Many thanks for all the answers on this one, folks - in summary, the
suggestions were packet tracing, mod_security, RewriteLog, and
mod_log_forensic.
I went for packet tracing using tshark with a capture condition to
minimise the performance impact, which worked nicely. The requests in
question were completely missing, so the next possibility is an
occasional DNS lookup failure.
cheers
John
Paul Querna wrote:
mod_log_forensic was created for exactly this purpose:
<http://httpd.apache.org/docs/2.2/mod/mod_log_forensic.html>
hope that helps,
Paul