I've been asked to log user names that are hitting password-protected areas of
our site. The protection is by htaccess, with multiple users. Servers are Apache.
Looking at the logs, when an attempt is made, a line:
22.214.171.124 - - [01/Apr/1998:13:35:18 +0100] "GET /service/roaming/tknumbers/index.html HTTP/1.0" 401 350
is logged BEFORE the htaccess verification. Then, when the user gives a username
and password, a second line is logged:
126.96.36.199 - keith [01/Apr/1998:13:35:25 +0100] "GET /service/roaming/tknumbers/index.html HTTP/1.0" 401 350
That looks simple - just look for lines with the right GET path and a
BUT, if the user gives an incorrect password, exactly the same things happen. So
we can't distinguish between accepted and rejected attempts!
Does anyone have any suggestions? Mail me please--.