
Feature #530

Custom http logging

Added by Ignacio Sanchez almost 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal

Description

The following patch adds support for custom http logging using a format syntax inspired by Apache mod_log_config.

In order to activate the custom logging feature, the parameters custom and customformat shall be specified in the suricata.yaml configuration file.

Example (next to "extended" under http-log):

custom: yes # enable the custom logging format (defined by customformat)
customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"

In addition to %h, %H, %m, %u, %i, %C, %s, %o and %B (almost as described by mod_log_config, http://httpd.apache.org/docs/2.0/mod/mod_log_config.html), I have added %z, %a, %p, %A and %P for the precision time, IPs and ports.

I have tested it in suricata 1.3.1b2 and in the latest suricata git version at the time of writing and it seems to be working fine.

As illustrated by the example, the XFF client IP can be logged with "%{X-Forwarded-For}i", and using the right customformat string the HTTP transaction log files would be directly readable by awstats or piwik, so now we can have real-time statistics of the monitored web applications.
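
Added example (not part of the patch or of Suricata's own code): a small Python renderer that applies a customformat string to one constructed HTTP transaction, so the shape of the resulting log line can be checked without running the sensor. Directive meanings follow the description above; %h is taken as the HTTP Host header (an assumption, since %a/%A carry the client and server IPs), header names are matched case-insensitively, a missing header or cookie prints as "-" in the mod_log_config convention, and client-supplied values such as X-Forwarded-For have control characters escaped before they reach the line. That escaping is this example's own choice, not something the patch claims.

```python
"""Renderer for a mod_log_config-style customformat string (example code).

Not Suricata's implementation: directive meanings are read from the issue
description, %h is assumed to be the Host header, and the escaping in
_safe() is this example's own addition.
"""
import re
from datetime import datetime, timezone

# The customformat string from the issue description.
PAGE_FORMAT = "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"

# Constructed sample transaction (not captured from Suricata).
SAMPLE_TX = {
    "ts": datetime(2012, 9, 14, 10, 23, 45, 123456, tzinfo=timezone.utc),
    "src_ip": "10.0.0.5", "src_port": 51234,        # %a / %p
    "dst_ip": "192.0.2.10", "dst_port": 80,         # %A / %P
    "method": "GET", "uri": "/index.php?id=1", "proto": "HTTP/1.1",
    "host": "www.example.com",                      # assumed meaning of %h
    "status": 200, "body_bytes": 5120,
    "req_headers": {"X-Forwarded-For": "203.0.113.7", "User-Agent": "curl/7.26.0"},
    "resp_headers": {"Server": "nginx", "Content-Type": "text/html"},
    "cookies": {"session": "abc123"},
}

# Matches %X, %{arg}X and %% (a literal percent sign).
_DIRECTIVE = re.compile(r"%(?:\{([^}]*)\})?(%|[A-Za-z])")


def _safe(value):
    """Escape backslashes and control characters so a client-controlled value
    (an X-Forwarded-For header, a URI) cannot inject a line break or a forged
    record into the log. Example's own hardening, not part of the patch."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _header(headers, name):
    """Case-insensitive header lookup; None when absent or no name given."""
    if name is None:
        return None
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _expand(arg, directive, tx):
    """Expand one directive; '-' stands for a missing value, as in Apache."""
    ts = tx["ts"]
    if directive == "%":
        return "%"
    if directive == "t":                        # %t or %{strftime-format}t
        return ts.strftime(arg or "[%d/%b/%Y:%H:%M:%S %z]")
    if directive == "z":                        # sub-second precision (microseconds)
        return "%06d" % ts.microsecond
    if directive == "i":                        # %{Name}i request header
        value = _header(tx["req_headers"], arg)
        return _safe(value) if value is not None else "-"
    if directive == "o":                        # %{Name}o response header
        value = _header(tx["resp_headers"], arg)
        return _safe(value) if value is not None else "-"
    if directive == "C":                        # %{name}C request cookie
        value = tx["cookies"].get(arg) if arg else None
        return _safe(value) if value is not None else "-"
    simple = {
        "h": tx["host"], "H": tx["proto"], "m": tx["method"], "u": tx["uri"],
        "s": str(tx["status"]), "B": str(tx["body_bytes"]),
        "a": tx["src_ip"], "p": str(tx["src_port"]),
        "A": tx["dst_ip"], "P": str(tx["dst_port"]),
    }
    if directive in simple:
        return _safe(simple[directive])
    raise ValueError("unknown directive %%%s in customformat" % directive)


def render(fmt, tx):
    """Apply a customformat string to one transaction and return the log line."""
    return _DIRECTIVE.sub(lambda m: _expand(m.group(1), m.group(2), tx), fmt)


if __name__ == "__main__":
    print(render(PAGE_FORMAT, SAMPLE_TX))
```

Running the block prints one line in the page's format for the constructed transaction. The escaping matters for exactly the use case the description names: awstats and piwik treat each line as one record, so a raw X-Forwarded-For value containing CR/LF could otherwise split a record or forge a second one.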


Related issues

Related to Feature #478: XFF (X-Forwarded-For) (Closed, 06/08/2012)

History

#1

Updated by Ignacio Sanchez almost 7 years ago

  • File deleted (0001-Custom-logging-feature-for-log-httplog_REBASED.patch)
#2

Updated by Ignacio Sanchez almost 7 years ago

  • File deleted (0002-strcpy-replaced-by-strlcpy.patch)
#4

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Closed

Applied, thanks a lot Ignacio! Great contribution!
