Re: is this a valid apache log format, if not, what can I do to fix it?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Feb 13, 2008 at 11:31 PM, Scott Haneda <talklists@xxxxxxxxxx> wrote:

>  pokey.example.com 59.92.230.64 - - [22/Jan/2008:08:14:19 -0800] "GET /
>  \" + gaJsHost + \"google-analytics.com/ga.js HTTP/1.1" 400 376 "-" "-"


>  These show up as errors in my stats software, (summary.net)
>  The developer stated the following:
>  Something strange is going on. Spaces are flat out illegal in
>  requests, yet that request has spaces in it, in addition to the double
>  quotes. Apache is inconsistant in it's logging of requests with
>  invalid characters in them. It is possible to work around the double
>  quote problem, but it is impossible to work around the spaces without
>  adding a log fixing process with some other tool between Apache and
>  Summary.

Well, yes, spaces are illegal, which is why apache returned a 400
error on those requests. The log is simply reporting the request line
as received by the client (with quote-escaping).

In my view, the parsing rules are relatively clear. Fields in the logs
(in common log format and its derivatives) are space or double-quote
separated, depending on whether the field itself could contain a
space. Where double-quotes are contained in a quoted field, they are
escaped with a back-slash.

A log parser then needs to understand the quote-escaping in order to
extract the fields. If your log-parser doesn't understand that, it
won't work.

The other problem here is that, within the request line field, the
parser is probably having a hard time differentiating between the URI
and the protocol string. But that is to be expected, since this is a
bad request. There is no way for either the server or the log parser
to correctly parse it. How a stats program wants to handle requests
like that is a judgment call.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux