Runaway script creating folders in web root

Discussion in 'General' started by skinner_au, Feb 20, 2011.

  1. skinner_au

    skinner_au New Member

    Hi,

    I've been using ISPConfig2 for about 2.5 years now and it has suited my needs very well. It has been serving mail and web for several domains I operate without a problem for that time.

    A few weeks ago I made a number of changes to my network and today I noticed that there are a large number of new folders inside my web root which take the form of a line within the ISPConfig log. From what I can tell with my rudimentary PHP skills, the "/root/ispconfig/scripts/shell/logs.php" script is parsing the log lines incorrectly and creating new folders as a result.

    Here is an example of my /var/www/ directory (I have replaced the domain names with #site1#, #site2# etc):
    Code:
    drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 - #SITE2# - [08
    drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 74.52.245.146 #SITE2# - [08
    drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 121.45.241.95 #SITE2# - [08
    drwxr-xr-x  3 root        root  4.0K 2011-02-09 00:30 114.108.226.61 #SITE2# - [08
    drwxr-xr-x  3 root        root  4.0K 2011-02-10 00:30 72.94.249.38 #SITE2# - [09
    drwxr-xr-x  3 root        root  4.0K 2011-02-10 00:30 66.249.67.101 localhost - [09
    drwxr-xr-x  3 root        root  4.0K 2011-02-10 00:30 222.127.223.74 #SITE2# - [09
    drwxr-xr-x  3 root        root  4.0K 2011-02-12 00:30 95.108.154.252 #SITE2# - [11
    drwxr-xr-x  3 root        root  4.0K 2011-02-13 00:30 69.58.178.57 #SITE3# - [12
    drwxr-xr-x  3 root        root  4.0K 2011-02-13 00:30 222.130.187.172 #SITE3# - [12
    drwxr-xr-x  3 root        root  4.0K 2011-02-13 00:30 203.206.80.20 #SITE3# - [12
    drwxr-xr-x  3 root        root  4.0K 2011-02-14 00:30 - #SITE1# - [13
    drwxr-xr-x  3 root        root  4.0K 2011-02-14 00:30 66.249.67.101 localhost - [13
    drwxr-xr-x  3 root        root  4.0K 2011-02-16 00:30 74.52.245.146 localhost - [15
    drwxr-xr-x  3 root        root  4.0K 2011-02-16 00:30 66.249.68.100 #SITE2# - [15
    drwxr-xr-x  3 root        root  4.0K 2011-02-17 00:30 66.249.68.51 localhost - [16
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 - #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 49.192.11.41 #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 209.222.0.203 #SITE3# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 203.82.208.13 #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 184.72.7.141 #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.85 #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.83 #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.81 #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-19 00:30 10.212.24.37, 192.148.117.79 #SITE2# - [18
    drwxr-xr-x  3 root        root  4.0K 2011-02-20 00:30 66.249.68.100 #SITE2# - [19
    
    As you can probably tell, the directory names take the form of the Apache log line and a new subdirectory is created where a forward slash appears in the line (such as in the date and the HTTP GET request). At the bottom of the tree is a "web.log" file which would normally be found under the ISPConfig site directory tree.

    Around that time, the changes I made to my system were: 1) upgraded (apt dist-upgrade within same Ubuntu 8.04 version) so many 'held back' packages were updated; and 2) installed a squid reverse proxy on another machine which determines which requests go to which machines as there are other servers within my network hosting other domains outside the scope of my ISPConfig install.

    I did a search of the forums here and didn't see any references to upgrades causing this problem, so I have assumed that my squid server is sending requests over which seem to be causing problems for the ISPConfig log parser.

    The odd thing is that the ISPConfig HTTPD logs seem to be working as normal, where the standard loglines appear as:

    Code:
    203.82.208.13 #SITE2# - [20/Feb/2011:17:37:29 +0800] "GET /DC/ HTTP/1.0" 200 55569 "-""Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729; .NET4.0E)"
    
    ... where "#SITE2#" is the domain name. The log lines do seem to drop the IP address if it is from within my local network (shown only as "-" and this is also visible in the directories created in webroot), but I believe that to be a symptom of another part of my setup, and I can live with this.

    It appears to me that the problem is coming from the following function in the "/root/ispconfig/scripts/shell/logs.php" file:

    Code:
    function get_filename($virtual_host) {
            global $webroot, $jahr, $monat, $mod;
            // $jahr / $monat are the year / month; the log directory tree is created if it is missing
            if(!is_dir("$webroot/$virtual_host/log/$jahr/$monat")) $mod->file->mkdirs("$webroot/$virtual_host/log/$jahr/$monat");
            return "$webroot/$virtual_host/log/$jahr/$monat/web.log";
    }
    
    It has also just occurred to me that it may have something to do with a couple of custom log lines I placed in the "/etc/apache2/apache.conf" file. I suspect I obtained and modified them based on a squid tutorial, but my memory is not clear on it:

    Code:
    LogFormat "%{X-Forwarded-For}i %v %u %t \"%r\" %>s %b \"%{Referer}i\"\"%{User-Agent}i\"" cached
    
    CustomLog "|/root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d" cached
    
    I would very much appreciate any suggestions as to how I can fix this bizarre problem. Although my personal sites are low volume, the number of directory entries is adding up and I'm not sure if there are other problems as well.

    Thanks

    Skinner
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the most likely reason for your problem. The correct log lines for an ISPConfig server are:

    Code:
    LogFormat "%v||||%b||||%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig
    CustomLog "|/root/ispconfig/cronolog --symlink=/var/log/httpd/ispconfig_access_log /var/log/httpd/ispconfig_access_log_%Y_%m_%d" combined_ispconfig
    The log lines that you used are not compatible with ISPConfig and cannot be split correctly.
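A defensive version of the split-and-path step discussed in this thread, as an added example that is not part of the original posts and is not ISPConfig's own code. It assumes the parser splits each line on the `||||` delimiter of the `combined_ispconfig` format; `is_valid_vhost`, `split_log_line` and `safe_log_path` are hypothetical names, and the sample lines and demo web root are constructed.

```php
<?php
// Added example, not ISPConfig code. Assumption: the log parser splits each
// line on the "||||" delimiter of the combined_ispconfig format.

// A vhost must be a plain hostname: no spaces, slashes, brackets or "..".
function is_valid_vhost(string $host): bool {
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($host) <= 253
        && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/i', $host) === 1;
}

// Split one line into [vhost, bytes, rest]; null when it is not in the
// expected three-field shape, so a foreign LogFormat is rejected outright.
function split_log_line(string $line): ?array {
    $parts = explode('||||', rtrim($line, "\r\n"), 3);
    if (count($parts) !== 3) return null;
    [$vhost, $bytes, $rest] = $parts;
    if (!is_valid_vhost($vhost)) return null;
    if ($bytes !== '-' && !ctype_digit($bytes)) return null;  // %b is a count or "-"
    return [strtolower($vhost), $bytes, $rest];
}

// Path for web.log, or null. Unlike get_filename() it never creates the site
// directory from log data: the vhost must already exist under $webroot.
function safe_log_path(string $webroot, string $vhost, string $year, string $month): ?string {
    if (!is_valid_vhost($vhost)) return null;
    if (!ctype_digit($year) || !ctype_digit($month)) return null;
    if (!is_dir("$webroot/$vhost")) return null;  // unknown vhost: skip, no mkdir
    return "$webroot/$vhost/log/$year/$month/web.log";
}

// Constructed sample lines (documentation addresses and hostnames).
$lines = [
    // combined_ispconfig format
    'www.example.com||||55569||||203.0.113.7 - - [20/Feb/2011:17:37:29 +0800] "GET /DC/ HTTP/1.0" 200 55569',
    // "cached" format from the first post: no "||||" fields
    '203.0.113.7 www.example.com - [20/Feb/2011:17:37:29 +0800] "GET /DC/ HTTP/1.0" 200 55569',
];
$webroot = sys_get_temp_dir() . '/webroot_demo';       // stand-in for the real web root
@mkdir("$webroot/www.example.com", 0755, true);         // the one provisioned site
foreach ($lines as $line) {
    $f = split_log_line($line);
    $path = $f ? safe_log_path($webroot, $f[0], '2011', '02') : null;
    echo ($path ?? 'rejected, nothing created'), "\n";
}
```

The caller still creates `log/<year>/<month>` beneath an existing site directory; the site directory itself is never derived from log data.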
     
  3. skinner_au

    skinner_au New Member

    Ah yes, that should have been obvious looking at the ISPConfig log format. I have changed it back and just added another log to get the info I want.

    Thanks.
     
  4. skinner_au

    skinner_au New Member

    Just confirming for any future readers that this fixed my problem and as of the latest cron execution of "/root/ispconfig/scripts/shell/logs.php" no new directories were created.

    Thanks again

    Sk
     
