Forensic Logging Module for Apache

by Jacco Tünnissen

Related link: http://httpd.apache.org/docs/mod/mod_log_forensic.html



Apache version 1.3.31*) now comes with a special module for forensic logging of requests made to the server.



The module is called mod_log_forensic and is able to log client requests before and after processing the request, so you get two log lines for each request. Each log entry gets a unique ID (or "token") which can be associated with the request using the normal CustomLog directive.




Relate the forensic log to the transfer log by including %{forensic-id}n in the custom log format, for example:

    CustomLog logs/custom "%h %l %u %t \"%r\" %>s %b %{forensic-id}n"



If data cannot be written to the forensics logfile, the child process exits immediately and may dump core.



For analyzing the forensic logs created by this module, a special check_forensic script is included in the Apache source distribution (see: src/support/check_forensic). This script takes as its argument the name of the logfile and complains if a request was not completed.
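The check described above, sketched in Python as an added example (this is not the check_forensic script from the Apache distribution). It assumes the entry layout given in the mod_log_forensic documentation, which this page does not spell out: a "+<id>|<request line>|<Header>:<value>|..." line before processing, a "-<id>" line after, with special characters written as %xx. The sample log and its IDs are constructed.

```python
from urllib.parse import unquote

# Constructed sample; the layout is an assumption taken from the module docs:
# "+<id>|<request line>|<Header>:<value>|..." before processing, "-<id>" after.
SAMPLE_LOG = """\
+AAAAid0001|GET /index.html HTTP/1.1|Host:www.example.com%3a8080|Accept:*/*
-AAAAid0001
+AAAAid0002|POST /cgi-bin/form.cgi HTTP/1.0|Host:www.example.com|Content-Length:4096
+AAAAid0003|GET /favicon.ico HTTP/1.1|Host:www.example.com
-AAAAid0003
-AAAAid0009
"""

def parse_start(line):
    """Split a '+' entry into (id, request line, headers dict)."""
    fields = line[1:].split("|")
    forensic_id = fields[0]
    request = unquote(fields[1]) if len(fields) > 1 else ""
    headers = {}
    for field in fields[2:]:
        # Literal ':' inside a value is logged as %3a, so the first ':' is the separator.
        name, _, value = field.partition(":")
        headers[unquote(name)] = unquote(value)
    return forensic_id, request, headers

def check_forensic(lines):
    """Return (incomplete, orphans): requests begun but never finished,
    and end markers with no matching start (e.g. the start was rotated away)."""
    open_requests = {}
    orphans = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("+"):
            forensic_id, request, headers = parse_start(line)
            open_requests[forensic_id] = (request, headers)
        elif line.startswith("-"):
            if open_requests.pop(line[1:], None) is None:
                orphans.append(line[1:])
    return open_requests, orphans

if __name__ == "__main__":
    incomplete, orphans = check_forensic(SAMPLE_LOG.splitlines())
    for forensic_id, (request, headers) in incomplete.items():
        print(f"incomplete {forensic_id}: {request} Host={headers.get('Host')}")
    for forensic_id in orphans:
        print(f"end marker without start: {forensic_id}")
```

An ID reported as incomplete can then be searched for in the CustomLog file that records %{forensic-id}n.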



The idea for this module came from Tina Bird; the code was written by Ben Laurie.



*) Apache 1.3.30 was not released.