Filter out error log by IP address?

on 28.01.2010 07:52:05 by mcapone

Hello,

I'm not sure this is a mod_perl question per se, but I'm hoping there's
a mod_perl solution to our problem.

We currently use a 3rd party security company to do a nessus-type
security audit on our site for PCI compliance. Their scans naturally
generate a lot of noise in the error log, to the point that legitimate
site errors are lost in the forest. What I'm hoping to find / create is
some kind of mechanism that can pre-empt writing to the error log and
either 1) ideally, don't log if the client IP is xxx.xxx.xxx.xxx, or 2)
always log the client IP address with each error, which will enable us
to filter those out manually after the fact. Either solution is acceptable.

Apache provides a trivial solution for the access_log, in the form of:

SetEnvIf Remote_Addr xxx.xxx.xxx.* nolog

... however, that solution does not extend to the error log. I'm hoping
there's a mod_perl "hook" that can allow me to change apache's error
logging behaviour to what I need it to be.

Can someone point me in the right direction?

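Option 2 from the question, filtering the scanner's addresses out after the fact, as an added example that is not part of the thread: a small Python filter over Apache 2.2-style error_log lines, which carry a `[client a.b.c.d]` field only for request-bound errors. The 203.0.113.0/24 range stands in for the vendor's xxx.xxx.xxx.* and the log lines are constructed.

```python
import ipaddress
import re

# Apache 2.2 error_log format: the client address is present only when the
# error belongs to a request; startup notices and other server-level
# errors carry no [client ...] field at all.
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\] \[(?P<level>[^\]]+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

def parse_error_line(line):
    """Return (level, client_ip_or_None, message), or None if unparsable."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("level"), m.group("client"), m.group("msg")

def filter_scanner_noise(lines, scanner_nets):
    """Yield error_log lines, dropping those attributed to a scanner network.
    Lines without [client] or in an unexpected format are kept: dropping them
    silently could hide real problems."""
    nets = [ipaddress.ip_network(n) for n in scanner_nets]
    for line in lines:
        parsed = parse_error_line(line)
        if parsed is None or parsed[1] is None:
            yield line
            continue
        try:
            addr = ipaddress.ip_address(parsed[1])
        except ValueError:
            yield line  # malformed address: keep rather than guess
            continue
        if not any(addr in net for net in nets):
            yield line

# Constructed sample lines in Apache 2.2 format; 203.0.113.0/24 plays the
# role of the scanner's range (the xxx.xxx.xxx.* of the original post).
SAMPLE_LOG = [
    "[Thu Jan 28 07:52:05 2010] [notice] Apache/2.2.14 (Unix) mod_perl/2.0.4 configured -- resuming normal operations\n",
    "[Thu Jan 28 07:52:09 2010] [error] [client 203.0.113.7] File does not exist: /var/www/htdocs/cgi-bin/test.cgi\n",
    "[Thu Jan 28 07:52:09 2010] [error] [client 203.0.113.8] script not found or unable to stat: /var/www/cgi-bin/php\n",
    "[Thu Jan 28 07:53:01 2010] [error] [client 198.51.100.20] Can't locate Foo/Bar.pm in @INC at /var/www/perl/App.pm line 12.\n",
]

def demo():
    """Filter the sample with the scanner range; returns the surviving lines."""
    return list(filter_scanner_noise(SAMPLE_LOG, ["203.0.113.0/24"]))
```

To run it over a real log, pass an open file handle (or sys.stdin) instead of SAMPLE_LOG; the scanner ranges are whatever the audit vendor documents.
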
Re: Filter out error log by IP address?

on 28.01.2010 10:39:16 by Sean Davis

On Thu, Jan 28, 2010 at 1:52 AM, Michael A. Capone wrote:
> Hello,
>
> I'm not sure this is a mod_perl question per se, but I'm hoping there's
> a mod_perl solution to our problem.
>
> We currently use a 3rd party security company to do a nessus-type
> security audit on our site for PCI compliance. Their scans naturally
> generate a lot of noise in the error log, to the point that legitimate
> site errors are lost in the forest. What I'm hoping to find / create is
> some kind of mechanism that can pre-empt writing to the error log and
> either 1) ideally, don't log if the client IP is xxx.xxx.xxx.xxx, or 2)
> always log the client IP address with each error, which will enable us
> to filter those out manually after the fact. Either solution is acceptable.
>
> Apache provides a trivial solution for the access_log, in the form of:
>
>    SetEnvIf Remote_Addr xxx.xxx.xxx.* nolog
>
> ... however, that solution does not extend to the error log. I'm hoping
> there's a mod_perl "hook" that can allow me to change apache's error
> logging behaviour to what I need it to be.
>
> Can someone point me in the right direction?

Hi, Michael. Here is the LogHandler information:

http://perl.apache.org/docs/2.0/user/handlers/http.html#PerlLogHandler

Sean

Re: Filter out error log by IP address?

on 28.01.2010 10:54:22 by torsten.foertsch

On Thursday 28 January 2010 07:52:05 Michael A. Capone wrote:
> We currently use a 3rd party security company to do a nessus-type
> security audit on our site for PCI compliance. Their scans naturally
> generate a lot of noise in the error log, to the point that legitimate
> site errors are lost in the forest. What I'm hoping to find / create is
> some kind of mechanism that can pre-empt writing to the error log and
> either 1) ideally, don't log if the client IP is xxx.xxx.xxx.xxx, or 2)
> always log the client IP address with each error, which will enable us
> to filter those out manually after the fact. Either solution is
> acceptable.
>
> Apache provides a trivial solution for the access_log, in the form of:
>
> SetEnvIf Remote_Addr xxx.xxx.xxx.* nolog
>
> ... however, that solution does not extend to the error log. I'm hoping
> there's a mod_perl "hook" that can allow me to change apache's error
> logging behaviour to what I need it to be.
>
There is an error_log hook in apache:

error_log
declared in ./include/http_log.h
implemented in ./server/log.c
type is VOID
void error_log(const char *file, int line, int level, apr_status_t status,
               const server_rec *s, const request_rec *r, apr_pool_t *pool,
               const char *errstr)

It is run at the end of log_error_core(). That means the error is already
logged.

But perhaps you can set ErrorLog to /dev/null and implement your own logging
using that hook.

That is where I would start.

Torsten