I have an apache web server which is configured to allow access via client certificate to only a few people. I cannot lock down by IP because the certificate holders could potentially connect from anywhere.
Apache currently returns 403 to anyone not presenting a valid certificate or trying to access an invalid URL, but since the machine has no ACL restrictions it is frequently scanned for vulnerabilities. These scans cause quite a lot of noise in the logs.
Is there a way to log to a different file based on the response code? Is it possible to send all logging for requests which result in a 403 to a different file?
You can get Apache to pipe the custom log to a script. So for example, change the CustomLog entry in the vhost to:
CustomLog "|/path/to/script"The you can have a script that does something like:
#!/usr/bin/perl while ($log = <STDIN>) { if ($log =~ /403/) { open(LOG, '>>/path/to/403log'); print LOG $log; close(LOG); } else { open(LOG, '>>/path/to/mainlog'); print $log LOG; close(LOG); } }The above script is untested, but it should give you an idea of what you can do.