all logging for requests which result in a 403 to a different file?

Answer

You can get Apache to pipe the custom log to a script. So for example, change the CustomLog entry in the vhost to:

CustomLog "|/path/to/script" combined

Then you can have a script that does something like:

#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;

# Open both logs once, in append mode, and autoflush so each line lands immediately.
open(my $log403,  '>>', '/path/to/403log')  or die "403log: $!";
open(my $mainlog, '>>', '/path/to/mainlog') or die "mainlog: $!";
$log403->autoflush(1);
$mainlog->autoflush(1);

while (my $log = <STDIN>) {
    # Match the status field that follows the quoted request line, rather than
    # "403" anywhere in the line (it could be in the path or the byte count).
    if ($log =~ /^\S+ \S+ \S+ \[[^\]]*\] "(?:[^"\\]|\\.)*" 403 /) {
        print $log403 $log;
    } else {
        print $mainlog $log;
    }
}

The above script is untested, but it should give you an idea of what you can do.
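The same piped-logger idea, written out as an added example rather than code from the answer above: it parses the status field of a Common/Combined Log Format line instead of grepping for "403" anywhere, opens both files once, and keeps the routing logic in functions that can be tested on constructed sample lines. The script path and log paths in the CustomLog line are assumptions.

```python
#!/usr/bin/env python3
"""Piped logger for Apache: route access-log lines to a file chosen by HTTP status.

Assumed vhost configuration (paths are illustrative):
    CustomLog "|/usr/local/sbin/splitlog.py /var/log/apache2/main.log /var/log/apache2/403.log" combined
Apache starts the program once and writes one formatted line per request to its stdin.
"""
import re
import sys

# Common / Combined Log Format: the status code is the first field after the
# quoted request line (in which Apache backslash-escapes any embedded quote).
# Anchoring on that field avoids mis-routing lines where "403" merely appears
# in the request path or in the byte count.
STATUS_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]*\] "(?:[^"\\]|\\.)*" (\d{3}) ')


def status_of(line):
    """Return the HTTP status of a CLF/combined line as an int, or None if the
    line does not parse (malformed lines stay in the main log)."""
    m = STATUS_RE.match(line)
    return int(m.group(1)) if m else None


def route(line, divert=(403,)):
    """Return "divert" for lines whose status is in `divert`, otherwise "main"."""
    return "divert" if status_of(line) in divert else "main"


def split(lines, divert=(403,)):
    """Partition an iterable of log lines into (main_lines, diverted_lines)."""
    main_lines, diverted = [], []
    for line in lines:
        (diverted if route(line, divert) == "divert" else main_lines).append(line)
    return main_lines, diverted


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: splitlog.py MAINLOG DIVERTLOG\n")
        return 2
    # Open each file once, in append mode, line-buffered so lines land promptly.
    # On a graceful restart Apache closes our stdin; the loop ends and we exit.
    with open(argv[1], "a", buffering=1) as mainlog, \
            open(argv[2], "a", buffering=1) as divertlog:
        for line in sys.stdin:
            (divertlog if route(line) == "divert" else mainlog).write(line)
    return 0


# Constructed sample lines in combined format (not from a real server): a
# scanner hit, a legitimate request whose byte count is 403, a scanner probe
# for "/403.php" that gets a 404, a request line with an escaped quote, and junk.
SAMPLE = [
    '10.0.0.5 - - [12/Aug/2011:10:00:01 +0000] "GET / HTTP/1.1" 403 199 "-" "Nikto/2.1.4"\n',
    '10.0.0.7 - alice [12/Aug/2011:10:00:02 +0000] "GET /report HTTP/1.1" 200 403 "-" "Mozilla/5.0"\n',
    '10.0.0.5 - - [12/Aug/2011:10:00:03 +0000] "GET /403.php HTTP/1.1" 404 210 "-" "Nikto/2.1.4"\n',
    '10.0.0.5 - - [12/Aug/2011:10:00:04 +0000] "GET /\\"x HTTP/1.1" 403 199 "-" "-"\n',
    'garbage line that does not parse\n',
]

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two practical points. A piped log program is started by the parent httpd process, so it runs with that process's privileges (normally root) and reads input it did not choose; keep it this small and parse defensively. And if the server is Apache 2.4 or later, the script is optional: CustomLog accepts a third `expr=` argument, so a `%{REQUEST_STATUS}` test can send 403 lines to one CustomLog and everything else to another with no external program at all.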
