Comment by kazinator

7 months ago

I believe Apache is logging complete requests. For instance, in the case of clients sent to a honeypot, I see a log entry appear when I pick a honeypot script from the process listing and kill it. That could be hours after the client connected. The timestamps logged are connection time, not completion time. E.g. here is a pair of consecutive logs:

  124.243.178.242 - - [29/Apr/2025:00:16:52 -0700] "GET /cgit/[...]
  94.74.94.113 - - [29/Apr/2025:00:07:01 -0700] "GET /honeypot/[...]

Notice the second timestamp is almost ten minutes earlier.
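
The ordering effect described in the comment above can be turned into a check for long-held connections; this is an added example, not part of the original comment. It assumes, as the comment describes, that each entry is written when the request finishes but stamped with its start time; the sample lines, addresses, and the name `find_held_requests` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache common log format (not from the original comment).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Apr/2025:00:16:50 -0700] "GET /cgit/ HTTP/1.1" 200 512
192.0.2.11 - - [29/Apr/2025:00:16:52 -0700] "GET /cgit/ HTTP/1.1" 200 734
198.51.100.7 - - [29/Apr/2025:00:07:01 -0700] "GET /honeypot/ HTTP/1.1" 200 90
192.0.2.12 - - [29/Apr/2025:00:16:55 -0700] "GET /cgit/ HTTP/1.1" 200 611
this line is not a log entry
198.51.100.8 - - [28/Apr/2025:22:01:30 -0700] "GET /honeypot/ HTTP/1.1" 200 90
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_held_requests(log_text, min_lag_seconds=60):
    """Return (client, request, lag_seconds) for entries stamped earlier than
    an entry already written above them in the file.

    The stamp is the start time and the line is written at completion, so the
    lag is a lower bound on how long the request stayed open."""
    latest = None  # newest start time seen so far in file order
    held = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        client, stamp, request = m.groups()
        try:
            ts = datetime.strptime(stamp, TIME_FMT)
        except ValueError:
            continue  # skip entries with a malformed timestamp
        if latest is not None:
            lag = (latest - ts).total_seconds()
            if lag >= min_lag_seconds:
                held.append((client, request, int(lag)))
        if latest is None or ts > latest:
            latest = ts
    return held


if __name__ == "__main__":
    for client, request, lag in find_held_requests(SAMPLE_LOG):
        print(f"{client} held open >= {lag}s: {request}")
```

The threshold filters out the few seconds of reordering that ordinary concurrent requests produce, leaving only entries that were held open for a long time.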