Apache virtual hosts - logging outgoing traffic

Posted on 2012-09-07
Last Modified: 2012-09-20
Let's consider an Apache web server which hosts dozens of named virtual hosts.

Is it somehow possible to log outgoing traffic?
The requirement is to have the virtual host name logged.

I need that for security reasons, for example a hacked PHP/system cron or
modified PHP code of applications.

A possible solution would be to use the iptables firewall with the Owner match extension.
Question by: marianhe

Accepted Solution

ahoffmann earned 1000 total points
> Is it somehow possible to log outgoing traffic?
if you really mean "somehow", then yes, for example by using mod_security

if you mean "all", then the answer is no, 'cause apache can only control what's passed to it
also if you suspect hacked scripts (PHP and such), then apache won't help either 'cause these scripts may connect to outside directly
best is to use your firewall (iptables) to do it

but stop: do you really mean to log everything? I doubt it, 'cause that would simply crash your system due to limited space very shortly.
if you expect hacked PHP files, then you better disable PHP until you fixed the problem
if you expect a hacked system (cron etc.) you better disconnect the system from any network until you fixed the problem
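
The firewall approach from the answer above, combined with the Owner match extension the question mentions, as an added example that is not part of the original thread. It assumes each virtual host runs its scripts under its own Unix user (for example via suEXEC, mpm-itk or per-vhost PHP-FPM pools), because the owner match sees only the UID of the socket owner; the host and user names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables rules that log NEW
# outgoing connections per virtual host. Review the output before applying it.

# Constructed mapping "vhost-name:unix-user"; assumes one Unix user per vhost.
VHOST_USERS="shop.example.com:vh_shop blog.example.com:vh_blog"

# The LOG target's --log-prefix accepts at most 29 characters.
MAX_PREFIX=29

# Build the log prefix for one vhost, truncating long names so the prefix
# still fits and still ends in a separating space.
vhost_prefix() {
    vp_prefix="out vh=$1 "
    if [ "${#vp_prefix}" -gt "$MAX_PREFIX" ]; then
        vp_prefix="$(printf '%s' "$vp_prefix" | cut -c1-$((MAX_PREFIX - 1))) "
    fi
    printf '%s' "$vp_prefix"
}

# Emit the rule for one vhost:
#   ! -o lo         skip loopback (local database, local resolver)
#   --ctstate NEW   one log line per connection, not per packet
#   --log-uid       also record the numeric UID in the kernel log line
vhost_rule() {
    printf 'iptables -A OUTPUT ! -o lo -m owner --uid-owner %s -m conntrack --ctstate NEW -j LOG --log-prefix "%s" --log-uid\n' \
        "$2" "$(vhost_prefix "$1")"
}

# Emit one rule per entry in VHOST_USERS.
generate_rules() {
    for gr_entry in $VHOST_USERS; do
        vhost_rule "${gr_entry%%:*}" "${gr_entry#*:}"
    done
}

generate_rules
```

Logging only new connections keeps the log volume manageable, and the prefix lets you grep the kernel log by virtual host name.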

Expert Comment

If what you are referring to is Apache outgoing traffic, then each Virtual Host can have its own separate log files.

You need to be able to access the http.conf file and in each virtual host add "custom log" lines.

For instance:

CustomLog /site_logs/vhostname_access.log combined
ErrorLog   /site_logs/vhostname_error.log

Obviously you should change the path and filenames to suit your environment.

These log files will become quite large over time (depending on how busy the server is) and you should rotate the log files for each virtual host at least monthly, if not more.

For more detailed explanations see:  http://httpd.apache.org/docs/2.2/vhosts/

If you are looking at "system" related traffic - not handled by Apache (bearing in mind that Apache will handle PHP in almost all cases) - then that is different. Here you would need to set up a "syslog" server instance, and then create a number of MRTG and IPTABLES rules.

The best solution if you are not familiar with running a web facing server would be to install a Hosting Management system (for Linux CPanel is popular).

Author Comment

Your first part of the post is irrelevant.
I emphasized the word "OUTGOING". Apache logs are for incoming traffic.

Expert Comment

Apache logs include the outgoing transfer in response to the incoming request.

Typically these are used in the hosting environment to measure and control bandwidth and resource usage on a server. You can also use the CustomLog directive to separate "incoming" and "outgoing" traffic into different logs - and if required include the virtual host name. The amount of detail in the Apache log files is up to you, and reading the Apache documentation will certainly help you with that. There are also a couple of Apache modules that can be used to include additional transport layer information.

Although you have not mentioned explicitly that you are using Linux, it's assumed here, and there are a great number of Open Source tools available to log activity on a Linux server, CSF is one that immediately comes to mind.
