Configuring mod_authnz_ldap to search & compare using server's credentials, not users'

on 27.01.2010 18:35:00 by pthomas

I have a situation where presentation of an X.509 certificate by a user
in two-way SSL is considered authoritative for identification purposes,
however I need to use the directory for attribute and authorization
information.

The LDAP server expects me to bind via my server certificate with
two-way SSL. This is preferred in this environment over using a BindDN
and password.

By using +FakeBasicAuth*1, I was able to get the 1st step [search]
working; however, mod_authnz_ldap automatically switches over to
attempting a bind as the user in the compare step. In this case, it
does so with the "pseudo-password" provided by FakeBasicAuth.
[Obviously this fails.]

The rest of the implementation is exactly what I need--it's only the switch
from anonymous/server bind to user bind that I need to change*2. I'd
like to see a directive to mod_authnz_ldap that instructed it to use the
same binding for the compare phase as it did for search. [I've also
been looking at using ldaprc to see if TLS_ directives there can
override application settings].

Has anyone else cracked this nut already, either with a "fork" of
mod_authnz_ldap or their own module written on top of mod_ldap?

--Pete
----
Configuration details:

- Solaris (both x86 & sparc servers)
- Apache 2.2.9
- OpenLDAP 2.3.41

----
*1In this case we would need to make sure that an actual Basic Auth
dialog was never presented; otherwise we could have users entering
another user's DN by hand to masquerade as them.

*2"Collapsing" the LDAP caches is another possible related optimization
in this situation. If we are binding with the same credentials, we
don't have to worry about polluting a cache with unauthorized data from
another user's context.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

mod_log_config issue

on 27.01.2010 19:59:31 by Joe Hammerman

Hello Apache users list.

We have an issue with mod_log_config; specifically we are trying to pipe log output through Sed before it goes to Cronolog. The result is that we get no output whatsoever.

Here is a sample of the directives we are using in our VirtualHost container:

CustomLog "| /bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/survey_log" combined env=survey_log

ErrorLog "| /bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/error_log"

We have also experimented with writing a wrapper script that performs all three of the above functions - the result is the same.

Does anyone have any input? Is what we are attempting possible?

Thanks!

Re: mod_log_config issue

on 27.01.2010 21:02:54 by Dan Poirier

Joe Hammerman writes:

> Hello Apache users list.
>
> We have an issue with mod_log_config; specifically we are trying to pipe log output through Sed before it goes to Cronolog. The result is that we get no output whatsoever.
>
> Here is a sample of the directives we are using in our VirtualHost container:
>
> CustomLog "| /bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/survey_log" combined env=survey_log
>
> ErrorLog "| /bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/error_log"
>
> We have also experimented with writing a wrapper script that performs all three of the above functions - the result is the same.
>
> Does anyone have any input? Is what we are attempting possible?

What's the simplest case that doesn't work? What if you take out the
whole 'sed' command and just use /bin/cat? Does invoking cronolog with
sudo work when not receiving input piped from another command? Does it
work with a simpler sed script?


Re: Re: mod_log_config issue

on 27.01.2010 21:09:40 by pmilanese

Isn't cronolog highly dependent on the w3c log convention?



RE: Re: mod_log_config issue

on 27.01.2010 22:33:54 by Joe Hammerman

Hi Dan,
If we replaced Sed with Cat, I'm a little confused as to what we would be catting; there's a stream coming in, right?

To your second question - yes, logging is fully functional with sudo

To your final question - no, even with a sed command that performs no actions, no logging information is generated.

Re: mod_log_config issue

on 28.01.2010 16:09:34 by Dan Poirier

Joe Hammerman writes:

> If we replaced Sed with Cat, I'm a little confused as to what we would be catting; there's a stream coming in, right?
>
> To your second question - yes, logging is fully functional with sudo
>
> To your final question - no, even with a sed command that performs no actions, no logging information is generated.
>
> -----Original Message-----
> From: news [mailto:news@ger.gmane.org] On Behalf Of Dan Poirier
> Sent: Wednesday, January 27, 2010 12:03 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Re: mod_log_config issue
>
>> We have an issue with mod_log_config; specifically we are trying to pipe log output through Sed before it goes to Cronolog. The result is that we get no output whatsoever.
>>
>> CustomLog "| /bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/survey_log" combined env=survey_log
>>
>> ErrorLog "| /bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/error_log"
>>
>> We have also experimented with writing a wrapper script that performs all three of the above functions - the result is the same.
>>
> What's the simplest case that doesn't work? What if you take out the
> whole 'sed' command and just use /bin/cat? Does invoking cronolog with
> sudo work when not receiving input piped from another command? Does it
> work with a simpler sed script?

Okay, then you're saying this gives you logging:

CustomLog "| /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/survey_log" combined env=survey_log

but this doesn't:

CustomLog "| /bin/sed | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/survey_log" combined env=survey_log

How about this:

CustomLog "| /bin/cat | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/survey_log" combined env=survey_log

"cat" with no arguments just copies stdin to stdout, so we can tell if sed is the problem, or the piping.

Also, I would think if putting the piped command directly in the log config is the problem, then replacing it with a wrapper script ought to work. I assume your script looked like:

#!/bin/sh
/bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/survey_log

(maybe with one level of backslashes removed), was marked executable, and the full path was configured:

CustomLog "| /path/to/wrapper/script" combined env=survey_log

You might try a simpler script:

#!/bin/sh
/bin/cat >>/path/to/logfile

again just to rule out something funny in the sed/sudo/cronolog part as opposed to Apache.


RE: Re: mod_log_config issue

on 28.01.2010 20:46:34 by Joe Hammerman

Hi Dan,

When the sed command is replaced with /bin/cat, logs are generated. Using a sed command that does nothing results in no log output; e.g.

CustomLog "| /bin/sed s/// |/usr/bin/cronolog..."

Or

CustomLog "| /bin/sed 's///' | /usr/bin/cronolog..."

Or

CustomLog "| /bin/sed -e 's///' | /usr/bin/cronolog..."

:/

I have tried using a wrapper script. Here it is in its original form:

#!/bin/bash

cat - | while read LINE
do
echo ${LINE} |
/bin/sed s/[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\}\\\.[0-9]\\\{1,3\\\},\\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/access_log
done

and then, per your suggestion:

#!/bin/bash

#cat - | while read LINE
#do
#echo ${LINE} |
/bin/sed s/[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\},\\ //g | /usr/bin/sudo -u VEsvc /usr/sbin/cronolog --period=1hours /mnt/export/www/logs/beacon/%Y%m%d/%H/access_log
#done


httpd.conf was configured as you said.

In either case, no logs are generated.

Re: Re: mod_log_config issue

on 28.01.2010 21:17:44 by Justin Pasher

Joe Hammerman wrote:
> Hi Dan,
>
> When the sed command is replaced with /bin/cat, logs are generated. Using a sed command that does nothing results in no log output; e.g.
>
> CustomLog "| /bin/sed s/// |/usr/bin/cronolog..."
> CustomLog "| /bin/sed 's///' | /usr/bin/cronolog..."
> CustomLog "| /bin/sed -e 's///' | /usr/bin/cronolog..."
>

I haven't really been following this thread in detail, but here are some
things I noticed.

All three of the sed commands above are invalid, so it doesn't surprise
me there is no output.

$ echo "test" | sed s///
sed: -e expression #1, char 0: no previous regular expression
$ echo "test" | sed 's///'
sed: -e expression #1, char 0: no previous regular expression
$ echo "test" | sed -e 's///'
sed: -e expression #1, char 0: no previous regular expression

Since replacing it with cat works, it means the sed command in your
original code is not working as expected. Try logging directly to a
file, then run your sed commands or wrapper script on that file (e.g.
cat this.log | sed -e 's/blah/blah/'). Once you have verified that is
working properly, then come back to putting it into the apache config.

There is also a chance that the escape sequences for a shell are
different than those for the apache directive. You can verify that by
starting out with a much simpler sed script, then expanding from there.

--
Justin Pasher
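
Added example (not part of Justin's message or of the thread): one way to run the offline check suggested above before the filter goes into a piped CustomLog. It uses the thread's sed expression with one level of backslashes inside single quotes; the function names and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a log-scrubbing sed filter offline before using it in
# a piped CustomLog. Function names and sample lines are constructed.

# The thread's expression with one level of backslashes. Single quotes make
# the shell hand it to sed unchanged: delete every "a.b.c.d, " sequence.
SCRUB_EXPR='s/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}, //g'

# Pattern used to detect an address-plus-comma pair the filter left behind.
LEFTOVER_RE='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}, '

# Constructed sample input (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10, 198.51.100.7, 203.0.113.5 - - [28/Jan/2010:12:00:00 -0800] "GET /survey HTTP/1.1" 200 512
203.0.113.9 - - [28/Jan/2010:12:00:01 -0800] "GET /beacon HTTP/1.1" 204 0
EOF
}

# scrub EXPR: apply EXPR to stdin; the exit status is sed's own.
scrub() {
    sed -e "$1"
}

# check_filter EXPR: return 0 only if sed accepts EXPR, every input line
# comes out again, and no "address, " pair survives.
check_filter() {
    filter_expr=$1
    if ! out=$(sample_log | scrub "$filter_expr" 2>/dev/null); then
        echo "FAIL: sed rejected the expression: $filter_expr"
        return 1
    fi
    in_lines=$(sample_log | grep -c '')
    out_lines=$(printf '%s\n' "$out" | grep -c '')
    if [ "$in_lines" -ne "$out_lines" ]; then
        echo "FAIL: $in_lines lines in, $out_lines lines out"
        return 1
    fi
    if printf '%s\n' "$out" | grep -q "$LEFTOVER_RE"; then
        echo "FAIL: address list entries remain in the output"
        return 1
    fi
    echo "OK: $out_lines lines scrubbed"
}

check_filter "$SCRUB_EXPR"
```

A filter that passes here is known to be valid sed, so any remaining failure under Apache points at the backslash levels in the directive or at the pipeline itself.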

RE: Re: mod_log_config issue

on 28.01.2010 21:44:22 by Joe Hammerman

Justin - the wrapper script (in its original form) that I provided in my previous email has been tested in this manner against sample data.

You are correct about my sed syntax - I have replaced those commands with s/antelope// in the formats provided below, and verified that there is no output.

Editing the scripts referenced below so that they also replace antelope with nothing also results in no output.

Any other thoughts?

RE: Re: mod_log_config issue

on 29.01.2010 20:43:06 by Joe Hammerman

Hey all. First of all thanks for the assistance.

I haven't resolved the issue, however I thought I would add some more detail regarding my investigations, if anyone ever digs through these archives.

It seems that sed doesn't actually flush the stream it is editing until it hits a '\n'. So I bet sed is editing the stream in place, and storing all of its edits in memory.

LogFormat supports the '\n' character - but I still can't get sed to actually write out to disk.
