OK, thanks. I read up on activating valves within server.xml... activating the logging valve produces...
which is already happening. I'm not sure if it is via default (Tomcat 9). I might have gone down this road before and activated the valve when I installed, I can't remember.
Anyway, I now understand the difference/purpose between
So if I try to "line up" the weird error times in catalina with the IP and request times in localhost_access, they almost align. All requests are coming from that same IP referenced earlier. So they seem to point to that internal vulnerability software.
1. There are a bunch of invalid message received errors logged in catalina between 2:23 and 2:28. However, localhost starts logging GETs between 2:26 and 2:43.
2. Another set from the same IP appears in both logs at 2:56; those seem to sync almost perfectly.
Since all this junk happens within the same half hour every day, I'm sure it's the same internal source. However, could those time differences be normal, attributable to, I don't know, processing times within Tomcat and network? Thank you.