AwStats plugin for DA [Still in BETA]

Hi all,

The awstats plugin doesn't delete the /etc/awstats directory!
As stated in a previous post, there was a upgrade that the www.[domain].com isn't used anymore and is replaced by [domain].com

This would result in:

config files awstats.www.[domain].com.conf as awstats.[domain].com.conf and the HISTORY files awstats.www.[domain].com.txt to awstats.[domain].com.txt

So if you would like to have you're old history you should as stated had moved to txt files to the correct new ones.

The install process/update process DOESN'T affect the /etc/awstats dir, it only creates it if it doesn't exists.


For the null visitor days, this is very odd as almost ALL statistics packages keep their own HISTORY files and NEVER removes/purges the log files.

Read the first post about alldomains.php and awstats_updateall.pl

the last one updates your statistics for all domains and the first one installs awstats on all your domains.

So my conclusion is:

- Awstats plugin doesn't have a bug that removes/clears /etc/awstats check the install.sh in the plugin dir under scripts.

- Awstats or any other package DOESN'T purge the apache log files! It could be some logrotation issue!
 
I can vouch and say none of the above 2 bugs have affected me so it isnt a global bug.
 
I've run into a bit of a problem. I noticed the /etc/awstats directory is writable by anyone. This causes a major security flaw as anyone can copy a file there and execute it. Same issue people runinto with the /tmp directory. This is a problem that needs correction, I'm not sure if this is an awstats issue or a issue with the plugin.

The only solution I came up with is to move it to a noexec mounted partition.
 
Major security flaw ? No. A users home dir is executable too so he could move whatever he wants there, same as /tmp and multiple other dirs. This dir only holds some data for the stats. So no flaw here.


If you don't want it writable by others than set it to don't. I will change this in next release to remove the "x" rights if 'I've tested it first. In the previous releases it went completly wrong on that, but maybe now not anymore.
 
Well, saying major may be an overstatement. But it is a security flaw. I had an issue with a users account being comprimised, the hacker then would put stuff in the awstats directory (namely a irc server) and run it from there. In a situation like this its impossible to tell who put it there. In a case where its in the home directory its much easyer to find who's account it is causing the trouble. I have a policy now to put all write enabled directories on a noexec,nosuid,nodev mounted partition.

What I'm saying is it should be in each users home directory, this way permisions could be set to only the owner, and would not only prevent events described above but also chances of a user deleting or modifying anothers stats.

Also, as far as I can tell it needs to be writable as files are written by the user when it is setup afiak. You would need to manually setup all the files.
 
Ok I understand and yes it is a security factor in default setups. DA's setup like: php/apache doesn't allow users to x'ecute outside their home dir. If you're saying a hacker who hacks into your machine. They can find millions of ways to have execute rights when they have SSH access. Chroot and jails work fine but stil aren't strong enough.

I will as I said change this. But considering it as a security flaw no why? check you /bin dir or your /usr/bin dir. these are all executable just as /etc/awstats

I will remove the "write" bit for others on the dir as this is the only real flaw.
 
The next release 2.0 has some minor updates still open:

- Security issue as described above removing the 'x' bit from /etc/awstats

- Minor changes in alldomains.php to set the correct permissions the same way as the web-installer in control panel

These will eventualy be corrected (about 1 week) and I can then call that it is out of Beta. Probaly there will always be some issues on some systems, but I will try to correct those in time.
 
Do you have any plans to make awstats an optional feature? That is to say I can assign it to some hosting plans and not others, like installatron?
 
The link will always appear, so there should be php support by DA for plugin links. When this is done, there will be an extra option on admin level to assign it to it's resellers and on reseller level to it's users. This feature is already implemented but can't be functional till the next release of DA version (ETA 10 Dec.)

I will probaly wait till this day until I release 2.0 ;)
 
I just had to reply and say that I installed this, and it's incredibly WONDERFUL!

