Cyber Security Group

Enhancing Apache Logging For Improved Forensic Capability Part I: Examining Default Apache Logging

Created: 04 Aug 2014 • Updated: 04 Aug 2014
By Vince Kornacki


Like an unsightly beer belly, default Apache logging functionality leaves a little something to be desired, especially with regard to forensic capability. So let's pump up the default Apache logging functionality and carve out a forensic six pack! For this blog post we'll be working with Apache 2.4 running on Debian Linux:

root@debian $ apache2 -v
Server version: Apache/2.4.9 (Debian)
Server built:   Jun  8 2014 10:01:34

The default Apache HTTP log format is defined within the /etc/apache2/sites-available/000-default.conf configuration file (which is symbolically linked from /etc/apache2/sites-enabled/000-default.conf), and the default Apache SSL log format is defined within the /etc/apache2/sites-available/default-ssl.conf configuration file (which is symbolically linked from /etc/apache2/sites-enabled/default-ssl.conf when SSL is enabled). The mod_log_config "CustomLog" directive is used to define the log format, which is identical for both HTTP and SSL:

CustomLog ${APACHE_LOG_DIR}/access.log combined

In this case Apache logs will be stored in the ${APACHE_LOG_DIR}/access.log logfile using the "combined" log format. The mod_log_config "LogFormat" directive is used to define the combined log format within the /etc/apache2/apache2.conf configuration file:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

The combined log format includes all of the information specified by the Common Log Format plus the "Referer" and "User-Agent" headers. Note that the "Referer" header is deliberately misspelled due to a spelling mistake within RFC 1945. Apparently Microsoft Bob didn't include a spellchecker back in 1996. In any case, a sample Apache combined log format entry looks a little something like this:

10.1.1.1 - - [30/Jul/2014:10:45:59 -0500] "GET /example.html?foo=bar HTTP/1.1" 200 999 "http://192.168.1.1/from.html" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0" 

That looks like a whole lot of gibberish, so let's break down the combined log format step by step:

  • The %h directive logs the remote hostname. With the default setting of HostnameLookups Off this is the client IP address rather than a resolved name. In the example log entry this value is "10.1.1.1".

  • The %l directive logs the remote logname from the rarely deployed identd daemon. In the example log entry this value is "-", meaning that the identd daemon was not deployed.

  • The %u directive logs the remote user if the request is authenticated with HTTP Basic or Digest authentication. In the example log entry this value is "-", meaning that the remote user was not authenticated with HTTP Basic or Digest authentication.

  • The %t directive logs the time that the request was received. In the example log entry this value is "[30/Jul/2014:10:45:59 -0500]".

  • The %r directive logs the first line of the request. In the example log entry this value is "GET /example.html?foo=bar HTTP/1.1".

  • The %>s directive logs the status code of the request. The > character specifies to log the status code of the final request, after any internal redirects (for example an ErrorDocument handler) have been processed. In the example log entry this value is "200".

  • The %O directive logs the number of bytes sent, including HTTP headers (this directive is provided by mod_logio). In the example log entry this value is "999".

  • The %{Referer}i directive logs the "Referer" header sent by the client. Note that the value of the "Referer" header could be spoofed by the client. In the example log entry this value is "http://192.168.1.1/from.html".

  • The %{User-Agent}i directive logs the "User-Agent" header sent by the client. Note that the value of the "User-Agent" header could be spoofed by the client. In the example log entry this value is "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0".
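Pulling these fields out of a raw access log is the first step of any forensic review, so here is an added example (not code from the original post or from the Apache project) that turns the combined LogFormat string itself into a regular expression and parses log entries with it. It goes a little beyond the combined format: any %{Header-Name}i directive and a handful of other common mod_log_config directives (%a, %s, %b, %v, %p, %D) are understood, Apache's "-" placeholder is normalised to None, the escaped quotes that Apache writes inside quoted fields are decoded, and the %t value is parsed into a timezone-aware datetime. The field names (remote_host, final_status, hdr_referer and so on) are assumptions chosen for this example, and the sample log lines other than the one from the post are constructed.

```python
import re
from datetime import datetime

# The combined LogFormat exactly as it appears in apache2.conf (the \" are
# config-file escapes that Apache turns into plain quotes when reading the file).
COMBINED_FORMAT = r'%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"'

# mod_log_config directives this parser knows, mapped to (field name, regex).
# Field names are assumptions made for this example.
SIMPLE_DIRECTIVES = {
    "h":  ("remote_host",    r"\S+"),
    "a":  ("client_ip",      r"\S+"),
    "l":  ("remote_logname", r"\S+"),
    "u":  ("remote_user",    r"\S+"),
    "t":  ("time",           r"\[[^\]]+\]"),
    "s":  ("status",         r"\d{3}"),
    ">s": ("final_status",   r"\d{3}"),
    "O":  ("bytes_out",      r"\d+|-"),
    "b":  ("body_bytes",     r"\d+|-"),
    "v":  ("server_name",    r"\S+"),
    "p":  ("server_port",    r"\d+"),
    "D":  ("duration_us",    r"\d+"),
}
INT_FIELDS = {"status", "final_status", "bytes_out", "body_bytes", "server_port", "duration_us"}

# Apache backslash-escapes quotes, backslashes and control characters inside
# logged request lines and headers, so a quoted field is a run of
# "anything but a quote or backslash, or a backslash escape".
ESCAPED_STRING = r'(?:[^"\\]|\\.)*'

TOKEN_RE = re.compile(
    r"(?P<pct>%%)"
    r"|%(?P<mod>[<>])?(?P<arg>\{[^}]*\})?(?P<letter>[A-Za-z])"
    r"|(?P<literal>[^%]+)"
)
_ESC_RE = re.compile(r"\\(x[0-9a-fA-F]{2}|.)")
_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "b": "\b", "f": "\f"}


def _unescape(value):
    """Reverse Apache's escaping of quotes, backslashes and control characters."""
    def sub(m):
        esc = m.group(1)
        if len(esc) == 3 and esc[0] == "x":
            return chr(int(esc[1:], 16))
        return _SIMPLE_ESCAPES.get(esc, esc)
    return _ESC_RE.sub(sub, value)


def build_regex(log_format):
    """Translate a LogFormat string into an anchored regex with named groups."""
    fmt = log_format.replace('\\"', '"')  # mirror the config parser's handling of \"
    parts = []
    for m in TOKEN_RE.finditer(fmt):
        if m.group("literal") is not None:
            parts.append(re.escape(m.group("literal")))
        elif m.group("pct"):
            parts.append("%")
        else:
            letter, arg = m.group("letter"), m.group("arg")
            key = (m.group("mod") or "") + (arg or "") + letter
            if letter == "i" and arg:           # %{Header-Name}i: any request header
                name = "hdr_" + arg[1:-1].lower().replace("-", "_")
                parts.append(f"(?P<{name}>{ESCAPED_STRING})")
            elif letter == "r":                 # %r: first line of the request
                parts.append(f"(?P<request>{ESCAPED_STRING})")
            elif key in SIMPLE_DIRECTIVES:
                name, pattern = SIMPLE_DIRECTIVES[key]
                parts.append(f"(?P<{name}>{pattern})")
            else:
                raise ValueError(f"unsupported LogFormat directive %{key}")
    return re.compile("^" + "".join(parts) + "$")


def parse_line(regex, line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = regex.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = {}
    for name, value in m.groupdict().items():
        if name == "time":
            rec[name] = datetime.strptime(value, "[%d/%b/%Y:%H:%M:%S %z]")
        elif value == "-":
            rec[name] = None                  # Apache's "no value" marker
        elif name in INT_FIELDS:
            rec[name] = int(value)
        elif name == "request" or name.startswith("hdr_"):
            rec[name] = _unescape(value)
        else:
            rec[name] = value
    # Split %r into method, path and protocol only when it has the expected shape.
    if rec.get("request"):
        parts = rec["request"].split(" ")
        if len(parts) == 3:
            rec["method"], rec["path"], rec["protocol"] = parts
    return rec


def parse_lines(log_format, lines):
    """Parse many lines; unparseable lines are kept as None so gaps stay visible."""
    regex = build_regex(log_format)
    return [parse_line(regex, line) for line in lines]


# Constructed sample input: the entry from the post, a constructed entry with an
# authenticated user, an empty Referer and an escaped quote in the User-Agent,
# and one junk line that must not silently disappear.
SAMPLE_LINES = [
    '10.1.1.1 - - [30/Jul/2014:10:45:59 -0500] "GET /example.html?foo=bar HTTP/1.1" 200 999 '
    '"http://192.168.1.1/from.html" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"',
    r'192.0.2.7 - alice [30/Jul/2014:10:46:03 -0500] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.38.0 \"probe\""',
    "not an access log line",
]

if __name__ == "__main__":
    for rec in parse_lines(COMBINED_FORMAT, SAMPLE_LINES):
        print(rec)
```

Deriving the regex from the LogFormat string rather than hand-writing it means the same parser keeps working after the format is extended in the next installment: add a directive to the format, add its pattern to SIMPLE_DIRECTIVES, and the named groups follow. Lines that fail to match come back as None on purpose; during an investigation a parser that quietly drops lines is worse than one that flags them.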

The default Apache combined log format clearly provides loads of useful information, but surely we can take our logging game up a notch. In the next installment we'll implement an enhanced Apache log format in order to bolster forensic capability!
