[nycphp-talk] logwatch "2 200 responses" issue

Matt Morgan matt at jiffycomp.com
Wed Mar 22 17:24:05 EST 2006


csnyder wrote:

>On 3/22/06, Matt Morgan <matt at jiffycomp.com> wrote:
>
>>This is php-related in that lots of php-based web applications (more
>>than one wiki, drupal, mambo & maybe joomla) share the issue. Although
>>it may not really be a php problem. I've also seen it in htdig, the open
>>source web indexing/searching tool. Has anybody seen it & dealt with it?
>>
>>Here's the issue. Logwatch, which I have installed on some CentOS 4.2
>>and Fedora Core 3 & 4 servers that I help out with, reports on many
>>funny log entries. It's a great example of how Unix/Linux admin has
>>gotten lots better since I started out. Among the entries it likes to
>>keep me informed of is this http response code issue, generated by a
>>chat module in drupal:
>>
>>-------
>>A total of 11934 unidentified 'other' records logged
>>   with response code(s)
>>  GET /chatbox/text?nickname=jtrant&limit=30&lastrefresh=1142823531 HTTP/1.1 with response code(s) 2 200 responses
>>  GET /chatbox/nicklist&forcerefresh=9317 HTTP/1.1 with response code(s) 2 200 responses
>>--------
>>
>>The problem is the "2 200 responses." Is that one page returning two
>>success codes? I don't really know where it comes from. Anyway, I've
>>seen this before, but when it goes on for 12000 messages, the logwatch
>>reports are too big and too hard to read.
>>
>>According to some googling I've done, one may edit logwatch's http
>>script and tell it to filter using some other method. But that sounds
>>hard (an endless road of modifying the script every time a new app comes
>>out?) and I have a feeling this is not really logwatch's fault--where
>>does that funny http response code come from, and why is it getting more
>>and more common? On this page
>>
>>https://www.redhat.com/archives/fedora-list/2004-December/msg05044.html
>>
>>someone attempts an explanation, but it doesn't sound realistic to me
>>(unless I just don't understand what he means).
>>
>>Thanks,
>>Matt
>
>In theory it means two HTTP 200 responses. They aren't "funny" -- the
>200 response code means a successful request.
>http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
>
Sure, but two or more responses for one request is funny. (If that's 
what is really happening here--I don't really understand it.)

>In my opinion, the reporting of HTTP 200 responses is a bug -- why
>does any admin care about successful responses? I emailed the logwatch
>authors about this in January but got no response. I even tried
>hacking the script myself, but I wasn't successful.
>
So I suppose I shouldn't have much hope that he'll write me back either. 
But it's heartening to know I'm not the only one who cares!

>If you come up with a solution, please let me know.
>
Someone on another list suggested this is in the 
/path/to/logwatch/conf/services/http.conf:

*Remove = "text to match in lines to remove before processing"

But I can't find any documentation of that, in either the man page or 
the docs on logwatch.org. So I tried it, but I think it's equally as 
likely that it will break logwatch as that it will work. I'll know by 
tomorrow & will post to let you know.

Thanks!
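
Added example, not part of the original post and not logwatch's own code: a small access-log tally that reads "2 200 responses" the way csnyder's reply does (a hit count followed by the status code) and can leave successful 2xx entries out of the report. The log lines, the function names `tally` and `report`, and the `include_success` parameter are constructed for illustration; Apache common/combined log format is assumed.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2006:10:00:01 -0500] "GET /chatbox/nicklist&forcerefresh=9317 HTTP/1.1" 200 512
192.0.2.10 - - [20/Mar/2006:10:00:06 -0500] "GET /chatbox/nicklist&forcerefresh=9317 HTTP/1.1" 200 512
192.0.2.44 - - [20/Mar/2006:10:01:13 -0500] "GET /admin/setup.php HTTP/1.1" 404 208
192.0.2.44 - - [20/Mar/2006:10:01:14 -0500] "GET /admin/setup.php HTTP/1.1" 404 208
192.0.2.44 - - [20/Mar/2006:10:01:15 -0500] "GET /admin/setup.php HTTP/1.1" 403 199
this line is not in access-log format
"""

def tally(log_text):
    """Return ({request: Counter({status: hits})}, list of unparseable lines)."""
    counts, rejects = defaultdict(Counter), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("request")][int(m.group("status"))] += 1
        elif line.strip():
            rejects.append(line)  # keep odd lines for review instead of dropping them
    return counts, rejects

def report(counts, include_success=False):
    """One line per request: '<request> with response code(s) <hits> <status> responses'."""
    out = []
    for request in sorted(counts):
        # Unless asked otherwise, report only non-2xx statuses.
        codes = {s: n for s, n in counts[request].items()
                 if include_success or not 200 <= s <= 299}
        if codes:
            parts = " ".join(f"{n} {s} responses" for s, n in sorted(codes.items()))
            out.append(f"{request} with response code(s) {parts}")
    return out

if __name__ == "__main__":
    counts, rejects = tally(SAMPLE_LOG)
    print("\n".join(report(counts, include_success=True)))
    print("--- without 2xx ---")
    print("\n".join(report(counts)))
    print(f"{len(rejects)} unparseable line(s) kept for manual review")
```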