On Dec 18, 2007 7:36 PM, Joshua Slive <[EMAIL PROTECTED]> wrote:

>
> The point of mod_log_forensic is to run it after an apache crash to
> see what requests were in play at the time of the crash. One way for
> you to do that would be to monitor memory usage on the apache box and
> kill -9 the server when things look to be getting out of control. Then
> you run check_forensic to see if you can find the cause.


Hi Joshua,

Ok we got another crash and our shared web servers (running under UML) was
unaccessible, however this time mod_forensic logging to a file.

Below is the logs when httpd bring the vm to its knees then i have to
restart it, i have replace the Host with 'xxx' just to protect our company
hosting.

Please let me know what would be action strategy now.

+10d8:476979f0:39a|POST /forum/posting.php
HTTP/1.0|Accept:*/*|User-Agent:Mozilla/4.0 (compatible; MSIE 4.01; Digital
AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha
Processor)|Referer:http%3a//www.xxx.com/forum/posting.php?mode=newtopic&f=12&sid=dd4189290cb614c55071a463743df2cd|Content-Type:application/x-www-form-urlencoded|Host:
www.xxx.com|Content-Length:59423|Pragma:no-cache|Cookie:phpbb2mysql_data=a%253A2%253A%257Bs%253A11%253A%2522autologinid%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522userid%2522%253Bs%253A5%253A%252214567%2522%253B%257D;
phpbb2mysql_sid=dd4189290cb614c55071a463743df2cd
+133e:476c9678:3|GET
/forum/viewtopic.php?p=51500&sid=578b164651a42205e13907ad29ee6c1f
HTTP/1.1|Host:www.xxx.com|Connection:Keep-alive|Accept:*/*|From:googlebot(at)googlebot.com|User-Agent:Mozilla/5.0
(compatible; Googlebot/2.1;
+http%3a//www.google.com/bot.html)|Accept-Encoding:gzip
+1341:476c9629:1|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+13c0:476c96a0:0|GET /app/cs.php?c=gb&pno=0 HTTP/1.1|Accept:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)|Host:
www.xxx.com|Cache-Control:max-stale=0|Connection:close|X-BlueCoat-Via:3EFBBB6A4CC354A7
+1bd5:47697260:1b0|POST /forum/posting.php
HTTP/1.0|Accept:*/*|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; SV1; .NET CLR 1.1.4322; XMPP Tiscali Communicator v.10.0.2; .NET CLR
2.0.50727
)|Referer:http%3a//www.xxx.com/forum/posting.php?mode=newtopic&f=12&sid=58b841154dc1bc186be53e6712dcf5d6|Content-Type:application/x-www-form-urlencoded|Host:
www.xxx.com|Content-Length:56738|Pragma:no-cache|Cookie:phpbb2mysql_data=a%253A2%253A%257Bs%253A11%253A%2522autologinid%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522userid%2522%253Bs%253A5%253A%252214564%2522%253B%257D;
phpbb2mysql_sid=58b841154dc1bc186be53e6712dcf5d6
+30e0:476c95af:3f1|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+3751:476c9585:3a2|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+37b5:476c9681:3b9|GET /
HTTP/1.1|Accept:*/*|Referer:http%3a//click.betafoxsearch.com/click/?dT0xNS4yMy45MzQ2ODgyLjI0NC4xJTdDNzY4NCU3QzE2OTk5JTdDMDAxMDg5Mjk0NjU4MjclN0MyNjAwOTAwMyU3QyU3QyU3QzU4JTdDJm51bWJlcj00JTNBNCZhZHRpdGxlPUNyZWF0ZSUyMGElMjBmcmVlJTIwbmV3c2xldHRlciUyMGZvciUyMHlvdXIlMjBjb25kbyUyMG9yJTIwY28tb3AmYWR1cmw9aHR0cCUzQSUyRiUyRnd3dy5teWNvbmRvbmV3c2xldHRlci5jb20mYWRib2R5PU15Q29uZG9OZXdzbGV0dGVyLmNvbSUyMGlzJTIwYSUyMGZyZWUlMjBzZXJ2aWNlJTIwZm9yJTIwY29uZG8lMjBhbmQlMjBjby1vcCUyMHJlc2lkZW50cyUyMHRvJTIwaW50ZXJhY3QlMjBvbmxpbmUuJTIwV2UlMjBwcm92aWRlJTIwYSUyMGZyZWUlMjBuZXdzbGV0dGVyJTIwYW55JTIwcmVzaWRlbnQlMjBjYW4lMjBhY2Nlc3MlMjB3aXRob3V0JTIwY2hhcmdlLiY=|Accept-Language:en-us|Accept-Encoding:gzip,
deflate|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
FunWebProducts; .NET CLR 1.1.4322)|Connection:Keep-Alive|Host:
www.mycondonewsletter.com
+3adb:476c95a3:385|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com
+4e1c:47680f0e:18c|GET /app/cs.php?c=mpage&id=1125&catid=2&mid=113
HTTP/1.1|Host:www.xxx.com|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1;
SV1)|Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9
,text/plain;q=0.8,image/png,*/*;q=0.5|Connection:close
+512b:47695866:464|POST /forum/posting.php
HTTP/1.0|Accept:*/*|User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1; .NET CLR 1.1.4322;
FDM)|Referer:http%3a//www.xxx.com/forum/posting.php?mode=newtopic&f=12&sid=dd19e39ca20bd404017e222fe1e06f04|Content-Type:application/x-www-form-urlencoded|Host:
www.xxx.com|Content-Length:58997|Pragma:no-cache|Cookie:phpbb2mysql_data=a%253A2%253A%257Bs%253A11%253A%2522autologinid%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522userid%2522%253Bs%253A5%253A%252214553%2522%253B%257D;
phpbb2mysql_sid=dd19e39ca20bd404017e222fe1e06f04
+7e4e:476c95e5:c1|GET /app/cs.php?c=gb&pno=0 HTTP/1.1|Accept:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)|Host:
www.xxx.com|Cache-Control:max-stale=0|Connection:Keep-Alive|X-BlueCoat-Via:3EFBBB6A4CC354A7
+7f31:476c9682:b5|GET /app/cs.php?c=gb&pno=0 HTTP/1.0|Accept:image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
*/*|Accept-Language:en|Accept-Encoding:gzip, deflate|User-Agent:Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)|Host:www.xxx.com


Thanks.
Askar

Reply via email to