Also, I've noticed that multiple times, you've told people to change the base awstats.none.conf file to have "EnableLockForUpdate=0" instead of "EnableLockForUpdate=1" and then to reinstall - either that, or edit all conf files by hand. Here's a quicker little one-line Perl fix that's incredibly useful. You still have to make the change to awstats.none.conf, since it's not in /etc/awstats, but this will clean up all previous installed configs.

Code: 
cd /etc/awstats && perl -pi.bak -e 's/EnableLockForUpdate=1/EnableLockForUpdate=0/g' awstats.*.conf

That will go through all of the files that match awstats.*.conf and change the 1 to 0. No need to reinstall for a simple change like that. It also creates backups in the format of awstats.domain.com.conf.bak - which can be easily cleared out with a `rm awstats.*.bak` You can use it with simple obvious modifications to change any other options throughout all the conf files.

This plugin makes me so happy. Thanks for the great work on it!
 
Another question:

If I have about 300 domains with AWSTATS plugin installed, it will increase my server load?

Thank's for any help....
 
for anyone who is interested here is the awstats configuration changes I made.

DebugMessages=0
LevelForWormsDetection=1
ShowWormsStats=1
LoadPlugin="tooltips"
LoadPlugin="hashfiles"
# Perl modules required: Storable for hashfiles
EnableLockForUpdate=0
AllowToUpdateStatsFromBrowser=0

I crontab it once a day to update all domains.
 
alex2k said:
Another question:

If I have about 300 domains with AWSTATS plugin installed, it will increase my server load?

Thank's for any help....
Click to expand...

Awstats is normaly very low recource consuming. But the more plugins (awstats plugins) you activate the higher it's load will be.

My standard configuration doesn't use GeoIPFree this will increase load a lot. It does has lookups on IP's, but this is normaly done by apache, but I disabled it so the plugin does this. as this will increase load like much other things. If it takes a huge load you could define you setup in 2 ways depending on the usage:

- Update through browser (If sites are small and has not many hits or stats aren't very much visited, only cron on logratate as set in the first post of this thread)

- Cronjob nightly for all domains (Stats are visited daily or site has very much hits)

It just depends on the way you use awstats.
 
Is there any configuration change I can make to the default config that will make awstats show query strings? Thanks to Vandal, I now have Coldfusion running and my clients are asking for this ability..
 
davidb said:
Is there any configuration change I can make to the default config that will make awstats show query strings? Thanks to Vandal, I now have Coldfusion running and my clients are asking for this ability..
Click to expand...

What's the need for this ? Showing query strings ? :) Don't really understand what you want :p
 
I have a developer using cf on my system hosting multiple sites through a CF content management/business management system he developed. In order to get meaningful stats, it is sometimes necessary to capture the information after the ? on a URL and perform statistics analysis with the full URL instead of truncating at the ?..
 
Ok I understand and yes this is possible. For global configuration you can change the awstats.none.conf in the hooks/cgi-bin/ dir or change the specific awstats.[domain].conf in the /etc/awstats dir.

The option to change (resource awstats.org):

URLWithQuery
Version : 3.2+

# Keep or remove the query string to the URL in the statistics for individual
# pages. This is primarily used to differentiate between the URLs of dynamic
# pages. If set to 1, mypage.html?id=x and mypage.html?id=y are counted as two
# different pages.
# Warning, when set to 1, memory required to run AWStats is dramatically
# increased if you have a lot of changing URLs (for example URLs with a random
# id inside). Such web sites should not set this option to 1 or use seriously
# the next parameter URLWithQueryWithoutFollowingParameters.
# Possible values:
# 0 - URLs are cleaned from the query string (ie: "/mypage.html")
# 1 - Full URL with query string is used (ie: "/mypage.html?p=x&q=y")
# Default: 0
#
URLWithQuery=0


Tune the query:

http://awstats.sourceforge.net/docs/awstats_config.html#URLWithQueryWithOnlyFollowingParameters


Let me know if it works :) never used it before!
 
Works Great! It would be awesome if we could add the ability to turn this on and off to the tune awstats area.

parameter tuning would also be cool.

Thanks for the assist and for the great plugin!
 
You must log in or register to reply here.
Back
Top