Forensic Logging Module for Apache

by Jacco Tünnissen

Apache version 1.3.31*) now comes with a special module for forensic logging of requests made to the server.

The module is called mod_log_forensic and is able to log client requests before and after processing the request, so you get two log lines for each request. Each log entry gets a unique ID (or "token") which can be associated with the request using the normal CustomLog directive.

Relate the forensic log to the transfer log by including %{forensic-id}n in the custom log format, for example:

    CustomLog logs/custom "%h %l %u %t \"%r\" %>s %b %{forensic-id}n"

If data cannot be written to the forensics logfile, the child process exits immediately and may dump core.

For analyzing the forensic logs created by this module, a special check_forensic script is included in the Apache source distribution (see: src/support/check_forensic). This script takes as its argument the name of the logfile and complains if a request was not completed.
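
The same pairing check, sketched in Python as an added example (this is not the bundled check_forensic script and not code from the original post). It assumes the line format given in the mod_log_forensic documentation: a start entry "+id|request line|Header:value|..." with special characters %-escaped, and an end entry "-id". The log lines and IDs are constructed.

```python
from urllib.parse import unquote

# Constructed sample log; IDs, hosts and requests are made up.
SAMPLE_LOG = """\
+idA0001|GET /index.html HTTP/1.1|Host:www.example.test%3a8080|User-Agent:demo
-idA0001
+idA0002|POST /cgi-bin/form HTTP/1.0|Host:www.example.test|Content-Length:99999
+idA0003|GET /about.html HTTP/1.1|Host:www.example.test
-idA0003
-idA0009
"""

def parse_start(line):
    """Split a '+' entry into (id, request line, {header: value})."""
    fields = line[1:].split("|")
    forensic_id = fields[0]
    request = unquote(fields[1]) if len(fields) > 1 else ""
    headers = {}
    for field in fields[2:]:
        # Assumption: ':' and '|' inside values are %-escaped by the module,
        # so the first ':' always separates the header name from its value.
        name, _, value = field.partition(":")
        headers[name] = unquote(value)
    return forensic_id, request, headers

def find_incomplete(lines):
    """Return (unfinished, orphans): requests with a '+' entry but no '-'
    entry, and '-' entries whose '+' entry is not in this file."""
    pending, orphans = {}, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("+"):
            fid, request, headers = parse_start(line)
            pending[fid] = (request, headers)
        elif line.startswith("-"):
            if pending.pop(line[1:], None) is None:
                orphans.append(line[1:])
    return pending, orphans

if __name__ == "__main__":
    unfinished, orphans = find_incomplete(SAMPLE_LOG.splitlines())
    for fid, (request, headers) in unfinished.items():
        print(f"never completed: {fid} {request!r} Host={headers.get('Host')}")
    for fid in orphans:
        print(f"end without start: {fid}")
```

An ID reported as never completed can then be looked up in the transfer log through the %{forensic-id}n field. On a live log the most recent start entries may simply belong to requests still in progress.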

The idea for this module came from Tina Bird; the code was written by Ben Laurie.

*) Apache 1.3.30 was not released.