Bug#693292: apache2.2-bin: False positives with mod_log_forensic and check_forensic
On Thursday 15 November 2012, Reinhard Brunzema wrote:
> Since update 2.2.16-6+squeeze8 check_forensic reports much more
> failed requests than before. Most of them are false positives. I
> think, this is caused by mod_log_forensic, throwing in some
> additional '-' from time to time.
>
> For instance:
> Check_forensic reports:
>
> #check_forensic /var/log/apache2/forensic.log
> +20773:50a49a18:8063|GET RequestDetailsRemoved
> [...]
>
> If I check this with grep I get:
> #grep '20773:50a49a18:8063' /var/log/apache2/forensic.log
> +20773:50a49a18:8063|GET RequestDetailsRemoved
> --20773:50a49a18:8063

This seems to be a bug in mod_forensic. If a request gets rejected
before mod_log_forensic had a chance to attach an id to the request
and log the "+" line, mod_log_forensic will still log a single "-"
without a new line when the request is logged to the access log.

I guess that the change

  * Send 408 status instead of 400 if reading of a request fails with
    a timeout. This allows browsers to retry. Closes: #677086

in 2.2.16-6+squeeze8 will now call the logging code for some requests,
where earlier versions did nothing and just silently closed the
connection. Maybe if the request line has already been read, but
reading of the request timed out before all headers have been read
(that's an unverified guess).

If you replace all "--" at a line start with a single "-", do the
results of check_forensic look like what happened with previous
versions?

Cheers,
Stefan
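
The normalization suggested above, as an added example that is not part of the original message or of Apache's check_forensic script: it lists ids with a "+" line but no matching "-" line, before and after collapsing a leading "--" into "-". The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of check_forensic or mod_log_forensic.

# Print ids that have a "+" (request start) line but no "-" (request end)
# line. Reads forensic log lines on stdin.
unfinished_ids() {
    awk '
        /^\+/ {
            # The id runs from after the "+" up to the first "|".
            i = index($0, "|")
            id = (i ? substr($0, 2, i - 2) : substr($0, 2))
            pending[id] = 1
            next
        }
        /^-/  { delete pending[substr($0, 2)]; next }
        END   { for (id in pending) print id }
    ' | sort
}

# Same check, but first collapse a doubled leading "--" into "-",
# the normalization proposed in the message above.
unfinished_ids_normalized() {
    sed 's/^--/-/' | unfinished_ids
}

# Constructed sample log (not real traffic): one completed request whose
# end marker picked up a stray "-", one request that never finished,
# and one clean request.
sample_log() {
    cat <<'EOF'
+20773:50a49a18:8063|GET /index.html HTTP/1.1|Host:example.test
--20773:50a49a18:8063
+20773:50a49a18:8064|GET /slow HTTP/1.1|Host:example.test
+20774:50a49a19:0001|GET /ok HTTP/1.1|Host:example.test
-20774:50a49a19:0001
EOF
}

echo "raw:";        sample_log | unfinished_ids
echo "normalized:"; sample_log | unfinished_ids_normalized
```

On a real log, feed the file on stdin, for example `unfinished_ids_normalized < /var/log/apache2/forensic.log`; ids that disappear between the raw and normalized output are the false positives described in the report.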