Apache module mod_log_forensic

Module mod_log_forensic

This module provides for forensic logging of the requests made to the





Available in

Version 1.3.30 and later.


This module provides for forensic logging of client

requests. Logging is done before and after processing a request, so the

forensic log contains two log lines for each request.

The forensic logger is very strict, which means:

The check_forensic script, which can be found in the

distribution’s support directory, may be helpful in evaluating the

forensic log output.

See also: .


Each request is logged two times. The first time before it’s

processed further (that is, after receiving the headers). The second log

entry is written after the request processing at the same time

where normal logging occurs.

In order to identify each request, a unique request ID is assigned.

This forensic ID can be cross logged in the normal transfer log using the

%{forensic-id}n format string. If you’re using

, its generated

ID will be used.

The first line logs the forensic ID, the request line and all received

headers, separated by pipe characters (|). A sample line

looks like the following (all on one line):

+yQtJf8CoAB4AAFNXBIEAAAAA|GET /manual/de/images/down.gif

HTTP/1.1|Host:localhost%3a8080|User-Agent:Mozilla/5.0 (X11;

U; Linux i686; en-US; rv%3a1.6) Gecko/20040216

Firefox/0.8|Accept:image/png, etc…

The plus character at the beginning indicates that this is first log

line of this request. The second line just contains a minus character and

the id again:


The check_forensic script takes as its argument the name

of the logfile. It looks for those +/- ID pairs

and complains if a request was not completed.

Security Considerations

See the

document for details on why your security could be compromised

if the directory where logfiles are stored is writable by

anyone other than the user that starts the server.




server config, virtual




in Version 1.3.30 and above

The ForensicLog directive is used to

log requests to the server for forensic analysis. Each log entry

is assigned unique ID which can be associated with the request

using the normal

directive. mod_log_forensic creates a token called

forensic-id, which can be added to the transfer log

using the %{forensic-id}n format string.

The argument, which specifies the location to which

the logs will be written, can take one of the following two

types of values:


A filename, relative to the .


The pipe character “|”, followed by the path

to a program to receive the log information on its standard

input. Security: if a program is used, then

it will be run as the user who started httpd. This will be

root if the server was started by root; be sure that the

program is secure.

Leave a Reply

Your email address will not be published.