
Bug#693292: apache2.2-bin: False positives with mod_log_forensic and check_forensic

On Thursday 15 November 2012, Reinhard Brunzema wrote:
> Since update 2.2.16-6+squeeze8 check_forensic reports much more
> failed requests than before. Most of them are false positives. I
> think, this is caused by mod_log_forensic, throwing in some
> additional '-' from time to time.
> For instance:
> Check_forensic reports:
> #check_forensic /var/log/apache2/forensic.log
> +20773:50a49a18:8063|GET RequestDetailsRemoved
> [...]
> If I check this with grep I get:
> #grep '20773:50a49a18:8063' /var/log/apache2/forensic.log
> +20773:50a49a18:8063|GET RequestDetailsRemoved
> --20773:50a49a18:8063

This seems to be a bug in mod_forensic. If a request gets rejected 
before mod_log_forensic had a chance to attach an id to the request 
and log the "+" line, mod_log_forensic will still log a single "-" 
without a new line when the request is logged to the access log.

I guess that the change

  * Send 408 status instead of 400 if reading of a request fails with
    a timeout. This allows browsers to retry. Closes: #677086

in 2.2.16-6+squeeze8 will now call the logging code for some requests, 
where earlier versions did nothing and just silently closed the 
connection. Maybe if the request line has already been read, but 
reading of the request timed out before all headers have been read 
(that's an unverified guess).

If you replace all "--" at a line start with a single "-", do the 
results of check_forensic look like what happened with previous 


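The pairing of "+" and "-" lines discussed in this thread, as an added example that is not part of the original messages and is not Apache's check_forensic: a small Python checker that skips stray leading "-" characters before the real marker, shown next to a strict reading that does not. Only the first two sample lines come from the report above; the others are constructed, and the rule that ids start with an alphanumeric is an assumption based on the sample id.

```python
import re

# Zero or more stray "-" characters, the real marker, the id, optional "|..." payload.
# Assumption: ids start with an alphanumeric, as in the sample id in the report.
LINE = re.compile(r"^(-*)([+-])([0-9A-Za-z][^|]*)(?:\|.*)?$")


def parse(line, tolerate_stray=True):
    """Return (marker, forensic_id, stray_count), or None if the line does not parse."""
    line = line.rstrip("\r\n")
    if tolerate_stray:
        m = LINE.match(line)
        return (m.group(2), m.group(3), len(m.group(1))) if m else None
    # Strict reading: first character is the marker, the rest up to "|" is the id.
    if line[:1] not in ("+", "-"):
        return None
    return line[0], line[1:].split("|", 1)[0], 0


def unfinished(lines, tolerate_stray=True):
    """Return (ids with a "+" line but no "-" line, number of stray dashes skipped)."""
    open_ids, stray = set(), 0
    for line in lines:
        parsed = parse(line, tolerate_stray)
        if parsed is None:
            continue
        marker, fid, extra = parsed
        stray += extra
        if marker == "+":
            open_ids.add(fid)
        else:
            open_ids.discard(fid)
    return sorted(open_ids), stray


# Constructed sample: the first two lines follow the report; the rest are invented.
SAMPLE = [
    "+20773:50a49a18:8063|GET RequestDetailsRemoved",
    "--20773:50a49a18:8063",            # stray "-" glued to a normal end line
    "+20774:50a49a19:0001|GET /index.html",
    "-20774:50a49a19:0001",
    "+20775:50a49a1a:0002|GET /slow",   # never completed
]

if __name__ == "__main__":
    print("strict  :", unfinished(SAMPLE, tolerate_stray=False))
    print("tolerant:", unfinished(SAMPLE))
```

The strict reading flags the first request as unfinished because its end line yields the id "-20773:50a49a18:8063"; the tolerant reading flags only the request that has no end line at all.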