Apache Logs
The Apache HTTP server logs it’s access and error logs to files by default. Syslog daemons such as rsyslog can monitor these files and send them to Loggly. This guide assumes you use rsyslog 5.8 or higher, TCP over port 514, the standard Apache logs directory for Ubuntu, and the default Apache logging format. This script has been tested with Apache version 2.4.7. For alternatives, please see the Advanced Options section.
Automatic Apache Script
1. Run The Configure Apache Script
Run our automatic configure-apache script below to setup Apache logging and send the logs to Loggly through your syslog daemon. Alternatively, you can follow our manual configuration instructions below.
curl -O http://www.kaihua.site/install/configure-apache.sh sudo bash configure-apache.sh -a SUBDOMAIN -u USERNAME
Replace:
- SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
- USERNAME: your Loggly username, which is visible at the top right of the Loggly console
You will need to enter your system root password so it can update your rsyslog configuration. It will then prompt for your Loggly password.
2. Verify Events
Search Loggly for events with the apache tag over the past hour. It may take a few minutes to index the event. If it doesn’t work, see the troubleshooting section below.
tag:apache
Click on one of the logs to show a list of Apache fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed formats.
3. Use Your Logs
Get value from your logs by solving problems and proactively preventing them.
- Troubleshoot Apache Problems – Find the root cause of Apache errors or unusual traffic patterns
- Apache Alerts and Dashboards – Monitor for Apache errors and slow response time
Manual Configuration
1. Configure Syslog Daemon
If you haven’t already, run our automatic Configure-Syslog script below to setup rsyslog. Alternatively, you can manually configure Rsyslog or Syslog-ng.
curl -O http://www.kaihua.site/install/configure-linux.sh sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME
Replace:
- SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
- USERNAME: your Loggly username, which is visible at the top right of the Loggly console
2. Setup Apache File Monitoring
Copy this to your terminal window and run it. It will make sure the working directory exists. If it’s an Ubuntu system, it will set the proper permissions. It will then open an Apache configuration file.
sudo mkdir -v /var/spool/rsyslog if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then sudo chown -R syslog:adm /var/spool/rsyslog fi sudo vim /etc/rsyslog.d/21-apache.conf
Copy in the additional configuration below to add file monitoring for Apache access and error logs.
$ModLoad imfile $InputFilePollInterval 10 $PrivDropToGroup adm $WorkDirectory /var/spool/rsyslog # Apache access file: $InputFileName /var/log/apache2/access.log $InputFileTag apache-access: $InputFileStateFile stat-apache-access $InputFileSeverity info $InputFilePersistStateInterval 20000 $InputRunFileMonitor #Apache Error file: $InputFileName /var/log/apache2/error.log $InputFileTag apache-error: $InputFileStateFile stat-apache-error $InputFileSeverity error $InputFilePersistStateInterval 20000 $InputRunFileMonitor #Add a tag for apache events $template LogglyFormatApache,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"apache\"] %msg%\n" if $programname == 'apache-access' then @@logs-01.loggly.com:514;LogglyFormatApache if $programname == 'apache-access' then ~ if $programname == 'apache-error' then @@logs-01.loggly.com:514;LogglyFormatApache if $programname == 'apache-error' then ~
Replace:
- TOKEN: your customer token from the source setup page
- InputFileName: The example is designed for Debian-based systems like Ubuntu. For Redhat and CentOS, change to /var/log/httpd/access_log and /var/log/httpd/error_log. Use your custom log file location if you use a non-standard one.
Restart rsyslogd
$ sudo service rsyslog restart
3. Verify Events
Search Loggly for events with the Apache tag over the past hour. It may take a few minutes to index the event. If it doesn’t work, see the troubleshooting section below.
tag:apache
Click on one of the logs to show a list of Apache fields (see screenshot below). If you don’t see them, please check that you are using one of our automatically parsed formats.
4. Use Your Logs
Get value from your logs by solving problems and proactively preventing them.
- Troubleshoot Apache Problems – Find the root cause of Apache errors or unusual traffic patterns
- Apache Alerts and Dashboards – Monitor for Apache errors and slow response time
Advanced Apache Logs Options
- Apache Automated Parsing – shows a list of Apache formats that we parse automatically
- Apache Virtualhost Support – You can create virtual hosts in your local apache server by creating following configurations and for each host you can create the logs in apache access and error files.
<VirtualHost *:80> ServerAdmin admin@localhost ServerName example.com ServerAlias www.example.com DocumentRoot /var/www/example.com/public_html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> - Logging in JSON – us to parse non-standard apache formats
- Forwarding Directly Over Syslog – can offer greater speed for error events
- Scrubbing or Filtering Apache Logs – to remove personally identifying information like IP addresses or reduce overall volume
- Script Source on GitHub – View the source or suggest improvements
- Log Rotation – if you use log rotation, you must add commands to refresh the files
- Check out our internal documents on best practices for Apache logging, analyzing Apache logs, and monitoring Apache logs.
- Search or post your own Apache server logs or access logs questions in the community forum or check out our Apache log analyzer post.
Apache Logs Troubleshooting
If you don’t see any data show up in the verification step, then check for these common problems.
Check Apache:
- Wait a few minutes in case indexing needs to catch up
- Make sure you replaced your customer token in the configuration file
- Check the apache log files to make sure they exist and you have the right path and permissions
- Try sending a test log with an apache tag: logger -t apache-access test
Check Your Syslog Daemon:
SELinux Error:
- Sample Error Messages:
ERROR: selinux status is 'Enforcing'. Please manually restart the rsyslog daemon or turn off selinux by running 'setenforce 0' and then rerun the script.
If you see this error then you will need to disable the SELinux by setting it to permissive mode using the below command:
sudo setenforce 0
Still Not Working?
- Search or post your own questions on log files, error logs, log rotation, Apache log format, and more in the community forum.