Apache web server Architecture in Forensic Investigation in this the apache web server comprises of a modular approach. It consists of two major components, the Apache Core and the Apache Modules. The Apache Core deals with basic functionalities of the server, such as allocating the requests, maintaining and pooling the connections, etc., while the Apache Modules, which are simply add-ores (used for extending the core functionality of the server), looks after other functions, such as getting user ID from the HTTP request and validating the user, authorizing the user, etc. The Apache core consists of several components which have particular activities to perform. The elements of the Apache core are http_protocol, http_main, http_request, http core, alloc, and http_config.
- http_protocol: This element is responsible for managing the routines, which interacts with the client and takes care of all the data exchange and socket connections between the client and the server.
- http_main: This element handles the server startups and timeouts. It also consists of the main server loop that waits for the connections and accepts them.
- http_request: This element controls the step by step procedure involved between the modules to complete a client request and is also responsible for error handling.
- http_core: This element is hardly functional enough to serve documents.
- c: This element handles allocation of resource pools.
- http_config: This element is responsible for reading and handling of the configuration files. One of the main tasks of http config is that it arranges all the modules, which the server will call during various phases of the request handling.
The second important component of the Apache web server Architecture in Forensic Investigation is the Apache Modules. As discussed, the architecture of the Apache web server has several modules that connect to the Apache core and assists the requests processed by the core. In order to change the Apache server’s functionality, the developers may write new modules, which meet the desired purpose. According to the requirement of the request, the particular modules will be called. The modules implement the desired functionality and forward the output back to the core and the core assembles the output using the HTTP_REQUEST component of the Apache Core in order to send it to another module for processing or sends it back to the client. The modules are made up of handlers, which denote the particular functions to be performed by the module. The modules create specific handlers whenever a request is processed.
Related Product : Computer Hacking Forensic Investigator | CHFI
Apache Web Server Logs
Apache HTTP Server
Apache imp Server is a web server that was originally developed for Unix/Linux operating systems; however, currently this can work under different operating systems like Mac, Windows, etc. It performs various functions (since it is a multi-threaded web server) requested by the client web browsers and can implement multiple tasks simultaneously. The Apache HTTP Server utilizes modules and extensions to support various environments.
Apache Log Information
Apache logs provide very important information during auditing and forensic investigations about all the operations performed on the web server. This information includes client IP address, identd of the client machine, time, client user ID, Request line from a client, Status code, and Size of the object returned to the client. All the information provided by the logs can lead the investigator to the attacker.
Common Apache Log Format
%h %l %u %t \”%r\” %>s %b is the common percent directive log format. where:
- %h represents the client’s IP address.
- %l represents the Remote log name. This will return a dash unless mod_ident is present and IdentityCheck is set on.
- %u is the client user ID.
- %t represents the time when the server received the request. It is displayed in the format [day/month/year:hour:minute:second zone].
- \”%rr indicates the methods used for a request-response between a client and server, the resource requested by a client (apache_pb.gif), and the protocol used (HTTP/1.0).
- %>s represents the status code which the server sends back to the client.
- %b represents the size of the object which the server sends to the client.
Also Read : Understand IIS Web Server Architecture in Forensic Investigation
Investigating Apache Logs
The Apache server consists of two logs:
1. Error Log
The Apache Error Log is the location where the server records all the errors that occurred during the client request processing. The ErrorLog directive sets the location of the error log. The log file contains data pertaining to the issues in the server’s startup and operation. It also stores information related to the reason behind the issue and the steps involved in resolving it. The investigators need to use Linux applications like grep, cat, gedit or vi to read these log files.
2. Access Log
Requests processed by the Apache server are contained in the access log. It has a record of every request that goes through the server. The LogFormat directive helps in selecting the required log contents. The CustomLog directive sets the location and content of the Access Cog. The CustomLog directive also has the information to configure the server in such a way that the server can maintain access log records. The access logs are stored in the Common Log format by default and are highly configurable.
Apache Access Log/Common Log Format Example:
10.10.10.10 – jason [17/Ang/2016:00:12:34 +0300] “GET /images/content/bg_body_1.jpq HTTP/1.0” 500 1458
A percent directive represents each field in the log. These percent directives enable the server to understand what information it has to log.
Let us map the percent directives with the actual log format.
- 10.10.10.10 (%h):IP Address of the client /remote host
- -(%I): The requested information is not available
- jason (%u) User ID of the person who sent the request
- [17/Aug/2016: 00: 12 34 +0300] (%t): The time at which the server finished processing the request. +03 UT C represents East Africa Time Zone.
- “GET /images/content/bg_ body_1. jpg HTTP/1. 0” (\ “%r\”): The client used GET
request method, and he/she requested the resource /images/content/bg_body_1.jpg. The client used HTTP/1.0 protocol. - 200 (%>s): The status code represents that the response was successful
- 1458 (%b): The server returned the object of size 1458 bytes to the client
Apache Error Log example:
[Mon Sep 16 14:25:33.812856 2016] [core:error] [pid 12485:tid 8589745621] [client 10.10.255.14] File does not exist: /images/content/bg_body_1.jpg
Anatomy of the Log:
Mon Sep 16 14:25:33.812856 2016 :
This is the first element in the log entry. It contains the timestamp (day, month, date, time, and year) of the log.
core:error :
The second element in the log describes the module producing the message. In this case, the Apache core is producing the message describing the security level (error).
pid 12485:tid 8589745621 :
The next element in the log contains the process ID and its corresponding thread ID.. client 10.10.255.14
The fourth element in the log is the client address that made the request. File does not exist: /images/content/bg_body_1.jpg
The final element in the log displays the status of the file, which the client has requested. In this case, the file does not exist. So, it displayed an error message stating the file does not exist on the server.
Questions related to this topic
- How do I find the server error log?
- How do I find the Apache error log?
- What is Apache error log?
- What are some of the logs maintained by Apache?
- What is Apache web server Architecture in Forensic Investigation?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
