garbled log entries - scheme UNKNOWN


tomr
Hi,

I'm seeing a ton of log entries with scheme "UNKNOWN", a garbled HTTP
response code (circa 20 chars long), and not a huge amount of the detail
I'd normally expect - apart from client ip, which appears sensible.

A lot of the requests come from our own monitoring infrastructure, so
there's a decent chance I'll be able to reproduce (though I can't yet).

Does anyone have any suggestions about where I could start looking?

We're using ATS 7.0.0, and seeing this for about 0.5% of log lines on a
few million hits per day.

Log format is: %<chi> %<caun> [%<cqtn>] \"%<cqhm> /%<cqup> %<cqhv>\"
%<cqus> %<{Host}cqh> %<pssc> %<pscl> \"%<{User-Agent}cqh>\" %<crc>
%<psct> %<pqsn> %<ttms> %<cquc>

And an example bogus logline (with IP replaced) is:
0.0.0.0 - [09/Oct/2017:07:22:59 -0000] "- /- HTTP/1.0" UNKNOWN
8242834443987517485 0 "" ERROR_UNKNOWN(7811903955520716845) Z -
7587266184633188397 ��

tia,
Tom
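
A triage step for lines like the one above, as an added example that is not part of the original post or of ATS: it pulls out integers far too large for any numeric log field and dumps their eight bytes, to check whether a numeric field was filled from memory that holds text. Little-endian byte order (as on x86-64) is an assumption, and all function names are hypothetical.

```python
import re

# Bogus log line quoted in the post above (wrapped lines joined,
# trailing non-text bytes of the last field left out).
SAMPLE = ('0.0.0.0 - [09/Oct/2017:07:22:59 -0000] "- /- HTTP/1.0" UNKNOWN '
          '8242834443987517485 0 "" ERROR_UNKNOWN(7811903955520716845) Z - '
          '7587266184633188397')

# A digit run this long cannot be a status code, a content length
# or a millisecond timer, so treat it as a suspect 64-bit value.
SUSPECT_INT = re.compile(r'(?<!\d)\d{15,20}(?!\d)')


def decode_int(value, byteorder='little'):
    """Return the 8 raw bytes of a 64-bit value, or None if it does not fit."""
    if value >= 1 << 64:
        return None
    return value.to_bytes(8, byteorder)


def printable_ratio(raw):
    """Fraction of bytes that are printable ASCII (0x20-0x7e)."""
    return sum(0x20 <= b <= 0x7e for b in raw) / len(raw)


def triage(line, threshold=0.75):
    """Yield (number, raw_bytes, looks_like_text) for each oversized integer."""
    for match in SUSPECT_INT.finditer(line):
        raw = decode_int(int(match.group()))
        if raw is None:
            continue
        yield match.group(), raw, printable_ratio(raw) >= threshold


if __name__ == '__main__':
    for number, raw, texty in triage(SAMPLE):
        shown = ''.join(chr(b) if 0x20 <= b <= 0x7e else '.' for b in raw)
        print(f'{number:>20}  {raw.hex()}  {shown!r}  text-like={texty}')
```

On the sample line the three values decode to "-.; Andr", "-.H Buil" and "-.eWebKi" (the dot is a NUL byte), which can be compared against the headers of requests handled around the same time.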
Re: garbled log entries - scheme UNKNOWN

Pablo Fischer
I'm going to guess that the unknown ones could be HTTP 1.0 while your server expects 1.1, so maybe those unknown ones are indeed from your monitoring and are not sending a Host header and/or are 1.0?

On Mon, Oct 9, 2017 at 4:50 PM tomr <[hidden email]> wrote:
Hi,

I'm seeing a ton of log entries with scheme "UNKNOWN", a garbled HTTP
response code (circa 20 chars long), and not a huge amount of the detail
I'd normally expect - apart from client ip, which appears sensible.

A lot of the requests come from our own monitoring infrastructure, so
there's a decent chance I'll be able to reproduce (though I can't yet).

Does anyone have any suggestions about where I could start looking?

We're using ATS 7.0.0, and seeing this for about 0.5% of log lines on a
few million hits per day.

Log format is: %<chi> %<caun> [%<cqtn>] \"%<cqhm> /%<cqup> %<cqhv>\"
%<cqus> %<{Host}cqh> %<pssc> %<pscl> \"%<{User-Agent}cqh>\" %<crc>
%<psct> %<pqsn> %<ttms> %<cquc>

And an example bogus logline (with IP replaced) is:
0.0.0.0 - [09/Oct/2017:07:22:59 -0000] "- /- HTTP/1.0" UNKNOWN
8242834443987517485 0 "" ERROR_UNKNOWN(7811903955520716845) Z -
7587266184633188397 ��

tia,
Tom
--
Pablo