Vendors Apache Software Foundation Apache HTTP Server Apache Forensic Log

Apache Forensic Log

Detailed request/response logging for security analysis

Apache HTTP Server forensic logs from mod_log_forensic, providing detailed request/response logging with unique request IDs for security analysis and debugging. Forensic logs contain two log lines per request (before and after processing) with strict formatting.

forensic security debugging request-logging mod_log_forensic

PLAIN TEXT Format 11 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

Apache forensic logs from mod_log_forensic module provide detailed request and response logging with unique request IDs. Each request generates two log entries: one before processing (marked with '+') and one after processing (marked with '-'), enabling correlation and security analysis.

When Generated:

When mod_log_forensic module is enabled in Apache configuration
For every HTTP request processed by the server
Before and after request processing for debugging and security analysis

Security Relevance:

High

Compliance:

NIST 800-53 (AU-2, AU-6) ISO 27001 (A.12.4.1) PCI-DSS (10.2) SOC 2 (CC7.2)

Frequency Notes:

Forensic logs generate two entries per request (before and after processing), effectively doubling the log volume compared to standard access logs. Typically enabled for security-sensitive environments or during troubleshooting. Frequency matches HTTP request patterns with higher volume during business hours.

Resources

Documentation

Generation Configuration

Base Frequency: 150 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 2.5x

Night Hours Multiplier: 0.5x

Weekend Multiplier: 0.4x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
Request ID Source: random_hex(16)	String	Required	`Hexadecimal string (16 characters)`	Unique identifier for correlating request/response pairs	`a1b2c3d4e5f6g7h8`	—
Client IP Source: random_private_ip()	String	Required	`IPv4 address`	IP address of the client making the request	`192.168.1.100`	—
Timestamp Source: now() \| format_datetime('%Y-%m-%d %H:%M:%S')	DateTime	Required	`YYYY-MM-DD HH:MM:SS`	Timestamp when the request was logged	`2025-01-15 14:23:45`	—
HTTP Method	String	Required	—	HTTP request method	`GET`	`GET` `POST` `PUT` `DELETE` `HEAD` `OPTIONS`
Request URI Source: random_choice of common paths	String	Required	—	Requested URI path	`/api/users`	—
HTTP Version	String	Required	—	HTTP protocol version	`HTTP/1.1`	`HTTP/1.1` `HTTP/2.0`
Status Code Source: random_choice of common status codes	Integer	Required	—	HTTP response status code	`200`	—
Response Size Source: random_int(0, 500000)	Integer	Required	—	Size of response in bytes	`12345`	—
User Agent Source: random_choice of common user agents	String	Required	—	Client user agent string	`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36`	—
Server IP Source: random_private_ip()	String	Required	`IPv4 address`	IP address of the server handling the request	`10.0.0.1`	—
Server Port	Integer	Required	—	Port number the server is listening on	`443`	`80` `443` `8080` `8443`

Details

Fields

Medium

Frequency

Feedback

No ratings yet