
#187 Apache http error 408 causes awstats to fail

closed
2
2020-01-13
2003-06-02
CoreOne
No

When Apache gets too many 408 errors at the
beginning of its log file, awstats complains about the log
file not being in the correct format and will not proceed
until the leading 408 errors are removed. 408 errors later
in the log file are processed (apparently) as corrupted
lines. The 408 error lines are of the following format:

xxx.xxx.xxx.xxx - - [01/Jun/2003:04:49:08 -0400] "-" 408 - "-" "-

This is in the correct format (LogFormat=1, Apache
combined format), but since there is no real data it
errors out. This 408 traffic is conjectured to be caused
by CodeRed attempts that are detected by firewalls or
routers and have their payloads dropped (see
http://cert.uni-stuttgart.de/archive/incidents/2002/02/msg00015.html).
I'm not exactly sure this would be a bug or just
something that needs to be dealt with by the end-user of
awstats, but I wanted to give a heads-up anyways.

Excellent software, BTW...

Thanks.

Discussion

  • Laurent Destailleur (Eldy)

    Logged In: YES
    user_id=96898

    To avoid this you can increase the parameter
    NbOfLinesForCorruptedLog=50
    to
    NbOfLinesForCorruptedLog=10000
    for example.

     
  • Jan Grewe

    Jan Grewe - 2012-11-20

    Just FYI, this is still happening...

    Error while processing /etc/awstats/awstats.faked.org.conf
    Create/Update database for config "/etc/awstats/awstats.faked.org.conf" by AWStats version 7.0 (build 1.971)
    From data in log file "/var/log/apache2/access.log"...
    Phase 1 : First bypass old records, searching new record...
    Direct access after last parsed record (after line 26920)
    AWStats did not find any valid log lines that match your LogFormat parameter, in the 50th first non commented lines read of your log.
    Your log file /var/log/apache2/access.log must have a bad format or LogFormat parameter setup does not match this format.
    Your AWStats LogFormat parameter is:
    1
    This means each line in your web server log file need to have "combined log format" like this:
    111.22.33.44 - - [10/Jan/2001:02:14:14 +0200] "GET / HTTP/1.1" 200 1234 "http://www.fromserver.com/from.htm" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    And this is an example of records AWStats found in your log file (the record number 50 in your log):
    67.140.151.166 - - [20/Nov/2012:03:19:18 +0100] "-" 408 0 "-" "-"
    Setup ('/etc/awstats/awstats.faked.org.conf' file, web server or permissions) may be wrong.
    Check config file, permissions and AWStats documentation (in 'docs' directory).
    

    ... and it was only 2 lines in the whole log!

     

    Last edit: Jan Grewe 2012-11-20
  • Alexis Wilke

    Alexis Wilke - 2020-01-13

    This is still happening.

    I don't think that having a really large number in NbOfLinesForCorruptedLog would ever be a good solution.

    You should be able to ignore 408 entries. Actually, as a stat tool, you should count them and show them in our reports.

    Especially, newer versions of Apache now have better handling of the slowloris attacks and will generate more 408 errors as a result.
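
A pre-flight check for the situation reported in this ticket, as an added example that is not part of the thread or of AWStats: it counts Apache combined-format records with status 408 and an empty request ("-"), both per client IP and as a leading run, and compares that run with a threshold standing in for NbOfLinesForCorruptedLog. The function names, the sample lines and the idea that these are the records AWStats rejects are assumptions of this example.

```python
import re
from collections import Counter

# Apache combined log format (AWStats LogFormat=1).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def empty_408_ip(line):
    """Return the client IP if the line is a 408 with no request ("-"), else None."""
    m = COMBINED.match(line.strip())
    if m and m["status"] == "408" and m["req"] == "-":
        return m["ip"]
    return None

def audit(lines, threshold=50):
    """Summarise empty-request 408 records.

    threshold mirrors NbOfLinesForCorruptedLog. Treating these records as the
    ones AWStats rejects is an assumption taken from the reports in this thread.
    """
    records = [l for l in lines if l.strip() and not l.startswith("#")]
    hits = [empty_408_ip(l) for l in records]
    leading = 0
    for ip in hits:          # length of the run of 408s at the start of the log
        if ip is None:
            break
        leading += 1
    per_ip = Counter(ip for ip in hits if ip)
    return {
        "leading_408": leading,
        "total_408": sum(per_ip.values()),
        "per_ip": per_ip,
        "exceeds_threshold": leading >= threshold,
    }

# Constructed sample (documentation addresses), not taken from a real log.
SAMPLE = [
    '192.0.2.10 - - [20/Nov/2012:03:19:18 +0100] "-" 408 0 "-" "-"',
    '192.0.2.10 - - [20/Nov/2012:03:19:19 +0100] "-" 408 - "-" "-"',
    '198.51.100.7 - - [20/Nov/2012:03:19:25 +0100] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/Nov/2012:03:20:01 +0100] "-" 408 0 "-" "-"',
]

if __name__ == "__main__":
    print(audit(SAMPLE, threshold=2))
```

The per-IP tally is the part that speaks to the last comment: a single address producing many empty 408 records is worth reporting rather than discarding.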

     
