On Thursday 10 February 2011, Daniel Ruggeri wrote: > On 2/10/2011 2:21 AM, Nick Gearls wrote: > > Probably not, but as we specify the time-outs to allow all normal > > requests (we hope), I'd like to be warned when an attack occurs, > > but also if one of my genuine customers is blocked (to possibly > > fine-tunes the time-outs). > > We should figure out what the general case would be for users. > Since per-module logging levels is a reality, it's a trivial > matter to let the server admin decide if they want to log these > messages. My concern with putting it at WARN level (and a server > admin doesn't want these messages), they may accidentally suppress > other warnings. I may be speaking out of turn, though, since I > don't know what messages this module emits and at what levels.
For trunk, WARN is OK becasue the admin can set mod_reqtimeout's loglevel separately and mod_reqtimeout doesn't log anything else. For 2.2.x, I am reluctant to bump it to warn, as this may become too noisy. And the acess log should already record the timeouts with status 408. > > Another option would be to set an environment variable, so I > > could check it and handle my notification manually. > > Maybe I misunderstand the idea, but why wouldn't creating a > 'LogTimeoutErrors' (or something to that effect) directive be The > Right Thing to do in this case? For 2.2.x we would need something like that to make it configurable. But do we really need that?
