> > Does anyone else get entries like this in their apache2 access_log: > > > > 127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470 > > > > I get a whole slew of them every day. They always show up in batches > > and each entry in a batch is logged at almost the same second. > That make sense, since 400 means 'bad request' the culprit probably > fails a preset number of times and then gives up. Perhaps 127.0.0.1 is > the setting for something in the absence of a sane configuration - in > other words, it might be tricky to track this one down. You'll have to > let us know what gurific sleuthing techniques you employ to track down > the bad guys.
What do you mean by "bad guys"? I made a mistake in my initial post. The 127.0.0.1 entries always show up in ssl_access_log, not access_log. Also, I noticed that a huge block of them always appears at the very beginning of each day's ssl_access_log at exactly 3:10AM. > You should perhaps use combined logging so you get more information, > like the user agent and such. right now you're using 'common' logging > which has the additional disadvantage that it doesn't give you > particularly useful information if you decide to use a statistical > analyzer like awstats on your archive of logs from the past umpteen > years. The user agent might be useful for debugging purposes. I switched ssl_access_log temporarily to the combined format, and it was definitely working, but the 127.0.0.1 error looked exactly as it did in common format with no extra information. > You might also consider running tcpdump for a few hours or so, or > something, and have it watch for that port and interface and run ps or > something if you get output from it. Or use iptables logging for the > job, if you'd rather do that. Any specific commands or even just certain parameters I should look into? - Grant -- [EMAIL PROTECTED] mailing list
