Bug 53919 - DEFAULT_LOG_FORMAT is not RFC6302 compliant
Summary: DEFAULT_LOG_FORMAT is not RFC6302 compliant
Status: NEEDINFO
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_log_config (show other bugs)
Version: 2.4-HEAD
Hardware: All Linux
: P2 enhancement with 2 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
: 53920 (view as bug list)
Depends on:
Blocks: 53920
  Show dependency tree
 
Reported: 2012-09-21 15:38 UTC by john_brzozowski@cable.comcast.com
Modified: 2013-03-28 12:17 UTC (History)
0 users



Attachments
Updated #define DEFAULT_LOG_FORMAT in mod_log_config.c (54.57 KB, application/octet-stream)
2012-09-21 15:41 UTC, john_brzozowski@cable.comcast.com
Details

Note You need to log in before you can comment on or make changes to this bug.
Description john_brzozowski@cable.comcast.com 2012-09-21 15:38:05 UTC
DEFAULT_LOG_FORMAT is not RFC6302 compliant.

To reproduce:

* Enabling default logging setting in Apache HTTPD 2.4 or greater
* Visit the HTTP server from a web browser
* Check access_log
* Source port and seconds are not logged
Comment 1 john_brzozowski@cable.comcast.com 2012-09-21 15:41:58 UTC
Created attachment 29405 [details]
Updated #define DEFAULT_LOG_FORMAT in mod_log_config.c

Updated the #define for DEFAULT_LOG_FORMAT to be RFC6302 compliant.
Comment 2 Eric Covener 2012-09-21 17:33:56 UTC
*** Bug 53920 has been marked as a duplicate of this bug. ***
Comment 3 Eric Covener 2012-09-21 17:34:44 UTC
Is this even used in modern configurations? I don't think it's wise to update the default to anything other then NCSA common log format.  Anyone else with strong opinions?
Comment 4 john_brzozowski@cable.comcast.com 2012-09-21 17:36:18 UTC
With the increased used of IPv4 address sharing there seems to be a need to ensure that source port and second are logged by default.
Comment 5 Eric Covener 2012-09-21 17:47:49 UTC
(In reply to comment #4)
> With the increased used of IPv4 address sharing there seems to be a need to
> ensure that source port and second are logged by default.

I don't personally agree, especially for the hard-coded default.
Comment 6 Jeff Trawick 2012-09-21 18:30:05 UTC
IMO the patch can be to the default conf which adds another non-default log format.
Comment 7 john_brzozowski@cable.comcast.com 2012-09-21 19:57:02 UTC
So a change to the default httpd.conf?
Comment 8 Jeff Trawick 2012-09-21 23:17:32 UTC
>So a change to the default httpd.conf?
Yes.  httpd.conf.

The source of that is docs/conf/httpd.conf.in in the source tree, which already has three LogFormat directives.
Comment 9 john_brzozowski@cable.comcast.com 2012-11-28 02:07:08 UTC
Quick question, is there a documented naming convention for new LogFormat directives in httpd.conf?

Per the thread below I am ready to submit the following, however, I wanted to solicit some feedback on the naming convention before doing so:

LogFormat "%t %h %{remote}p %l %u \"%r\" %>s %b" detailed

Thanks,

John
Comment 10 Brett Watson 2012-12-13 17:02:11 UTC
John, I don't have a strong opinion on the LogFormat though your proposal looks reasonable. I don't know that it needs to be a default setting yet but as CGN gains momentum, I believe this type of logging may be something LEOs will require certain providers to enable. I assume changing the defaults might require a lot of folks to change log file parsers.
Comment 11 Chris Donley 2013-01-03 16:23:45 UTC
It's not just a LEO issue.  When CGN is deployed, an IPv4 address will be shared by several people.  This level of logging is required for data analytics, abuse response/address reputation, tracking unique visitors, and targeted advertising.  Logging the IPv4 address alone (e.g. without port information) paints with too broad a brush, and will be insufficient to identify a user/household. So, a lot of people will need to change log parsers, anyways.
Comment 12 Chris Grundemann 2013-01-08 17:15:33 UTC
In fact, "CGN" is already in wide use by most mobile providers (cell phones). The use in residential broadband is what's coming and it's coming fast. Source port and seconds need to be logged by default ASAP, or we will see more and more address-sharing related problems from LEA, abuse departments, security folks, etc, etc.

John is proposing a much needed change.
Comment 13 Eric Covener 2013-01-08 17:18:00 UTC
> John is proposing a much needed change.

It's not a much needed change. Administrators can set whatever log format they like today.
Comment 14 Chris Donley 2013-01-08 17:22:35 UTC
If it's not the default, most administrators won't enable it, and that will lead to problems. John's change should be the default; administrators who want to use the older format can then set it in the config file, as you said.
Comment 15 Eric Covener 2013-01-08 17:28:24 UTC
(In reply to comment #14)
> If it's not the default, most administrators won't enable it, and that will
> lead to problems. John's change should be the default; administrators who
> want to use the older format can then set it in the config file, as you said.

AFAIK there is no plan to have the proposed named format be the default in the shipped configuration file.  The best place to discuss that would be the development mailing list.
Comment 16 Chris Grundemann 2013-01-09 21:31:57 UTC
(In reply to comment #15)
> AFAIK there is no plan to have the proposed named format be the default in
> the shipped configuration file.

That is a problem.

Insufficient logging is tantamount to no logging and I posit that logging is required by default.
Comment 17 Alain Durand 2013-01-10 01:04:46 UTC
+1
CGNs are a reality. We need RFC6302 support on Internet facing servers, as such I support making this the default. If not, it will never be turned on, as people will simply not think about it. 

Alain.
Comment 18 Daniel Gruno 2013-01-10 14:27:32 UTC
Plugging your own RFC as if a project that precedes it by 15 years is suddenly guilty of war crimes is hardly the way to go. I could argue that anything on port 80 is in violation of the SSL RFC and demand that SSL be default for everything, but that's not an enhancement or a bug in httpd, that's a _request for change_ that has a great impact on a lot of people, which _needs to be discussed on the mailing list, not in Bugzilla_. Please, take this discussion to the mailing list, or you will likely not get any constructive dialogue going, and certainly not the change you are hoping for.

Please see http://httpd.apache.org/lists.html for information on how to subscribe to our developer mailing list.
Comment 19 Eric Covener 2013-01-10 14:27:52 UTC
> * Source port and seconds are not logged

Aren't seconds in there by default?  Is there a patch for the default configuration that is minimally invasive to existing log parsers? Is UTC important?
Comment 20 john_brzozowski@cable.comcast.com 2013-03-28 12:17:37 UTC
Daniel,

FWIW - I made the initial reference to RFC6302 when I submitted the original patch.  I am not an author or contributor to RFC6302.

John