Empty /error log lines (a lot of them)

Hi,

I am using NGINX 0.8.54 on Ubuntu 11.04, and I am getting a lot of
weird log entries in nginx access file. The structure is somewhat like
below, but as you can see there is no method, URL, referer, user
agent, etc. And, I see bunch of entries for different IP addresses (3
to 30-40 entries per IP)

It might be a browser issue, but since I am seeing a lot of these, I
just wanted to ask here if anyone has seen this before.

Thanks…

<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:12:32 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:12:32 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:12:32 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:12:32 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:12:32 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:13:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:13:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:13:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:13:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:13:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:13:22 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:17:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:17:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:17:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:17:52 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:20:02 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:20:02 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:20:02 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:45:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:45:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:45:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:45:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:45:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:16 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:16 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:16 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:16 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:16 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:46:56 +0300] “-” 400 0 “-” “-”
<USER_IP_ADDRESS> - - [07/Oct/2011:17:49:46 +0300] “-” 400 0 “-” “-”

Hello!

On Tue, Jan 03, 2012 at 03:32:36PM +0200, Cabbar D. wrote:

Thanks…

<USER_IP_ADDRESS> - - [07/Oct/2011:17:11:22 +0300] “-” 400 0 “-” “-”

[…]

Such lines appear when client opens a connection and doesn’t send
valid request (e.g. just closes the connection).

Some modern browsers (e.g. Chrome) tend to open several extra
connections “just in case” and close them once they realize they
have no requests to send (and thus they cause such lines to
appear).

Another common reason is health checks from external balancers,
but it’s probably not your case.

Maxim D.

Hi,

I also have a lot of these lines in my logs on all nginx webservers,
they are a result of loadbalancers or nagios/icinga or something that is
checking your webservers port for availability, some kind of half open
connection without a full http request. If there would be any
configuration setting to disable these entries that would be great,
would save I/O and disk space :wink:

Michael

Am 03.01.2012 14:32, schrieb Cabbar D.:

Hi,

Upon further investigation, it turned out to be coming from chrome
browser actually… I could not find why it is doing that (it was not
shown in its network details page nor developer tools), but every once
in a while it is going crazy and sending 4-5 requests at a time. And,
it looked like these were generated from the browser right after a
facebook call. And number of requests varies as well, sometimes it is
just one request, sometimes it is 4 at a time.

BTW, FF is not doing this.

As Michael was saying, this is causing unnecessary I/O, disk space,
etc. And, wish there was a way of disabling this!

Can we at least tell Nginx not to log these? Something like, if there
is no http method / url, skip the log?

Thanks…

This worked great!

Thanks a lot for your help.

On Wed, Jan 4, 2012 at 2:03 AM, Cabbar D. [email protected] wrote:

Hi,

[…snip…]

Can we at least tell Nginx not to log these? Something like, if there
is no http method / url, skip the log?

It’s very likely that there’s no Host header sent, so it’s being
directed
to the server set as “default”.

In my setup i define a server{} section for every real host, and then
add a
separate “catch all” one for everything else and turn off the logs when
not
debugging.
If you are able to do something similar, it should capture those
spurious
connections, direct them to the default host, and not log the lines

#catch all
server {
listen 80 default_server;
server_name localhost.domain.com localhost 127.0.0.1
xx.xx.xx.xx;
#where xx.xx.xx.xx is the local IP
access_log off;
location / {
#local
allow 127.0.0.1;
#office router
allow xx.xx.xx.xx;
#protect
deny all;
}
}

#real server(s)
server {
access_log /var/log/nginx/access.log;
listen 80;
server_name .domain.com; #matches www.domain.com and domain.com
location / {
#[…snip…]
}
}


Will ‘Mit’ Rowe
Stagename*
*1-866-326-3098
[email protected] [email protected]

Twitter: @stagename

The information transmitted is intended only for the person or entity
to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of this
information by persons or entities other than the intended recipient is
prohibited. If you received this transmission in error, please contact
the
sender and delete all material contained herein from your computer.