We recently upgraded our Tomcat server to v9 and it started throwing exceptions for receiving HTTP requests with the following data:

```
1.1.1.1 - - [30/Jun/2020:04:55:31 +0000] "-" 400 1921
```

Which is nothing like the usual...

```
1.1.1.1 - - [30/Jun/2020:04:55:31 +0000] "GET / HTTP/1.1" 404 533
```

It seems our client is still adopting HTTP v1.1, but would that have to do with the "-" Tomcat is complaining about? And what is "-" supposed to stand for?

Muhammad Gelbana

2 Answers

`-` in this log format generally means that a value is missing.

A missing HTTP method and HTTP/1.1 request line, with a 400 Bad Request result suggests to me that something is opening a TCP connection and sending something that's not HTTP at all.

Evert
  • It seems so to me too. Do you know what could possibly send such a request? – Muhammad Gelbana Jul 05 '20 at 20:53
  • 1
    If the request is from an ip address you know, i would try to run `netstat` or `tcpdump` or `tshark` to try and find out what is opening that connection and what they are sending. – Evert Jul 05 '20 at 20:58
0

See Apache Log Files server documentation and Apache Core Features (ErrorLogFormat Directive). I assume the Java implementation of Apache in Tomcat uses roughly the same syntax.

A - (minus) modifier causes a minus to be logged if the respective item in the log entry codes does not produce any output, as Evert said above.

Your normal log entry:

```
1.1.1.1 - - [30/Jun/2020:04:55:31 +0000] "GET / HTTP/1.1" 404 533
```

appears to be using Common Log Format (CLF), i.e.,

```
LogFormat "%h %l %u %t \"%r\" %>s %b" common
```

Where the first entry is the IP address of the client (remote host) which made the request to the server. The two minus signs probably represent missing identity and user ID (see the Logs document cited). The next field is obviously date and time. The next field, quoted, is the request line from the client: First, the method used by the client is GET. Second, the client requested the public document root "/", and third, the client used the protocol HTTP/1.0. Your server returned status code 404 to the client and the size of the object returned to the client, not including the response headers, was 533 bytes.

Now, your unusual log entry,

```
1.1.1.1 - - [30/Jun/2020:04:55:31 +0000] "-" 400 1921
```

is missing the request line from the client, so a minus sign is entered there. As to what could possibly send such a request, if you are connected to the internet, it could be some robot probing your server. You can reverse identify an IP address easily with cqcounter whois, e.g., "1.1.1.1" appears to be some Australian outfit APNIC Research and Development, probably benign.
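As an added example (not part of either answer above), the Python sketch below parses access-log lines in the Common Log Format described here and counts, per client address, the entries that have no request line and a 400 status, which helps decide which sources are worth a packet capture. It assumes the access log uses the `common` pattern; the function names and the sample lines beyond the two quoted in the question are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format as discussed above: %h %l %u %t "%r" %>s %b
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_clf(line):
    """Return a dict for one CLF line, or None if the line does not match."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "-" means the field produced no value; normalise it to None.
    rec["request"] = None if rec["request"] == "-" else rec["request"]
    rec["method"] = rec["target"] = rec["protocol"] = None
    if rec["request"]:
        parts = rec["request"].split(" ")
        if len(parts) == 3:
            rec["method"], rec["target"], rec["protocol"] = parts
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def empty_request_clients(lines):
    """Count, per client address, entries with no request line and status 400."""
    hits = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec and rec["request"] is None and rec["status"] == 400:
            hits[rec["host"]] += 1
    return hits

# Constructed sample: the two lines from the question plus made-up entries
# that use documentation-only addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE = [
    '1.1.1.1 - - [30/Jun/2020:04:55:31 +0000] "-" 400 1921',
    '1.1.1.1 - - [30/Jun/2020:04:55:31 +0000] "GET / HTTP/1.1" 404 533',
    '192.0.2.10 - - [30/Jun/2020:05:01:02 +0000] "-" 400 1921',
    '192.0.2.10 - - [30/Jun/2020:05:01:03 +0000] "-" 400 1921',
    '198.51.100.7 - alice [30/Jun/2020:05:02:00 +0000] "POST /login HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for host, count in empty_request_clients(SAMPLE).most_common():
        print(f"{host}\t{count} entries with no request line")
```

A source that shows up here repeatedly is a candidate for the `tcpdump` or `tshark` capture suggested in the comments, since the access log records nothing about what was actually sent.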