AddThis Social Bookmark Button


Profiling LAMP Applications with Apache's Blackbox Logs
Pages: 1, 2, 3, 4

Client Source Port


Logging the client source TCP port can provide some useful network data and can help us associate a single client with multiple requests.

If two clients from the same IP address make simultaneous connections, the common log file format cannot distinguish between those clients. Otherwise, if the client uses keep-alives, then every hit made from a single TCP session will be associated by the same client port number.

The port information can indicate how many connections our server is handling at once, which may help in tuning server TCP/IP settings. It will also identify which client ports are legitimate requests if the administrator is examining a possible SYN-attack against a server.

This is the part where Apache doesn't really help you out. The only native way to record the source port is by using %{REMOTE_PORT}e, which grabs the value of the REMOTE_PORT environment variable, but environment variables only come into play when mod_cgi or mod_cgid is handling the request.

The only way to record the source port for every request is by modifying the source code of mod_log_config.c or by creating a custom logging module. In both cases, a new format directive could then record the source port of the client connection.

If you want to record the remote port, here's the source code modification for Apache 2.0. All of the changes are made in modules/loggers/mod_log_config.c in the source distribution.

Find the function definition for log_remote_address. Add the following function after it:

 * log_remote_port patch

static const char *log_remote_port(request_rec *r, char *a)
        apr_port_t rport;
        apr_sockaddr_port_get(&rport, r->connection->remote_addr);
        return apr_itoa(r->pool, rport);

In layman's terms, the function sets up a variable to hold the port number, which we obtain from a sockaddr_in structure, and then convert it into a string to return.

Next, find a function called log_pre_config at the end of the file. We need to insert two lines into that function to register the function we just wrote.

static int log_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp)
        log_pfn_register(p, "s", log_status, 1);
        /* log_remote_port patch */
        log_pfn_register(p, "S", log_remote_port, 0);
    return OK

Save the code changes, then recompile Apache.

What Not to Log

At this point there are 14 fields in our log file format, which is getting pretty close to the limits of readability. Before considering making the format bigger, let's consider what doesn't need to be logged.

A lot of data in the combined log file format is client supplied, which means our log analysis depends on a client being truthful. The HTTP username, ident username, HTTP referrer, and user agent strings all come from data sent from the client. For example, some robots pretend that they are really a web browser, so you can't tell when your site is being spidered. It's difficult to verify this data, so it's best to ignore it.

Keep logging the data in the combined log file format. If you need to refer to the data at a later time, it shouldn't be too difficult to match a Blackbox log entry to a combined log entry.

Putting it Together

The following is the configuration syntax for the Blackbox log format. It's designed to group similar directives together and still be readable when using the tail command.

Apache 2.0 Configuration

# Blackbox log format
<IfModule mod_logio.c>
LogFormat "%a/%S %X %t \"%r\" %s/%>s %{pid}P/%{tid}P %T/%D %I/%O/%B" blackbox

<IfModule !mod_logio.c>
LogFormat "%a/%S %X %t \"%r\" %s/%>s %{pid}P/%{tid}P %T/%D 0/0/%B" blackbox

CustomLog /var/opt/apache2/logs/blackbox blackbox

Apache 1.3 Configuration

# Blackbox log format
LogFormat "%a/%S %c %t \"%r\" %s/%>s %P/0 %T/0 0/0/%B" blackbox
CustomLog /var/opt/apache/logs/blackbox blackbox

If you decide not to use the remote port logging patch, replace %S with 0, otherwise Apache will refuse to run.

The formats above include all of the directives to log and still provide a cross-compatibility between the Apache 1.3 and 2.0 server releases. Even though 1.3 does not support threading or newer 2.0 logging directives, any parsing script will work with both versions.

Once the directives are in place, restart Apache. You will need to modify whatever scripts you use for log file rotation to take the Blackbox log file into account. You might want to consider retaining at least 10 days of logging data for your records.

Pages: 1, 2, 3, 4

Next Pagearrow