splitlogs.conf file does not exist in the stated location
Hello-
I have a CL8 WHM/cPanel server and I wish to customize my Apache access logs so that they show the full requested URL for each request instead of the relative path. In order to do this, it appears I have to modify the "splitlogs.conf" file on my system.
The cPanel documentation states this file should exist at `/var/cpanel/conf/splitlogs.conf` per this page: https://docs.cpanel.net/knowledge-base/web-services/the-splitlogs-binary/#:~:text=each%20splitlogs%20instance.-,The%20splitlogs%20configuration%20file,conf%20file.
On my server, that directory does not have any files inside it. There are several subdirectories:
Inside the apache directory, there is only one file named: primary_virtual_hosts.conf - This does not appear to be the file I need.
Am I intended to create this file from scratch in this case? Or is the documentation outdated?
If I am intended to create it from scratch, where can I get a starting file so that I can ensure the settings all stay the same? Save for the only modification I wanted to make...
Does no one actually know the answer to this question? I really thought this was going to be a pretty straightforward "pitch and catch"...
Hey there! That's correct - feel free to create that file and rebuild Apache and it will get read into the configuration.
I don't think you understood (or fully processed what I posted) based on your response...
I mentioned that there is nothing I can find in your docs (or anywhere else on the internet for that matter) that provides an example of what a splitlogs.conf file might look like so I have no idea what to even put in this file or what the syntax even looks like. There is no man page on the system for splitlogs and `splitlogs --help` was unhelpful in this regard.
I also was inquiring about getting the default file in place because I would like to "modify" the current configuration, not start one from scratch. This is a production server so I feel way more comfortable just adding a variable to the CustomLog configuration than trying to guess what the full configuration should actually be...
Thanks!
I actually just noted there is some fine print that gives some limited detail...
"uses the contents of this file to set command line arguments for CustomLog directives in Apache’s /usr/local/apache/conf/httpd.conf file. The configuration file contains line-delimited key=value pairs. The key entries are the same as the command line arguments."
So I can see that the syntax is at least key=value, one per line, but I'm still not understanding what I would put in this file to do what I want.
Here is what I want. Currently the log config in my built httpd.conf looks like this:

<IfModule mod_log_config.c>
    LogFormat "%v:%{local}p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedvhost
    <IfModule logio_module>
        LogFormat "%v %{%s}t %I .\n%v %{%s}t %O ." bytesvhost
        LogFormat "apache-traffic.log %{%F}t %H %{SSL_PROTOCOL}x %v %I %O %a %{c}a" trafficlog
    </IfModule>
    LogFormat "%v:%{local}p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v:%{local}p %h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    <IfModule logio_module>
        CustomLog "|/usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=host.redf1sh.com --suffix=-bytes_log" bytesvhost env=!isproxyrequest
        CustomLog "|/usr/local/cpanel/bin/splitlogs --main=apache-traffic.log --mainout=/var/log/cpanel-server-traffic/web/traffic-apache.log" trafficlog env=!isproxyrequest
    </IfModule>
    CustomLog "|/usr/local/cpanel/bin/splitlogs --dir=/etc/apache2/logs/domlogs --main=host.redf1sh.com --mainout=/etc/apache2/logs/access_log" combined env=!isproxyrequest
</IfModule>

I would like to modify the "LogFormat" lines so that the format includes the full request URL for each request instead of just the relative path. Because of the way some of the domains / subdomains share data and routing, it's not clear to me what domain was used to handle a given request when I'm trying to track down a breach attempt or something like that:
Is the splitlogs.conf where I would even do this? I know I should not edit the httpd.conf file directly (apart from uncommenting vhost include directives anyway).
Also, just thought of this: is modifying the access_log output to include the full URL instead of the relative path going to break anything with log analyzers like awstats/webalizer?
Thanks for that clarification - you're right that there aren't very many examples of how to use this, but the supported values for the file would be the items listed in https://docs.cpanel.net/knowledge-base/web-services/the-splitlogs-binary/#performance-tweaking-arguments
Changing the actual log data to show the full URL would be something that has to be handled in the Apache template. The specific logging is controlled by this section of the Apache conf:
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    <IfModule logio_module>
        LogFormat "%{%F}t %H %{SSL_PROTOCOL}x %v %I %O %a %{c}a" trafficlog
        CustomLog /var/log/cpanel-server-traffic/web/traffic-apache.log trafficlog env=!isproxyrequest
    </IfModule>
    # access_log format can be set in WHM under 'Basic WebHost Manager® Setup'
    CustomLog logs/access_log combined env=!isproxyrequest
</IfModule>

This can be adjusted in the LogFormat section of WHM >> Apache Configuration >> Global Configuration.
I'd check out the lines there and see if that will work for you, and then you can likely avoid the splitlogs customizations altogether.
Good news - I realized I don't need to use splitlogs; I could add my own "piped log" to my own script to do the regex matching and logging to detect intrusion attempts.
I was able to add my own .conf file in /etc/apache2/conf.d named "100-custom-log.conf" and in that file I put:

<IfModule mod_log_config.c>
    LogFormat "%h %u %t \"%m %{REQUEST_SCHEME}x://%V%U%q\" %s %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ccvhost
    CustomLog "|/path/to/my/script" ccvhost
</IfModule>

This creates a custom log format that includes the FULL URL of the request (and I also added the initial response code for fun).
I then set up a script that reads STDIN, regex-matches the lines sent from the access log, and logs interesting requests to my own log file that I can keep track of.
I'm planning on spinning this into a full blown real-time intrusion detection and defense application with CSF integration for automatic blocking of offending IPs scoring over a defined threshold.
This is gonna be sweet!
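As an added example (not the poster's script or anything from cPanel), here is one way to write the piped-log reader described above in Python: it parses lines in the ccvhost LogFormat from 100-custom-log.conf, scores each request against a few detection rules, keeps a running per-IP total, and writes interesting requests to its own log. The rules, the threshold, the output path and the sample lines in the test are all constructed for illustration; a real deployment would tune them and hand the per-IP totals to CSF or similar.

```python
import re
import sys
from collections import defaultdict
# Field regex for the ccvhost LogFormat in 100-custom-log.conf above:
#   %h %u %t "%m %{REQUEST_SCHEME}x://%V%U%q" %s %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)" (?P<first>\d{3}) (?P<final>\d{3}) '
    r'(?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed scoring rules (regex over the full URL, points) and a hypothetical threshold
RULES = [
    (re.compile(r'/etc/passwd'), 5),
    (re.compile(r'/\.(env|git)(/|$)'), 5),
    (re.compile(r'/(wp-login|xmlrpc)\.php'), 1),
]
THRESHOLD = 10

def parse_line(line):
    # One ccvhost line -> dict of named fields, or None if it does not match the format
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def score_request(rec):
    # Points for one request: rule hits on the full URL, plus 1 for a 401/403 final status
    score = sum(points for rx, points in RULES if rx.search(rec['url']))
    return score + (1 if rec['final'] in ('401', '403') else 0)

class Tracker:
    # Accumulates a running score per client IP; feed() returns (record, points, client_total)
    def __init__(self):
        self.totals = defaultdict(int)
    def feed(self, line):
        rec = parse_line(line)
        if rec is None:
            return None
        points = score_request(rec)
        self.totals[rec['host']] += points
        return rec, points, self.totals[rec['host']]

if __name__ == '__main__':  # Apache pipes each access line to stdin
    tracker = Tracker()
    with open('/var/log/custom-access-alerts.log', 'a') as out:  # hypothetical path
        for raw in sys.stdin:
            result = tracker.feed(raw)
            if result and result[1]:
                rec, points, total = result
                tag = 'ALERT' if total >= THRESHOLD else 'note'
                out.write(f"{tag} {rec['host']} +{points} total={total} {rec['method']} {rec['url']}\n")
                out.flush()
```

The script must be executable by the Apache user and stay running for the life of the server, since Apache starts the piped-log process once and keeps writing to it.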