Obtain source IPs in Web Server logs

Hi,
We have inherited a site which is running SAM 6.3 Q1. Access to SAM is always through a VIP which uses a NAT pool. There is a specific technical reason for this but since we don't own the network it is not a discussion I want to get into yet.
So, no matter which client originates a request we cannot see the source IP as it is NAT'ed to one of a small range of IP addresses, while passing through the VIP. Since the Policy Agents always use the same URL we are unable to determine which requests originate from which clients.
Any way to increase logging in the Web Servers in order to obtain source IP addresses or something similar?
Thanks,
Eddie T

quad3d@work wrote: My work uses BB and Cacti, both work well!
Thanks. What is BB?
I need SSH and Apache/WWW monitoring that is not very difficult to set up and configure.
I want to have the failed attempts (SSH) and IPs that connected to my httpd.
Thank you, and for the other solutions. I will check them and I will decide.
Last edited by k3rn31 (2008-03-06 07:50:38)

Similar Messages

  • Cannot view web server logs in Server Admin

    It has been a terrible day.
    First, the interesting part:
    I woke up to find that 25 sites that are hosted on an XServe G5 running OS X Server 10.3.9 had been defaced. As the part-time, unpaid admin of this server, it was my responsibility to track down the vulnerability in the system and restore the defaced files from backups. The hacker had replaced the index.html file for each of the sites with his own, special version, in which he proudly declared that my server had been owned. I did a Nessus scan of the server and came up with nothing. I pulled what was left of my hair out looking for every vulnerability I could come up with, and still nothing.
    I then decided to use Google to get more information about him, using the name he proudly posted on the defaced sites, and was able to get his IM address. I proceeded to have an awkwardly pleasant conversation with him, in which he declared that he has discovered a new vulnerability and decided to try it out on my machine for the challenge. He apologized, but would not reveal the vulnerability (although he hinted that it had something to do with mod_security). He also promised to leave my machine alone now ....
    (Now for the not so interesting part, and the nature of my current problem)
    Anyway, I did what I could to clean up the mess, and wound up viewing the access logs in the Console app via ARD. That led me nowhere, so I decided to call it a night and logged out of ARD. A few minutes later, I thought I would log into ServerAdmin and take another look at those logs, but alas, they could no longer be viewed through ServerAdmin! The log section is empty. I ssh'd into the machine to see if he had broken his promise and messed around some more, but the logs still existed where they had always been. I ran tail -f on them to make sure they are still being updated, and they are.
    So after all that, it seems my big problem at the moment is viewing logs in ServerAdmin. I did not make any changes to httpd.conf (outside of disabling mod_security, which commented out the appropriate LoadModule and AddModule lines). I also disabled a few other unnecessary mods earlier in the evening via ServerAdmin, but I doubt that any particular mod controls whether or not I can view log files in ServerAdmin.
    I apologize for the length of this post, but it has been quite a day. If anyone can provide any clues as to either the location of error logs for the ServerAdmin app or any sort of known resolution to this issue, I would name my first born after you.
    Thanks.
    XServe G5   Mac OS X (10.3.9)  

    skvaish1 wrote:
    What purpose will you solve by loading the web server logs into the database? I will not advise it. It will be much easier for you to manage these logs at file system level, as well as monitor these for any issues, rather than loading them into the database and then running some database job to dig into those logs for any errors. Loading logs into the database will help if you need to keep them for a long time (more than a 1-year time frame or for regulatory purposes); otherwise it is better to keep the logs on the file system and just get regular backups of these logs onto tape.
    My 2 cents
    Regards

    Overall, I agree but I don't understand your comment about "Loading logs into database will help if you need to keep them for long time". Even if needed for regulatory reasons, one can manage them quite nicely outside of the database.
    Also to expand on this a bit for the OP .... if the need arose to use SQL to mine the logs for information that would be hard to get using the search feature of a simple text editor, one could always define an external table on an as-needed basis.

  • Web server log files under LabVIEW RT

    Hello,
    Are there any log files for the web server under LabVIEW RT running on a PXI? The log file checkbox is disabled in the target options.
    Also, is there a way to find out if the web server is running on the target?
    I'm asking the question because I can no longer access a remote panel (and even the root of the web server) on my PXI. I reinstalled everything and I still have the issue. I'm pretty sure that IT changed some network settings but they say no. I need to validate that everything is working on my side before taking further action.
    Thanks,
    Patrick

    Hi Patrick, 
    I would suggest having the log file checkbox enabled in the target options.  That should show if errors are occurring while it is running. Are you running remote front panels and web services, or just remote front panels?
    Can you provide a picture of all the software you have installed on your PXI?  You should be able to find this in MAX under the PXI in Remote Systems.
    Scott A
    SSP Product Manager
    National Instruments

  • Web server logging

    In LabVIEW 8.6 real-time projects, when I go to the "Web server: configuration" page of target properties, the "Use log file" checkbox is grayed out and unselectable. But it wasn't with LabVIEW 8.2 on the same target. Why can't I enable logging? Everything else is working fine.

    In 8.6 a new, third party, web server was included in LabVIEW in place of the old internal web server. As we were selecting the features to include in our build of the new web server, we decided that including logging by default on RT targets would be a bad idea because it would consume valuable disc space and the user may not know why.
    This was a mistake and will be fixed in a future version of LabVIEW.

  • Published Flash module and 404 errors in the web server log

    I’ve created a Presenter module, published it to my computer, and uploaded all the files to a web server. And it plays fine via the web.
    The odd thing is a bunch of 404 errors in the web log:
    10.1.2.104 - - [29/Jul/2009:10:36:00 -0700] "GET /repository/university/courses/3/flash/data/spk10821.1.jpg HTTP/1.1" 404 255 "-" 1166 419
    10.1.2.104 - - [29/Jul/2009:10:36:29 -0700] "GET /repository/university/courses/3/flash/data/spk10821.1.jpg HTTP/1.1" 404 255 "-" 1166 419
    10.1.2.104 - - [29/Jul/2009:10:36:57 -0700] "GET /repository/university/courses/3/flash/data/spk10821.1.jpg HTTP/1.1" 404 255 "-" 1166 419
    In the data directory there is a file named spk10821.jpg that was generated by Presenter. The image is actually the presenter bio photo that would normally show up in the sidebar -- but no photo is there. The browser never requests the valid spk10821.jpg file, only the non-existent spk10821.1.jpg path.
    Anybody know why this would be happening? I see in data/viewer.xml there is a tag for <image>spk10821.1.jpg</image> but I don’t know why Presenter would mention that file in the XML but generate a differently-named one in the publish folder.
    I’m wondering if I should have the web server rewrite requests with the ".1.jpg" ending to get rid of the ".1" part so they will work.
    By the way, this is with PowerPoint 2003 SP3 and Presenter 7.0.1.

    Hi Daniel,
    I am assuming that you are using Visual Studio 2010 to target the .Net framework 4.0
    Crystal Reports 2008 is not compatible with VS 2010. Use Crystal Reports for Visual Studio 2010 to target .Net framework 4.0.
    Deploy the application using the methods specified in the 'Deployment' section of the [CR for VS 2010 .Net SDK developer guide|http://help.sap.com/businessobject/product_guides/sapCRVS2010/en/crnet_dg_2010_en.zip].
    See if you can reproduce the issue after redeploying the application as mentioned above.
    Few questions-
    - Is it the dev machine or production machine causing the issue?
    - OS version?
    - What does the application do? i.e. view, export, print report?
    - Issue is with some reports or all the reports.
    See if there is an image on the report, remove the image and add it as a picture object ' Insert --> Picture' from the CR designer.
    Hope this helps,
    Bhushan.

  • Web server log not show byte transfer for php

    I added the PHP module to iWS 6.0. It works fine, but the access log does not show byte transfer information for PHP. What can I do?

    The iPlanet Web Server 6.0 access log does not report the number of bytes sent by plugins unless the plugin explicitly sets the Content-length: header. Sun ONE Web Server 6.1 is the first version of Web Server that always reports the number of bytes sent, even if the plugin neglects to set a Content-length: header.

  • Debug information "Unknown Source" on Tomcat 6 server log

    I installed Tomcat 6. When I run my application, the runtime exception debug output in the Tomcat server log did not show any line number. It makes it difficult for me to find the bug.
    Can anyone tell me why the exception debug info doesn't show line numbers, and shows "Unknown Source" instead, when I use Tomcat 6? The debug information looks like:
    java.lang.NullPointerException
    at com.xxx.xxx.MailServlet.process(Unknown Source)
    at com.xxx.xxx.MailServlet..doPost(Unknown Source)
    at org.apache.catalina.xxxxxx
    Actually it is a common runtime error. Do I need to configure Tomcat 6 so that I can see the exact line number?

    key being to turn debug="true" on (javac -g ?) when you are compiling

  • Disabling logging of HEAD request in HTTP web server logs

    Hi,
    I would like to stop the logging of HEAD requests in my HTTP server logs. I was thinking of using the Rewrite rule, however, there may be a more direct way of doing this. Is there a configuration setting within HTTP Server to do this?
    I'm using WebTier component of Weblogic 10.3.2.
    Thanks,

    I found the solution to disable HEAD requests.
    Edited by: WallyP on Mar 11, 2010 12:24 PM

  • OS X Web Server log

    Hello,
    I would like to install mod_jk (1.2.40) on OS X Server (10.10.2), Server (4.0.3).
    I compiled mod_jk successfully.
    After that I added the configuration for mod_jk:
    LoadModule jk_module libexec/apache2/mod_jk.so
    JkWorkersFile /private/etc/apache2/workers.properties
    JkShmFile /var/log/apache2/mod_jk.shm
    JkLogFile /var/log/apache2/mod_jk.log
    JkLogLevel debug
    JkMount /project/* router
    and restarted Apache.
    But Apache didn't start.
    Also I could not find any message in the /var/log/apache2/error_log file.
    Has anyone successfully installed mod_jk on OS X Server?
    Thanks,
    Youngho

    Apple use non-standard files and locations to store the Apache2 settings if you have Server.app installed. The main equivalent to the standard httpd.conf file is instead stored as -
    /Library/Server/Web/Config/apache2/httpd_server_app.conf
    This file contains a list of which Apache2 modules to load and where they should be loaded from. The standard location for modules is /usr/libexec/apache2 but the standard modules use a relative path of just libexec/apache2/. If you want to add your own modules I suggest you use a full path, e.g. /usr/local/mymodule

  • Change web server log timestamp to SQLServer timestamp

    The format of a log entry in Apache web log is
    [10/Oct/2000:13:55:36 -0700]
    Is there a more elegant way to convert this string into an SQL Server datetime than this:
    declare @ts char(28);
    set @ts = '[10/Oct/2000:13:55:36 -0700]';
    select dateadd(hour,
    convert(int, substring(@ts,22,3)),
    convert(datetime2(0),
    substring(@ts,2,11)+' '+
    substring(@ts,14,8)+':000',
    113) ) ;

    Hi LauriP,
    If all the timestamps are in that fixed format, the most elegant way is to concatenate the known-length date part and time part and cast the concatenated string to a DATE type.
    declare @ts char(28);
    set @ts = '[10/Oct/2000:13:55:36 -0700]';
    SELECT CAST(SUBSTRING(@ts,2,11)+' '+SUBSTRING(@ts,14,8) AS DATETIME2(0))
    -- OR
    SELECT CAST(SUBSTRING(@ts,2,CHARINDEX(':',@ts)-2)+' '+SUBSTRING(@ts,CHARINDEX(':',@ts)+1,8) AS DATETIME2(0))
    If you have any questions, feel free to let me know.
    Eric Zhang
    TechNet Community Support

  • Need Help - IIS Web Server Log Files

    Hi - We run a java applet on our web site and it runs fine. The problem is that in our log files we get hammered with this 404 error all the time.
    Can't find ConsultScrollBeanInfo.class
    The software maker says it is a bug with Java 2 SDK.
    If this is true, is there a fix so that IIS log files won't pick this up any more?
    Thanks!


  • Need Help to Prevent DDOS at application layer to protect Web server ?

    Please guide me on solutions for a DDoS attack. I am facing this attack, and after some investigation I found some details of what is up against me.
    Here are some details of the attack which is most similar to my situation.
    In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools.
    Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. Slowloris must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up its sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they'll still be able to see the site. So it's a bit of a race condition, but one that Slowloris will eventually always win - and sooner than later.
    Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored separately per virtual host. But most importantly, while the attack is underway, the log file won't be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might be watching in that instant. Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That's unavoidable as Slowloris sits today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn't yet do that.
    Please suggest any solutions with a product that can help to prevent this problem, with some guidance on the features of that product that specifically prevent this type of attack. I already have many Cisco devices like ASA, IPS, Cisco Guard etc.; I just need some guidance.
    An early response is requested and will be highly appreciated.

    Hello Haseen
    Any tool will have some sort of trend/characteristic that can be used to filter or throttle it out. Take Skype for an example; even with all its complexity vendors managed to find ways to detect it on the network and take corrective actions. However it's always a catch-up game: developers continually work to make their applications or protocols more stealthy and the vendors have to keep up with this challenge.
    So you would need to understand this trend/characteristic of the attack, and then filter it out using an access control mechanism. IMHO the most appropriate would be a web application firewall (WAF). Cisco used to have one but I think it is EOS soon:
    http://www.cisco.com/en/US/products/ps9586/index.html
    F5 Networks have their ASM module:
    http://www.f5.com/products/big-ip/application-security-manager.html
    Other vendors also have some good tools.
    Please rate if you find the applications helpful.
    Regards
    Farrukh
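A defender-side check for the log signature described in the quoted Slowloris text above (a burst of 400 entries that only appears once the held connections are released), as an added example that is not part of any post in this thread. The function names, threshold, window and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (host, aware datetime, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group("host"), ts, int(m.group("status"))

def find_400_bursts(lines, threshold=5, window=timedelta(seconds=10), statuses=(400,)):
    """Map each host to (first, last, count) of its largest burst of error
    responses, where a burst is >= threshold matching entries inside one window.
    Pass other status codes if your server logs dropped requests differently."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in statuses:
            events[parsed[0]].append(parsed[1])
    bursts = {}
    for host, stamps in events.items():
        stamps.sort()  # entries are written on completion, so do not trust file order
        q, best = deque(), 0
        for ts in stamps:
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and len(q) > best:
                best = len(q)
                bursts[host] = (q[0], q[-1], best)
    return bursts

# Constructed sample log (documentation-range addresses), not taken from the page.
SAMPLE_LOG = """\
198.51.100.20 - - [29/Jul/2009:10:35:58 -0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jul/2009:10:36:00 -0700] "-" 400 226
203.0.113.7 - - [29/Jul/2009:10:36:00 -0700] "-" 400 226
203.0.113.7 - - [29/Jul/2009:10:36:01 -0700] "-" 400 226
198.51.100.20 - - [29/Jul/2009:10:36:01 -0700] "GET /missing HTTP/1.1" 404 255
203.0.113.7 - - [29/Jul/2009:10:36:01 -0700] "-" 400 226
203.0.113.7 - - [29/Jul/2009:10:36:02 -0700] "-" 400 226
203.0.113.7 - - [29/Jul/2009:10:36:03 -0700] "-" 400 226
198.51.100.20 - - [29/Jul/2009:10:40:12 -0700] "GET /%zz HTTP/1.1" 400 226
not a log line
""".splitlines()

if __name__ == "__main__":
    for host, (first, last, count) in find_400_bursts(SAMPLE_LOG).items():
        print(f"{host}: {count} x 400 between {first.isoformat()} and {last.isoformat()}")
```

When the web server sits behind a NAT'ing VIP, as in the first post on this page, the host field holds a pool address, so bursts group by pool address rather than by client.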

  • Iplanet  web server 7 -how to get more information when a certificate is untrusted ?

    Hi
    When a client tries to access iPlanet 7.0.15, we only get a line in the errors log with a simple error, for instance SSL_ERROR_UNKOWN_CA_ALERT...
    We would like to know if it is possible to configure iPlanet to get more information about this request.
    iPlanet is receiving requests from a lot of clients and sometimes it is difficult to identify the source of an error without more information.
    We would like to have information similar to what the access log shows when the certificate is valid.
    We get the same information with log-level = info or finest.
    Thanks
    Uge

    Hi Uge,
    Setting the iPlanet Web Server log level to 'finest' will give you more information, but it is very verbose, and you still might not get the information you are looking for. You might want to try 'fine' or 'finer' first to see if either of those gives you the information you need.
    With regards to the above error, SSL_ERROR_UNKOWN_CA_ALERT, this means that the client presented a certificate in the SSL handshake that was signed by a CA that the Web Server doesn't have in its certificate database. In order to ensure the Web Server is kept up to date with the latest set of public CA certificates, I would recommend you upgrade to the latest version.
    If you know that the certificates the clients are using are from an internal CA, you need to ensure the Root CA Certificate from that internal CA is installed in the Web Server's certificate database as a trusted certificate.
    regards
    Tracey

  • Unable to connect servlet on web server

    Hi all,
    I have written the following program to connect to the servlet on the web server:
    import java.io.PrintWriter;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.net.URLEncoder;

    public class HTTPTest {
        public HTTPTest() {
        }

        public static void main(String[] args) {
            HTTPTest httptest = new HTTPTest();
            httptest.sendHTTP();
        }

        public void sendHTTP() {
            try {
                URL url = new URL("http://myserver/myServlet");
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setDoOutput(true);
                conn.setRequestMethod("POST");
                conn.setRequestProperty("Content-type", "application/x-www-form-urlencoded");
                // Write the two form fields to the request body
                PrintWriter dos = new PrintWriter(conn.getOutputStream());
                dos.println("content=" + URLEncoder.encode("ABC"));
                dos.println("signature=" + URLEncoder.encode("CDE"));
                dos.flush();
                dos.close();
                conn.disconnect();
            } catch (Exception e) {
                // exception is ignored
            }
        }
    }
    My servlet does contain some code that writes a log entry to the web server log. However, when I examine the log after running this program, nothing was written. But when I access my servlet using an HTML page, it works!
    I am using iPlanet 4.0 SP4, JDK 1.3. Can anyone tell me why? thanks very much!
    Walter

    Thanks very much! It works.
    However, another problem has come up. For the two fields that I "POST"ed, it seems that one can reach the servlet but one cannot. When I retrieve the values from the servlet using "req.getParameter("XXX")", one of them is null. But obviously my applet does not send null values.
    Is anything else needed? Thanks!

  • 404 errors from Mavericks web server

    Running Mavericks server in VirtualBox while I come up with a checklist for implementing WordPress on a Mac mini next week. Running into strange 404 errors that I'm not familiar with.
    1) Turned on web server and PHP. Localhost opens the default web page just fine.
    2) Tried installing PHPmyadmin. Got 404 errors attempting to access any files in that directory.
    3) Moved the default index.html.en into a folder named osxs. Got 404 errors trying to access those files. HOWEVER, localhost still finds that page in the root directory, which it shouldn't.
    4) Moved WordPress default files into root folder. Localhost still shows default OSXS page.
    Is there a cache that needs to be refreshed? I've tried turning Apache off and on again, with no luck.
    Thanks,
    Jeff

    I'm going to guess you're reading some directions for an older OS X release, or for OS X client and not OS X Server.
    404 is "not found".  That'll usually show up in the Apache logs, including the requested (failed) path.  When maintaining and particularly troubleshooting a web server, you'll always be reading the server logs and the web server logs.
    If you've not already done so, use Server.app to create a web site underneath /library/server/web/data/sites and load your content management system there.  Don't create that directory elsewhere.  Keep it in that path.  At least not yet.  (Apache intentionally doesn't allow folks to navigate random parts of the file system.)
    OS X Server requires functional DNS, as well.  To verify that, launch Terminal.app from Applications > Utilities and issue the following harmless diagnostic command:
    sudo changeip -checkhostname
    That'll require an administrative password, might show a one-time informational message around the use of sudo, and will then display some network information and then an indication that no changes are required, or that there are DNS or network problems. 
    Do not use .local nor .arpa as your domain.
