Server Access Logs Missing Information

#1
We're currently running a two-server setup, a web server and a database server, using LiteSpeed as well as Cloudflare.
About a month ago we enabled Cloudflare's rate limiting feature to block certain traffic that would try to ping a specific URL.
At the same time, we noticed some people were able to get around the rate limiting we had in place, and we asked Cloudflare how to fix this. They requested the access logs; however, the access logs contained Cloudflare IPs, since we had never set LiteSpeed to store the original visitor IP. So Cloudflare asked us to restore the original visitor IPs in our logs.

We requested that our host restore the original visitor IP, but one of the techs did something that completely wiped all data from the access logs. Now all the access log reports is the localhost IP address and empty data. We've contacted them to fix it, but now none of the techs know how to fix it.

Prior to March 27 (before we requested that our host restore the original visitor IP) it would log just fine, like this:

Code:
108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA
162.158.111.58 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda34ae02b82-AMS
162.158.78.229 - - [27/Mar/2018:08:51:51 -0400] "GET /vs-full-4582db-4657.js HTTP/1.1" 200 492 "http://blog.uwinit.com/UWI_50_Sweepstakes_POP_OCT.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_3 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/65.0.3325.152 Mobile/15A432 Safari/604.1" 4021fda57db99f3c-IAD
108.162.246.20 - - [27/Mar/2018:08:51:51 -0400] "GET /vrlswp/full/4582db-4657?framed=1&ref=http%3A%2F%2Fwww.uwinit.com%2FPrize%2FIndex%2F17&hash= HTTP/1.1" 200 15468 "http://blog.uwinit.com/UWI_50_Sweepstakes_POP_OCT.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.1" 4021fda48d352a43-SEA
Now, ever since they made a change, it logs like this:
Code:
127.0.0.1 - - [11/Apr/2018:06:07:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
218.76.49.6 - - [11/Apr/2018:06:08:46 -0400] "GET /LoginPage.do HTTP/1.1" 404 10092 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)"
::1 - - [11/Apr/2018:06:09:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:09:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:10:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:11:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:12:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:12:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:14:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:15:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:15:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:15:41 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:17:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:18:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:19:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:20:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
::1 - - [11/Apr/2018:06:21:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:21:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:22:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:23:47 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:24:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:25:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:25:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:27:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:27:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:28:10 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:30:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:30:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:30:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
127.0.0.1 - - [11/Apr/2018:06:31:59 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
::1 - - [11/Apr/2018:06:33:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
127.0.0.1 - - [11/Apr/2018:06:33:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
I've already tried modifying the LiteSpeed setting "Use Client IP in Header" to NO/YES/Trusted IP Only, and the log never changes when trying all the different settings.

Any ideas on what to do here to fix this?
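A way to tell the two log excerpts apart automatically, as an added example that is not from the post, LiteSpeed, cPanel or Cloudflare: it parses combined-format lines and sorts the first column into loopback, a Cloudflare edge address, or anything else, using a subset of the IPv4 ranges Cloudflare publishes (an assumption about that list at the time of writing). The trailing token such as `4021fda448b52a31-SEA` in the older lines is treated as one optional extra field, since it has the shape of a CF-RAY value. The sample lines are constructed after the two excerpts above.

```python
"""Classify the client-IP column of combined-format access log lines.

Added example, not code from the thread, LiteSpeed, cPanel or Cloudflare.
It sorts each line into loopback (the symptom in the thread), Cloudflare
edge address (proxy IP not restored) or other (a client that reached the
origin without going through Cloudflare), and turns the counts into a verdict.
"""
import ipaddress
import re
from collections import Counter

# Subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# (assumed accurate when written; fetch the current list from that URL in production).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Apache "combined" LogFormat (%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"),
# plus one optional trailing token: the thread's older lines end with a value shaped
# like Cloudflare's CF-RAY header (ray id, dash, colo code).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"(?: (?P<extra>\S+))?$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "unparsable"
    if ip.is_loopback:
        return "loopback"      # the server talking to itself (cron jobs, status checks)
    if any(ip in net for net in CLOUDFLARE_IPV4):
        return "cloudflare"    # the edge's address: the visitor IP was not restored
    return "other"             # a visitor, or a client that bypassed the proxy


def summarize(lines):
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts["unparsable" if rec is None else classify_ip(rec["ip"])] += 1
    return counts


def diagnose(counts):
    """Collapse the counts into the verdict an operator wants."""
    external = sum(counts.values()) - counts["loopback"] - counts["unparsable"]
    if external == 0:
        return "no-external"        # wrong log file, or the vhost no longer logs here
    if counts["cloudflare"] * 2 > external:
        return "cloudflare-edge"    # most traffic is logged under proxy addresses
    return "direct"                 # addresses that never passed through Cloudflare


# Constructed sample lines, modelled on the two excerpts in the thread.
BEFORE = [
    '108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA',
    '162.158.78.229 - - [27/Mar/2018:08:51:51 -0400] "GET /vs-full-4582db-4657.js HTTP/1.1" 200 492 "http://blog.example/" "Mozilla/5.0 (iPhone)" 4021fda57db99f3c-IAD',
]
AFTER = [
    '127.0.0.1 - - [11/Apr/2018:06:07:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"',
    '::1 - - [11/Apr/2018:06:09:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15"',
    '218.76.49.6 - - [11/Apr/2018:06:08:46 -0400] "GET /LoginPage.do HTTP/1.1" 404 10092 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    for name, lines in (("before", BEFORE), ("after", AFTER)):
        counts = summarize(lines)
        print(f"{name}: {dict(counts)} -> {diagnose(counts)}")
```

Run against a real domlog, the "other" bucket deserves a second look on an origin that is supposed to sit entirely behind Cloudflare: those connections never passed through the proxy, so Cloudflare's rate limiting never saw them, whatever the logs say about the visitor IP.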
 
#3
It is a cPanel server.

I checked httpd.conf for log format and I see this:

Code:
<IfModule log_config_module>
    LogFormat "%{Referer}i -> %U" referer
    LogFormat "%{User-agent}i" agent
    # NOTE: "combined" and "common" are required by WHM
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

    # access_log format can be set in WHM under 'Basic cPanel & WHM Setup'
    CustomLog logs/access_log combined
</IfModule>
Again, I did not make the change to the access logs that caused them to return the localhost IP and drop all data, so I am unsure what the original log format was. Any help would be greatly appreciated.
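The LogFormat above contains nothing about proxies: `%h` records whatever the server believes the remote address of the connection is, so restoring the visitor IP is a decision made before logging, by the proxy-header handling (the "Use Client IP in Header" setting on LiteSpeed, mod_remoteip on Apache). The following added example, not code from the thread, LiteSpeed, cPanel or Cloudflare, models that decision for the three settings named in the first post and shows why only the trusted-proxy variant holds up against a client that reaches the origin directly. The header name CF-Connecting-IP, the peer addresses and the rate limit are assumptions for illustration, and the proxy list is a three-range subset of Cloudflare's published ranges.

```python
"""Who is the client? The decision behind "Use Client IP in Header".

Added example, not code from the thread, LiteSpeed, cPanel or Cloudflare.
It models the three settings (NO, YES, Trusted IP Only) for a request that
carries a proxy header, then runs a per-IP rate limiter against an attacker
who connects to the origin directly and forges the header. The header name,
peer addresses and limit are assumptions chosen for illustration.
"""
import ipaddress
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/);
# a real deployment trusts the complete, current list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "108.162.192.0/18", "162.158.0.0/15", "173.245.48.0/20",
)]
CLIENT_HEADER = "CF-Connecting-IP"   # assumption; X-Forwarded-For needs the same handling


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except (ValueError, TypeError):
        return False


def resolve_client_ip(peer_ip, headers, mode, trusted=TRUSTED_PROXIES):
    """Return the address the server should treat as the client.

    mode "no":      always the TCP peer (Cloudflare's edge for proxied traffic).
    mode "yes":     the header whenever it is present (anyone can set it).
    mode "trusted": the header only when the TCP peer is a known proxy.
    """
    claimed = headers.get(CLIENT_HEADER)
    if mode == "no" or not _valid_ip(claimed):
        return peer_ip
    if mode == "yes":
        return claimed
    if mode == "trusted":
        peer = ipaddress.ip_address(peer_ip)
        if any(peer in net for net in trusted):
            return claimed
        return peer_ip
    raise ValueError(f"unknown mode {mode!r}")


class PerIpRateLimiter:
    """Fixed-window counter keyed by whatever resolve_client_ip returned."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = Counter()

    def allow(self, ip):
        self.hits[ip] += 1
        return self.hits[ip] <= self.limit


def simulate_direct_attacker(mode, limit=5, attempts=20):
    """An attacker at 203.0.113.9 (TEST-NET-3, not a Cloudflare range) connects
    straight to the origin and forges a different client address per request.
    Returns how many of the attempts got past the per-IP limit."""
    limiter = PerIpRateLimiter(limit)
    allowed = 0
    for i in range(attempts):
        forged = {CLIENT_HEADER: f"198.51.100.{i + 1}"}
        client = resolve_client_ip("203.0.113.9", forged, mode)
        if limiter.allow(client):
            allowed += 1
    return allowed


if __name__ == "__main__":
    # Legitimate proxied request: a Cloudflare edge is the peer, the visitor is in the header.
    proxied = {CLIENT_HEADER: "203.0.113.77"}
    for mode in ("no", "yes", "trusted"):
        print(f"{mode:8} proxied -> {resolve_client_ip('108.162.245.157', proxied, mode)}"
              f"   direct attacker allowed {simulate_direct_attacker(mode)}/20")
```

On Apache 2.4 the "trusted" branch corresponds to `RemoteIPHeader CF-Connecting-IP` together with one `RemoteIPTrustedProxy` line per Cloudflare range; with that in place, `%h` and `%a` in the combined format above log the restored client address while `%{c}a` still gives the TCP peer, which is worth keeping in a second log for exactly the kind of investigation this thread needed. For X-Forwarded-For, which carries a comma-separated chain, the same rule applies to the rightmost address that was appended by a trusted proxy, never to the leftmost one the client supplied.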
 

Pong (Well-Known Member, Staff member)
#4
For cPanel, /etc/apache2/logs/access_log is the server-level access log, which looks more like the format you mentioned.
Code:
127.0.0.1 - - [11/Apr/2018:06:25:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
For the domain-level access log, you will need to check /etc/apache2/logs/domlogs/, which looks more like your original (combined) format.
Code:
108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA
If you have further questions, better log a ticket with cPanel or ask cPanel support to change the log to your desired log format.
 

Pong (Well-Known Member, Staff member)
#6
Better to upgrade to the latest version, 5.2.6, first.
What IPs are showing in your log then? Cloudflare IPs?
 