[NBLUG/talk] How to read logwatch & httpd access_log

Ron Wickersham rjw at alembic.com
Sun Jan 23 19:52:00 PST 2005


On Sun, 23 Jan 2005, Augie Schwer wrote:

> On Thu, 13 Jan 2005 08:27:57 -0800, Dave Sisley <dsisley at sonic.net> wrote:
> >
> > Connection attempts using mod_proxy:
> >    82.96.96.3 -> 82.96.96.3:802 : 8 Time(s)
> > I've been ignoring this since my httpd server isn't running
> > mod_proxy. Hmmm. Or at least I don't think so.  I see this in my
> > httpd.conf file:
> > LoadModule proxy_module modules/mod_proxy.so
> > LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> > LoadModule proxy_http_module modules/mod_proxy_http.so
> > LoadModule proxy_connect_module modules/mod_proxy_connect.so
> > So my first assumption is that mod_proxy is NOT running on my server.
>
> Well, you are loading the code into Apache even if it is not configured
> to use it. If you really don't want it, then you might as well just comment
> the above lines out.
>
> > My real question (finally!) has to do with my access_logs, which
> > logwatch parses to make its report.  I saw in google that successful
> > CONNECTs (200) might indicate trouble.  I see plenty of connects from
> > 82.96.96.3, which I think is okay, but I see a couple like this that
> > make me nervous:
> > access_log:81.219.11.226 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12551 "-" "-"
> > access_log.1:216.102.227.194 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12550 "-" "-"
> > access_log.3:216.240.146.76 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12596 "-" "-"
>
> It looks like your box is being tested to see if it is an open proxy. A little

---snip---

However, reading the log entry, your box is being asked for a CONNECT and
it says 200 (which is the same as saying "ok, here it is"), and then in the
first instance sends back 12551 bytes to the requestor's browser,
12550 bytes in the second instance and 12596 bytes in the third.

So apparently you're actually delivering the requested material.  Otherwise
you'd see the same request coming in but send back an error message and
not a 200 header type.

-ron

--
/~\  The ASCII Ribbon Campaign
\ /    No HTML/RTF in email
 X     No Word docs in email
/ \  Respect for open standards
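As an added illustration (not code from the thread), here is a small Python parser that picks out the CONNECT requests Ron describes, the ones answered 200 with bytes sent back, from access_log lines, using the three lines quoted above as sample input. It assumes Apache's common/combined log format with the optional `access_log.N:` prefix that grep adds when searching rotated files; the 405 line is constructed to show what a refused CONNECT looks like.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# One Apache common/combined log line, optionally prefixed with the
# "access_log.N:" tag that grep prints when searching rotated files.
LOG_RE = re.compile(
    r'^(?:(?P<file>access_log[\w.]*):)?'
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

class Entry(NamedTuple):
    source: str
    client: str
    timestamp: str
    method: str
    target: str
    status: int
    size: int

def parse_line(line: str) -> Optional[Entry]:
    """Parse one access_log line; None if it is not in this format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    size = m.group('size')
    return Entry(m.group('file') or 'access_log', m.group('client'),
                 m.group('ts'), m.group('method'), m.group('target'),
                 int(m.group('status')), 0 if size == '-' else int(size))

def served_connects(lines: Iterable[str]) -> List[Entry]:
    """CONNECTs answered 200: the server relayed the tunnel and returned
    bytes, i.e. it acted as an open proxy. A CONNECT with an error status
    is a probe the server refused and is not reported."""
    return [e for e in map(parse_line, lines)
            if e is not None and e.method == 'CONNECT' and e.status == 200]

# Sample input: the three lines quoted in the thread plus one constructed
# line (192.0.2.10, a documentation address) showing a refused CONNECT.
SAMPLE = [
    'access_log:81.219.11.226 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12551 "-" "-"',
    'access_log.1:216.102.227.194 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12550 "-" "-"',
    'access_log.3:216.240.146.76 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12596 "-" "-"',
    'access_log:192.0.2.10 - - [10/Jan/2005:03:12:44 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 293 "-" "-"',
]
if __name__ == '__main__':
    for e in served_connects(SAMPLE):
        print(f'{e.source}: {e.client} tunnelled to {e.target}, {e.size} bytes sent back')
```

Running it over a real log (for example `served_connects(open('/var/log/httpd/access_log'))`) lists every client the server actually proxied for, which is the set Ron's reading of the 200 lines points at.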