Apache not logging all accesses to the server


We recently moved our site to a new hosting company. Since moving, our traffic stats are about 10% of what they were previously. I've been trying to figure this out for a while, but I'm at a loss. I'm hoping some Apache guru can spot the issue.

I ran this command to see who was accessing the server.

# netstat -tn 2>/dev/null | grep :443 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
     22 138.201.194.181
     18 156.26.45.19
      8 104.28.85.11
      4 85.237.194.119
      3 167.94.195.128
      2 98.156.0.18
      2 46.161.11.28
      2 193.218.190.123
      2 173.242.192.184
      2 157.55.39.49

Then I grepped the logs for the IPs.

grep "138.201.194.101" /var/log/httpd/stovebolt/*
# grep "156.26.45.19" /var/log/httpd/stovebolt/* | wc -l
235

grep -l  "156.26.45.19" /var/log/httpd/stovebolt/* 
/var/log/httpd/stovebolt/ssl_request_log

So, one IP isn't in any logs, even though it has the most connections. The next IP is in the logs, but only in the ssl_request.log, not the access.log. That makes no sense to me at all. I've engaged the support staff at the hosting company but so far they've come up with nothing.

My IP doesn't show up in the logs, and I'm on the site every day doing moderation work, accepting new registrations on the forum, approving posts of new members, etc.

grep -l "70.121.63.82" /var/log/httpd/stovebolt/*
/var/log/httpd/stovebolt/access.log-20220619
/var/log/httpd/stovebolt/error.log-20220619
/var/log/httpd/stovebolt/ssl_access_log
/var/log/httpd/stovebolt/ssl_request_log
/var/log/httpd/stovebolt/ssl_request.log-20220619
grep "70.121.63.82" /var/log/httpd/stovebolt/ssl_access_log 
70.121.63.82 - - [05/Jul/2022:15:19:07 -0400] "-" 408 -
70.121.63.82 - - [05/Jul/2022:15:19:08 -0400] "-" 408 -
70.121.63.82 - - [05/Jul/2022:15:20:20 -0400] "-" 408 -
70.121.63.82 - - [05/Jul/2022:15:20:20 -0400] "-" 408 -

This is my log info.

The server is on EDT, which is where the owners are located. (The server itself is located in CDT.)

 date
Tue Jul  5 15:39:11 EDT 2022
ls /var/log/httpd/stovebolt/
access.log           access.log-20220626  error.log           error.log-20220626  ssl_access_log   ssl_request.log           ssl_request.log-20220626
access.log-20220619  access.log-20220703  error.log-20220619  error.log-20220703  ssl_request_log  ssl_request.log-20220619  ssl_request.log-20220703
# grep -A1 ".log" /etc/httpd/conf.d/stovebolt.conf
	TransferLog  /var/log/httpd/stovebolt/access.log
	ErrorLog /var/log/httpd/stovebolt/error.log
#        LogLevel alert rewrite:trace3
--
        CustomLog "/var/log/httpd/stovebolt/ssl_request.log" \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Edited by stoveboltgeek
adding more info
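
An added example, not part of the original post: a shell script that automates the netstat-then-grep cross-check described above by piping the peer addresses straight into a fixed-string search over every file in a log directory, so no address is retyped and the dots are not treated as regex wildcards. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.

# Read `netstat -tn` output on stdin; print the unique remote IPs of TCP
# connections whose LOCAL port is $1 (default 443). Checking the local-address
# column skips the server's own outbound connections to another host's :443.
peers_from_netstat() {
    awk -v p=":${1:-443}\$" '$1 ~ /^tcp/ && $4 ~ p {
        sub(/:[0-9]+$/, "", $5); sub(/^::ffff:/, "", $5); print $5 }' | sort -u
}

# For each IP on stdin print "ip file count" for every regular file in
# directory $1 that mentions it, or "ip - 0" when no file does.
# -F: dots are literal, not regex wildcards; -w: 1.2.3.4 does not match 1.2.3.40.
log_hits() {
    dir=$1
    while IFS= read -r ip; do
        found=0
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            n=$(grep -c -F -w -- "$ip" "$f") || true
            if [ "$n" -gt 0 ]; then
                printf '%s %s %s\n' "$ip" "${f##*/}" "$n"
                found=1
            fi
        done
        [ "$found" -eq 1 ] || printf '%s - 0\n' "$ip"
    done
}

# Constructed sample data (documentation address ranges, not the poster's logs).
demo_report() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '203.0.113.7 - - [05/Jul/2022:15:19:07 -0400] "GET / HTTP/1.1" 200 512' \
        '203.0.113.70 - - [05/Jul/2022:15:19:08 -0400] "-" 408 -' > "$d/ssl_access_log"
    printf '%s\n' '[05/Jul/2022:15:19:07 -0400] 203.0.113.7 TLSv1.2 - "GET / HTTP/1.1" 512' \
        > "$d/ssl_request_log"
    printf '%s\n' 'tcp 0 0 192.0.2.10:443 203.0.113.7:51000 ESTABLISHED' \
        'tcp 0 0 192.0.2.10:443 198.51.100.9:40022 ESTABLISHED' \
        'tcp 0 0 192.0.2.10:39000 198.51.100.44:443 ESTABLISHED' |
        peers_from_netstat 443 | log_hits "$d"
    rm -rf "$d"
}

demo_report
```

Against the live directory the same pipeline is `netstat -tn | peers_from_netstat 443 | log_hits /var/log/httpd/stovebolt`; compressed rotated logs are not searched.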