I have set up a log "environment" which sends different "stuff" into different logfiles:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %s %>s %b \"%{worm}e\" \"%{Referer}i\" \"%{User-Agent}i\"" worm
# Worm calls are handled separately
# check for a worm call
<IfModule mod_setenvif.c>
SetEnv envlog log
SetEnvIf Request_URI "default\.ida" dontlog worm=CodeRed
SetEnvIf Request_URI "cmd\.exe" dontlog worm=Nimda,CodeRed
SetEnvIf Request_URI "shell\.exe" dontlog worm=Nimda,CodeRed,(Indy Library-back orifice?)
SetEnvIf Request_URI "root\.exe" dontlog worm=Nimda
SetEnvIf Request_URI "Admin\.dll" dontlog worm=Nimda
SetEnvIf Request_URI "nsiislog\.dll" dontlog worm=IIS vulnerability
SetEnvIf Request_URI "robots\.txt" dontlog
</IfModule>
ErrorLog logs/web1.error.log
CustomLog logs/web1.referrals.log combined
CustomLog logs/web1.access.log common env=!dontlog
<IfModule mod_setenvif.c>
SetEnvIf Request_URI "default\.ida" wormlog worm=CodeRed
SetEnvIf Request_URI "cmd\.exe" wormlog worm=Nimda,CodeRed
SetEnvIf Request_URI "shell\.exe" wormlog worm=Nimda,CodeRed,(Indy Library-back orifice?)
SetEnvIf Request_URI "root\.exe" wormlog worm=Nimda
SetEnvIf Request_URI "Admin\.dll" wormlog worm=Nimda
SetEnvIf Request_URI "nsiislog\.dll" wormlog worm=IIS vulnerability
SetEnvIf Request_URI "robots\.txt" robotlog
</IfModule>
CustomLog logs/peg_seti.robots.log combined env=robotlog
CustomLog logs/peg_seti.worm.log worm env=wormlog
Thus far everything works purrfectly, but now I added a "deny" to certain hosts.
I want to log them into a different logfile "logs/web1.denied.log" and keep them
from appearing in my "referrals" and "access" logs.
Is there a way to check the return-status 403 in httpd.conf?
something like
SetEnvIf return-status "403" denied
looking through the docs, I can't find anything helpful.
pointers or help are greatly appreciated.
--
Robi
FAQ
Profile
Private Messages
Log in
