Topic: Strange http error log entries

[Tom Carroll]

While researching my previous squidguard error I found some interesting log entries.  Strange in the fact that they are logon related in the httpd error log file.

I created a domain account for someone and then logged them into an XP machine.  SME 5.6U4 UDR is the PDC for the domain.  Here are the httpd error log entries:

[Thu Dec 18 10:57:04 2003] [error] [client 192.168.1.76] File does not exist: /home/e-smith/files/primary/html/NETLOGON
[Thu Dec 18 11:43:32 2003] [error] [client 192.168.1.76] File does not exist: /home/e-smith/files/primary/html/jay
[Thu Dec 18 13:07:42 2003] [error] [client 192.168.1.76] File does not exist: /home/e-smith/files/primary/html/jay
[Thu Dec 18 13:10:30 2003] [error] [client 192.168.1.76] File does not exist: /home/e-smith/files/primary/html/jay

Why would login events be logged to the httpd error log?  Now that I have gone through my logs more thoroughly it appears that anything that has been set up as a share is appearing in this log.  Could this be a result of Explorer in WinXP actually being the IE browser?

Very confused...

Tom

[Nick Ramsay]

I see the same thing in mine - I suspect you are correct in surmising that Explorer is responsible.  I have 2 XP machines & a Win2K machine all producing regular entries in my http error logs.

[Mon Dec 15 09:57:36 2003] [error] [client 172.16.1.25] File does not exist: /home/e-smith/files/primary/html/nick
[Mon Dec 15 10:32:26 2003] [error] [client 172.16.1.55] File does not exist: /home/e-smith/files/primary/html/rhiannon
[Mon Dec 15 12:11:17 2003] [error] [client 172.16.1.20] File does not exist: /home/e-smith/files/primary/html/wpad.dat

.. and so on.  The first 2 are XP machines, the third is W2K

Nothing to worry about

[%sig%]

[Tom Carroll]

It sure seems like a waste of space for the logs to be capturing these types of entries.  I wonder if there is a setting or something I can change that would prevent Explorer from trying to access the network shares as web pages...

Since my server is a PDC and web server, does that mean that Explorer is trying to access http://www.carrollweb.net/jay?

I think that would be a security issue, wouldn't it?

Tom

[Nick Ramsay]

I don't think it's trying to access the public facing web server - I suspect that if you manually configure httpd.conf so it doesn't listen on the LAN it would stop these log entries.  This would obviously break a number of things, not least the ability to access the server manager!

It must be some "feature" of IIS - my SME isn't configured as a PDC, it's just a peer-to-peer network share.  If I don't log in to the SME, I don't get the entries.  No doubt it's possible to do a registry tweak to stop Explorer trying to access the user home directory (God knows what it's looking for here), but it's not causing any problems for me so I'm just going to quietly ignore it

[tcarroll]

It has been a while since I visited this issue, but I am still using the SME 5.6UDR+U4 and I would like to know if the latest version of SME is showing these log entries.  If so, is there a way to stop them from being logged?  It sure takes up a lot of log space for a busy PDC with numerous users logging in and out of WinXPP.

Tom