Server Access Logs Missing Information

Discussion in 'Install/Configuration' started by Giancarlo, Apr 11, 2018.

  1. Giancarlo

    Giancarlo New Member

    We're currently running a two server setup, a web server and a database server, using Litespeed as well as Cloudflare.
    About a month ago we enabled Cloudflare's rate limiting feature to block certain traffic that would try to ping a specific URL.
    At the same time, we noticed some people were able to get around the rate limiting we had in place, and we asked Cloudflare how to fix this. They requested the access logs, however, the access logs contained Cloudflare IPs, since we never set Litespeed to store the original visitor IP. So Cloudflare asked us to restore the original visitor IPs in our logs.

    We requested our host restore the original visitor IP, but one of the techs did something that completely wiped all data from the access logs. Now all the access log reports is the localhost IP address and empty data. We've contacted them to fix it, but now none of the techs know how to fix it.

    Prior to March 27 (before we requested our host restore original visitor IP) it would log just fine like this:

    Code:
    108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA
    162.158.111.58 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda34ae02b82-AMS
    162.158.78.229 - - [27/Mar/2018:08:51:51 -0400] "GET /vs-full-4582db-4657.js HTTP/1.1" 200 492 "http://blog.uwinit.com/UWI_50_Sweepstakes_POP_OCT.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_3 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/65.0.3325.152 Mobile/15A432 Safari/604.1" 4021fda57db99f3c-IAD
    108.162.246.20 - - [27/Mar/2018:08:51:51 -0400] "GET /vrlswp/full/4582db-4657?framed=1&ref=http%3A%2F%2Fwww.uwinit.com%2FPrize%2FIndex%2F17&hash= HTTP/1.1" 200 15468 "http://blog.uwinit.com/UWI_50_Sweepstakes_POP_OCT.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.1" 4021fda48d352a43-SEA
    108
    Now, ever since they made a change, it logs like this:
    Code:
    127.0.0.1 - - [11/Apr/2018:06:07:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    218.76.49.6 - - [11/Apr/2018:06:08:46 -0400] "GET /LoginPage.do HTTP/1.1" 404 10092 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)"
    ::1 - - [11/Apr/2018:06:09:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:09:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:10:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:11:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    ::1 - - [11/Apr/2018:06:12:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:12:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:14:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    ::1 - - [11/Apr/2018:06:15:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:15:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:15:41 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:17:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    ::1 - - [11/Apr/2018:06:18:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:19:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:20:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
    ::1 - - [11/Apr/2018:06:21:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:21:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:22:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:23:47 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    ::1 - - [11/Apr/2018:06:24:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:25:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:25:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    ::1 - - [11/Apr/2018:06:27:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:27:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:28:10 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    ::1 - - [11/Apr/2018:06:30:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:30:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10053 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:30:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    127.0.0.1 - - [11/Apr/2018:06:31:59 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    ::1 - - [11/Apr/2018:06:33:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"
    127.0.0.1 - - [11/Apr/2018:06:33:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    
    I've already tried modifying the Litespeed settings for "Use Client IP in Header" to NO/YES/Trusted IP Only, and the log never changes when trying all different settings.

    Any ideas on what to do here to fix this?
     
  2. Pong

    Pong Well-Known Member Staff Member

  3. Giancarlo

    Giancarlo New Member

    It is a cPanel server.

    I checked httpd.conf for log format and I see this:

    Code:
    <IfModule log_config_module>
        LogFormat "%{Referer}i -> %U" referer
        LogFormat "%{User-agent}i" agent
        # NOTE: "combined" and "common" are required by WHM
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    
        # access_log format can be set in WHM under 'Basic cPanel & WHM Setup'
        CustomLog logs/access_log combined
    </IfModule>
    
    Again, I did not make the change to the access logs to cause them to return localhost IP and drop all data, so I am unsure what the original log format was. Any help would be greatly appreciated.
     
  4. Pong

    Pong Well-Known Member Staff Member

    For cPanel, /etc/apache2/logs/access_log is the server-level access log, which looks more like the format you mentioned.
    Code:
    127.0.0.1 - - [11/Apr/2018:06:25:02 -0400] "GET / HTTP/1.1" 200 111 "-" "-"
    For the domain-level access log, you will need to check /etc/apache2/logs/domlogs/, which looks more like your original (combined) format.
    Code:
    108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA
    If you have further questions, better log a ticket with cPanel or ask cPanel support to change the log to your desired log format.
     
    Last edited by a moderator: Apr 16, 2018
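
A small log triage script, added here as an example and not code from the thread, LiteSpeed or cPanel: it parses the combined format quoted above and labels each logged client address as loopback, a Cloudflare edge address (meaning the original visitor IP was not restored), or a non-proxy address, so a quick scan shows whether a log is usable for the kind of abuse analysis Cloudflare asked for. The two Cloudflare ranges are an assumption chosen to cover the IPs seen in the thread (load Cloudflare's current published list in real use), and the trailing token on the earlier log lines is assumed to be the CF-Ray header.

```python
import ipaddress
import re

# Apache/LiteSpeed "combined" format, as in the LogFormat line quoted in the
# thread, plus an optional trailing token (the earlier lines end in a value
# like 4021fda448b52a31-SEA, assumed here to be the CF-Ray header).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"(?: (?P<extra>\S+))?\s*$'
)

# Assumption: only the two Cloudflare ranges that cover the IPs in the thread.
# Replace with Cloudflare's full, current published list before relying on it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("108.162.192.0/18", "162.158.0.0/15")]


def parse_combined(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify_ip(ip_text):
    """Label the logged client address so a scan shows whether real-IP restoration works."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"          # 127.0.0.1 / ::1: server-level or local health-check traffic
    if any(ip in net for net in CLOUDFLARE_RANGES):
        return "cloudflare-edge"   # proxy address logged; the visitor's real IP was not restored
    return "origin-client"         # outside the proxy: restored IP, or a direct hit on the origin


def summarize(lines):
    """Count lines per label; a large 'cloudflare-edge' share means the log cannot attribute traffic."""
    counts = {}
    for line in lines:
        rec = parse_combined(line)
        label = classify_ip(rec["ip"]) if rec else "unparseable"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Sample input: four lines taken from the excerpts quoted in this thread.
SAMPLE = [
    '108.162.245.157 - - [27/Mar/2018:08:51:51 -0400] "POST /facebook/leadads.php HTTP/1.1" 200 0 "-" "Webhooks/1.0 (https://fb.me/webhooks)" 4021fda448b52a31-SEA',
    '127.0.0.1 - - [11/Apr/2018:06:07:03 -0400] "GET / HTTP/1.1" 200 111 "-" "-"',
    '::1 - - [11/Apr/2018:06:09:01 -0400] "GET /whm-server-status HTTP/1.1" 404 10080 "-" "Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips"',
    '218.76.49.6 - - [11/Apr/2018:06:08:46 -0400] "GET /LoginPage.do HTTP/1.1" 404 10092 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against the domain-level log under /etc/apache2/logs/domlogs/ rather than the server-level access_log, since the latter is expected to be dominated by loopback entries.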
  5. Giancarlo

    Giancarlo New Member

    Last edited by a moderator: Apr 16, 2018
  6. Pong

    Pong Well-Known Member Staff Member

    Better upgrade to the latest version, 5.2.6, first.
    What IPs are showing in your log then? CloudFlare IPs?
     
  7. Giancarlo

    Giancarlo New Member

    Updating to the latest version and then restarting LiteSpeed seems to have done the trick; the correct IPs are coming in now. Thanks!
     
