apache logging mod-ssl computer-forensics

Log Apache2 SSL session ID and unique client values


I want to realize a more detailed Apache2 server log with the unique ssl_session_id of each user for forensic reasons. I adapted the LogFormat in my apache2.conf, but it does not log the session ID. I am using Apache 2.2.22; mod_ssl is enabled.

Current LogFormat:

LogFormat "%{%a %m/%d/%Y @ %I:%M:%S.}t%{msec_frac}t %{%p %Z}t %h \"%{SSL_SESSION_ID}e\" (%{X-Forwarded-For}i) > %v:%p \"%r\" %I %D %>s %b %k \"%{Referer}i\" \"%{User-Agent}i\" %u %{User}C %{SessionTracker}C" forensic

Also tried:

LogFormat "%{%a %m/%d/%Y @ %I:%M:%S.}t%{msec_frac}t %{%p %Z}t %h \"%{SSL_SESSION_ID}x\" (%{X-Forwarded-For}i) > %v:%p \"%r\" %I %D %>s %b %k \"%{Referer}i\" \"%{User-Agent}i\" %u %{User}C %{SessionTracker}C" forensic

A log line looks like:

Fri 05/20/2016 @ 09:40:33.msec_frac AM CEST 0.0.0.0 "-" (-) > example.com:443 "GET /path/to/the/file.svg HTTP/1.1" 837 440 304 - 35 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" - - -

(IP address, URL and referer have been adapted)

How can I retrieve the ssl_session_id? Is there any other way to gather (any other) unique client information for forensic analysis?


Solution

  • Well, it seemed that Apache v.2.2.22 wasn't able to deactivate ssl_ticket_session. So I had to do this manually to be able to log the ssl_ID, which wasn't part of the client_header each time if you had the ticket_session activated. With the ticket_session deactivated, the client had to "handshake" each time.
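
Once the session ID is being logged, the "forensic" format from the question can be parsed and grouped per TLS session. The following is an added example, not part of the original post: it assumes the `%{SSL_SESSION_ID}x` variant of the LogFormat and a single-token time zone, the sample lines are constructed, and treating an ID seen from more than one client address as worth a closer look is an analyst's assumption rather than something the post states.

```python
import re
from collections import defaultdict

# Quoted field; Apache escapes embedded double quotes as \" in the log.
Q = r'"((?:[^"\\]|\\.)*)"'
# One capture group per directive of the question's "forensic" LogFormat.
LINE_RE = re.compile(
    r'^(\S+ \S+ @ \S+ \S+ \S+) (\S+) ' + Q + r' \(([^)]*)\) > (\S+):(\d+) ' + Q +
    r' (\S+) (\S+) (\d{3}) (\S+) (\S+) ' + Q + ' ' + Q + r' (\S+) (\S+) (\S+)$')
FIELDS = ("time", "client", "ssl_session_id", "xff", "vhost", "port", "request",
          "bytes_in", "usec", "status", "bytes_out", "keepalive", "referer",
          "user_agent", "remote_user", "cookie_user", "cookie_tracker")

def parse_line(line):
    """Return a dict of named fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def summarize(lines):
    """Group client addresses by SSL session ID and count what cannot be grouped."""
    by_session = defaultdict(set)
    missing = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1                      # keep a count; never drop silently
        elif rec["ssl_session_id"] in ("", "-"):
            missing += 1                       # no ID logged for this request
        else:
            by_session[rec["ssl_session_id"]].add(rec["client"])
    shared = {sid: sorted(ips) for sid, ips in by_session.items() if len(ips) > 1}
    return {"sessions": len(by_session), "missing_id": missing,
            "unparsed": unparsed, "shared_ids": shared}

# Constructed sample input (documentation IP ranges, made-up session IDs).
TEMPLATE = ('Fri 05/20/2016 @ 09:40:33.msec_frac AM CEST {ip} "{sid}" (-) > '
            'example.com:443 "GET /index.html HTTP/1.1" 837 440 200 512 0 '
            '"-" "Mozilla/5.0 (constructed)" - - -')
PAIRS = [("192.0.2.10", "-"), ("192.0.2.10", "AA11"),
         ("198.51.100.7", "AA11"), ("192.0.2.44", "BB22")]
SAMPLE = [TEMPLATE.format(ip=ip, sid=sid) for ip, sid in PAIRS] + ["not a log line"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high `missing_id` count on real logs points back to the situation described in the answer, where requests arrive without a logged session ID.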