10.16 Do not resolve hosts on logging valves

Information

Setting enableLookups to true on Connector will result in a DNS look-ups to obtain the host name of the remote client before logging any information. This uses additional resources when logging.

Rationale:

Allowing enableLookups adds additional overhead to resolve the host name of a remote client which is rarely needed.

Solution

In Connector elements, set the enableLookups attribute to false or remove it.

<Connector ... enableLookups='false' />

Default Value:

By default, DNS lookups are disabled.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: d85fc722b9a0dc9d098a001c87b346a5c819267109842ca731c3b3dc7909eff7