# Apache Module mod_log_forensic

| [Description](#calibre_link-11) | Forensic logging of requests: each request is logged twice, once before it is processed and once after processing completes |
| --- | --- |
| [Status](#calibre_link-12) | Extension |
| [Module Identifier](#calibre_link-13) | log_forensic_module |
| [Source File](#calibre_link-14) | mod_log_forensic.c |
| [Compatibility](#calibre_link-58) | `mod_unique_id` is no longer required since version 2.1 |

### Summary

This module provides for forensic logging of client requests. Logging is done before and after processing a request, so the forensic log contains two log lines for each request. The forensic logger is very strict, which means:

* The format is fixed. You cannot modify the logging format at runtime.
* If it cannot write its data, the child process exits immediately and may dump core (depending on your `CoreDumpDirectory` configuration).

The `check_forensic` script, which can be found in the distribution's support directory, may be helpful in evaluating the forensic log output.

## Forensic Log Format

Each request is logged two times. The first time is _before_ it's processed further (that is, after receiving the headers). The second log entry is written _after_ the request processing, at the same time that normal logging occurs.

In order to identify each request, a unique request ID is assigned. This forensic ID can be cross-logged in the normal transfer log using the `%{forensic-id}n` format string. If you're using `mod_unique_id`, its generated ID will be used.

The first line logs the forensic ID, the request line and all received headers, separated by pipe characters (`|`). A sample line looks like the following (all on one line):

```
+yQtJf8CoAB4AAFNXBIEAAAAA|GET /manual/de/images/down.gif HTTP/1.1|Host:localhost%3a8080|User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; rv%3a1.6) Gecko/20040216 Firefox/0.8|Accept:image/png, etc...
```

The plus character at the beginning indicates that this is the first log line of this request.
The second line just contains a minus character and the ID again:

```
-yQtJf8CoAB4AAFNXBIEAAAAA
```

The `check_forensic` script takes as its argument the name of the logfile. It looks for those `+`/`-` ID pairs and complains if a request was not completed.

## Security Considerations

See the [security tips](#calibre_link-281) document for details on why your security could be compromised if the directory where logfiles are stored is writable by anyone other than the user that starts the server.

## ForensicLog Directive

| [Description](#calibre_link-18) | Sets filename of the forensic log |
| --- | --- |
| [Syntax](#calibre_link-19) | `ForensicLog filename\|pipe` |
| [Context](#calibre_link-20) | server config, virtual host |
| [Status](#calibre_link-21) | Extension |
| [Module](#calibre_link-22) | mod_log_forensic |

The `ForensicLog` directive is used to log requests to the server for forensic analysis. Each log entry is assigned a unique ID which can be associated with the request using the normal `CustomLog` directive. `mod_log_forensic` creates a token called `forensic-id`, which can be added to the transfer log using the `%{forensic-id}n` format string.

The argument, which specifies the location to which the logs will be written, can take one of the following two types of values:

* *filename*: A filename, relative to the `ServerRoot`.
* *pipe*: The pipe character "`|`", followed by the path to a program to receive the log information on its standard input. The program name can be specified relative to the `ServerRoot` directive.

### Security

If a program is used, then it will be run as the user who started `httpd`. This will be root if the server was started by root; be sure that the program is secure or switches to a less privileged user.

### Note

When entering a file path on non-Unix platforms, care should be taken to make sure that only forward slashes are used even though the platform may allow the use of back slashes. In general it is a good idea to always use forward slashes throughout the configuration files.
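
The `+`/`-` pairing described under Forensic Log Format can be audited with a short script. The following Python sketch is an added example, not the `check_forensic` script shipped with the distribution; the sample log and its IDs are constructed, and decoding `%xx` escapes in the fields is an assumption based on the `%3a` seen in the sample line.

```python
from urllib.parse import unquote

# Constructed sample forensic log (not from a real server); IDs are made up.
SAMPLE_LOG = """\
+AAAAid0001|GET /index.html HTTP/1.1|Host:localhost%3a8080|Accept:text/html
-AAAAid0001
+AAAAid0002|POST /upload HTTP/1.1|Host:localhost%3a8080|Content-Length:1048576
+AAAAid0003|GET /status HTTP/1.1|Host:localhost%3a8080
-AAAAid0003
-AAAAid0099
garbage line
"""

def parse_start(line):
    """Split a '+' line into (id, request line, {header: value})."""
    fid, request, *fields = line[1:].split("|")
    headers = {}
    for field in fields:
        name, _, value = field.partition(":")
        # Assumption: field contents use %xx escapes, as in 'localhost%3a8080'.
        headers[unquote(name)] = unquote(value)
    return fid, unquote(request), headers

def audit(lines):
    """Pair '+'/'-' entries; return unfinished requests and anomalies."""
    pending, anomalies = {}, []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line[0] == "+" and "|" in line:
            fid, request, headers = parse_start(line)
            if fid in pending:
                anomalies.append((lineno, "duplicate start", fid))
            pending[fid] = (request, headers)
        elif line[0] == "-":
            # A '-' line closes the request with the same forensic ID.
            if pending.pop(line[1:], None) is None:
                anomalies.append((lineno, "end without start", line[1:]))
        else:
            anomalies.append((lineno, "malformed", line))
    return pending, anomalies

if __name__ == "__main__":
    unfinished, anomalies = audit(SAMPLE_LOG.splitlines())
    for fid, (request, headers) in unfinished.items():
        print(f"never completed: {fid} {request!r} host={headers.get('Host')}")
    for lineno, kind, detail in anomalies:
        print(f"line {lineno}: {kind}: {detail}")
```

A request that appears only with a `+` line is one the server began handling but never finished logging, which is the case worth correlating with child crashes; `-` lines without a start and malformed lines are worth reviewing given the log-directory permission concern noted under Security Considerations.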