mod_log_sql 2.0 Documentation

Instructing the module what NOT to log using filtering directives

One "accept" and two "ignore" directives allow you to fine-tune what the module should not log. These are very handy for keeping your database as uncluttered as possible and keeping your statistics free of unneeded numbers. Think of each one as a gatekeeper.

It is important to remember that each of these three directives is purely optional. mod_log_sql's default is to log everything.

When a request comes in, the contents of LogSQLRequestAccept are evaluated first. This optional, "blanket" directive lets you specify that only certain things are to be accepted for logging, and everything else discarded. Because it is evaluated before LogSQLRequestIgnore and LogSQLRemhostIgnore it can halt logging before those two filtering directives "get their chance."

Once a request makes it past LogSQLRequestAccept, it still can be excluded based on LogSQLRemhostIgnore and LogSQLRequestIgnore. A good way to use LogSQLRemhostIgnore is to prevent the module from logging the traffic that your internal hosts generate. LogSQLRequestIgnore is great for preventing things like requests for "favicon.ico" from cluttering up your database, as well as excluding the various requests that worms make, etc.

You can specify a series of strings after each directive. Do not use any type of globbing or regular-expression syntax -- each string is considered a match if it is a substring of the larger request or remote-host; the comparison is case-sensitive. This means that "LogSQLRemhostIgnore micro" will ignore requests from "microsoft.com," "microworld.net," "mymicroscope.org," etc. "LogSQLRequestIgnore gif" will instruct the module to ignore requests for "leftbar.gif," "bluedot.gif" and even "giftwrap.jpg" -- but "RED.GIF" and "Tree.Gif" would still get logged because of case sensitivity.

A summary of the decision flow:

  1. If LogSQLRequestAccept exists and a request does not match anything in that list, it is discarded.

  2. If a request matches anything in the LogSQLRequestIgnore list, it is discarded.

  3. If a request matches anything in the LogSQLRemhostIgnore list, it is discarded.

  4. Otherwise the request is logged.

This means that you can have a series of directives similar to the following:

LogSQLRequestAccept .html .gif .jpg
LogSQLRequestIgnore statistics.html bluedot.jpg

So the first line instructs the module to only log files with html, gif and jpg suffixes; requests for "formail.cgi" and "shopping-cart.pl" will never be considered for logging. ("LeftArrow.JPG" will also never be considered for logging -- remember, the comparison is case sensitive.) The second line prunes the list further -- you never want to log requests for those two objects.
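
The decision flow and substring matching described above, modelled in Python as an added example (not mod_log_sql's own code). It assumes the "request" is the request path string and uses constructed sample requests and hosts; `Filters`, `decide` and `discarded` are hypothetical names.

```python
# Model of the documented decision flow; added example, not mod_log_sql source.
from typing import NamedTuple, Tuple

class Filters(NamedTuple):
    request_accept: Tuple[str, ...] = ()  # LogSQLRequestAccept strings
    request_ignore: Tuple[str, ...] = ()  # LogSQLRequestIgnore strings
    remhost_ignore: Tuple[str, ...] = ()  # LogSQLRemhostIgnore strings

def decide(f: Filters, request: str, remote_host: str) -> Tuple[bool, str]:
    """Return (logged, reason), using case-sensitive substring matching."""
    # Step 1: if an accept list exists, the request must match one entry.
    if f.request_accept and not any(s in request for s in f.request_accept):
        return False, "no LogSQLRequestAccept match"
    # Step 2: any LogSQLRequestIgnore substring discards the request.
    for s in f.request_ignore:
        if s in request:
            return False, "LogSQLRequestIgnore " + s
    # Step 3: any LogSQLRemhostIgnore substring discards the request.
    for s in f.remhost_ignore:
        if s in remote_host:
            return False, "LogSQLRemhostIgnore " + s
    # Step 4: otherwise the request is logged.
    return True, "logged"

def discarded(f: Filters, samples):
    """List (request, remote_host, reason) for every sample that is not logged."""
    results = [(req, host, decide(f, req, host)) for req, host in samples]
    return [(req, host, why) for req, host, (ok, why) in results if not ok]

# Directives from the page's example, plus the foo.com tip.
PAGE_FILTERS = Filters(
    request_accept=(".html", ".gif", ".jpg"),
    request_ignore=("statistics.html", "bluedot.jpg"),
    remhost_ignore=("foo.com",),
)

# Constructed sample requests and remote hosts (not real traffic).
SAMPLES = [
    ("/index.html", "client.example.net"),           # logged
    ("/LeftArrow.JPG", "client.example.net"),        # upper-case suffix misses accept list
    ("/cgi-bin/formail.cgi", "client.example.net"),  # not in accept list
    ("/statistics.html", "client.example.net"),      # accepted, then ignored
    ("/index.html", "host1.corp.foo.com"),           # internal host
    ("/index.html", "www.notfoo.com"),               # unrelated host containing "foo.com"
]

if __name__ == "__main__":
    for row in discarded(PAGE_FILTERS, SAMPLES):
        print(row)
```

Running your own directive lists through `discarded` with representative requests shows what will never reach the database, including unintended substring matches such as an unrelated host name that contains "foo.com".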

[Tip]
  • If you want to match all the hosts in your domain such as "host1.corp.foo.com" and "server.dmz.foo.com", simply specify:

    LogSQLRemhostIgnore foo.com

  • A great way to catch the vast majority of worm-attack requests and prevent them from being logged is to specify:

    LogSQLRequestIgnore root.exe cmd.exe default.ida

  • To prevent the logging of requests for common graphic types, make sure to put a '.' before the suffix to avoid matches that you didn't intend:

    LogSQLRequestIgnore .gif .jpg