access_log aways empty for default httpd.conf

LawsHosting

Verified User
Joined
Sep 13, 2008
Messages
2,367
Location
London UK
Is this normal?:
server1:/var/log/httpd# ls -l
total 768
-rw-r--r-- 1 root root 0 2008-11-30 06:25 access_log
-rw-r--r-- 1 root root 0 2008-11-23 06:25 access_log.1
-rw-r--r-- 1 root root 0 2008-11-16 06:25 access_log.2
-rw-r--r-- 1 root root 0 2008-11-09 06:25 access_log.3
-rw-r--r-- 1 root root 0 2008-11-02 06:25 access_log.4
Like, myphpadmin stuff would be logged wouldnt it not? Also, I know the I.P has hits, and hits from exploit scanners, as the error_log stats this....

Any ideas?
 
Are you sure that that is the right log file. Maybe the stuff is being logged somewhere else.
 
it points to /etc/httpd/logs/ which symlink's to /var/log/httpd/:
ErrorLog logs/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%b" bytes
CustomLog logs/access_log combined

Strange how the error log is fine.....
 
Peter, did you ever get this solved? I'm having the same problem and for the life of me cannot figure out what could be wrong. All settings are as they should be and Apache was logging just fine to access_log until 18th of February.
 
I gave up, but it (the httpd.conf) could be using a completely different log as opposed to the defined CustomLog? :confused:

Not that it matters but it would be useful to see the hack attempts captured for proof.
 
Mystery solved. Everything was working as it should, but I didn't understand DA's way of doing it.

When you access an IP directly, it gets logged to /var/log/httpd/homedir.log if the IP has an "owner" in DA. If it has no owner, the hits are logged to /var/log/httpd/access_log.

What happened on this particular server on 18th of February was that the last free IP was assigned to a user, thus no more entries in access_log.

As Peter pointed out, access_log has been a good source of information, since many attacks are targeted against IPs, not domain names. I have fail2ban set up to monitor access_log, so naturally I need to have the source IP logged for possible banning. Homedir.log doesn't provide this information.

So, I copied ips_virtual_host.conf template to the custom directory and added a new logging directive after the existing entry for homedir.log:

CustomLog /var/log/httpd/homedir.log homedir
CustomLog /var/log/httpd/access_log combined
Then I told DA to rewrite ips.conf:

echo "action=rewrite&value=ips" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d

Now I'm getting the entries I want in access_log for all the IPs that have VirtualHosts set up in ips.conf and homedir.log continues to serve the purpose it was set up for.

Please note that VirtualHost entry for the server IP is set up in httpd.conf template, not in ips_virtual_host.conf template.
 
Back
Top