Avoid logging overlong Apache requests

Posted by Steve on Sun 10 Apr 2005 at 23:17

If you have an Apache webserver exposed to the internet you will probably find that it logs requests from worms which attempt to attack webservers. These requests are usually very long, and can take up large amounts of space in logfiles.

Removing these overly long requests, which aren't handled by Apache anyway, from the logfiles is a good way to make your files more readable.

The standard Debian Apache configuration file contains the following snippets:

LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

These define shortcuts to specific logfile formats, so you can create a logfile of "common" format by using:

CustomLog /var/log/apache/access.log common

This saves you from having to define exactly which information you wish to include; instead you refer to the "common" format defined via the LogFormat directives.

The LogFormat defines several place-holder settings which you can use such as:

%a:      Remote IP-address
%A:      Local IP-address
%B:      Bytes sent, excluding HTTP headers.
%f:      Filename
%h:      Remote host
%H:      The request protocol
%m:      The request method
%q:      The query string (prepended with a ? if a query string exists,
         otherwise an empty string)
%s:      Status.  For requests that got internally redirected, this is
         the status of the *original* request --- %...>s for the last.
%t:      Time, in common log format time format (standard english format)
%T:      The time taken to serve the request, in seconds.
%u:      Remote user (from auth; may be bogus if return status (%s) is 401)
%U:      The URL path requested, not including any query string.

What might not be obvious is that you can modify the way these codes are used, by adding conditionals to them.

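Modifiers work with the server's response code, e.g. 404 == Not found, and 500 == Server Error.

To include a field only if the server gave a particular status code, put the code between the "%" and the field letter (here "code" stands for the status code and "f" for the field):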

%codef

For example, if you wish to see how many seconds it took to handle requests which resulted in a server error (500) you could use:

%500T

(You can also invert the conditional by the use of the "!" symbol).

To return to the original subject, the 414 error is "request too long", so we can use an inverted conditional on that status code to log the request line only if the request didn't result in a "request too long" error:

%!414r

If we change the "common" format from the snippets above we end up with:

LogFormat "%h %l %u %t \"%!414r\" %>s %b" common
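
The status field is still written for these requests, so the worm traffic remains countable after the change. The following is an added example, not part of the original article: a Python sketch that tallies suppressed 414 requests per client from a log in the modified "common" format. It assumes Apache writes "-" for a conditional field whose condition is not met; the log lines and the function name summarise are constructed for illustration.

```python
import re
from collections import Counter

# One line as written by: LogFormat "%h %l %u %t \"%!414r\" %>s %b" common
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2005:23:01:12 +0100] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [10/Apr/2005:23:02:40 +0100] "-" 414 339
198.51.100.7 - - [10/Apr/2005:23:02:41 +0100] "-" 414 339
203.0.113.5 - - [10/Apr/2005:23:03:05 +0100] "GET /missing HTTP/1.0" 404 278
203.0.113.9 - - [10/Apr/2005:23:04:00 +0100] "-" 414 339
"""


def summarise(log_text):
    """Return (suppressed_by_host, unparsed_lines, inconsistent_lines)."""
    suppressed = Counter()
    unparsed, inconsistent = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            # Keep lines we cannot parse so they can be reviewed by hand.
            unparsed.append(line)
            continue
        is_414 = m.group("status") == "414"
        blanked = m.group("request") == "-"
        if is_414 and blanked:
            suppressed[m.group("host")] += 1
        elif is_414:
            # A 414 that still carries its request line: the old
            # format is probably still in use for this logfile.
            inconsistent.append(line)
    return suppressed, unparsed, inconsistent


if __name__ == "__main__":
    by_host, bad, odd = summarise(SAMPLE_LOG)
    for host, count in by_host.most_common():
        print(f"{host}: {count} overlong request(s) suppressed")
    print(f"{len(bad)} unparsed, {len(odd)} 414 line(s) still carrying the request")
```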