Apache HTTP Server

Apache HTTP Server is an open-source web server maintained by the Apache Software Foundation. It provides very comprehensive and flexible logging capabilities. See Log Files in the Apache HTTP Server Documentation for detailed logging information. This guide provides an overview of configuring logging and collecting Apache logs with NXLog Agent.

Apache error log

Apache error logging is controlled by the ErrorLog, ErrorLogFormat, and LogLevel directives in the main Apache configuration file, apache2.conf. NXLog Agent can parse error log entries with a regular expression.

Example 1. Using the Apache error log

The following directives enable error logging of all messages at or above the "informational" severity level, in the specified format, to the specified file. The ErrorLogFormat defined below is equivalent to the default, which includes the timestamp, the module producing the message, the event severity, the process ID, the thread ID, the client address, and the detailed error message.

apache2.conf
LogLevel info
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] [client %a] %M"
ErrorLog /var/log/apache2/error.log

The following is a typical entry from the Apache HTTP Server error log, an NXLog Agent configuration for parsing it, and the resulting JSON.

Apache log sample
[Tue Aug 01 07:17:44.496832 2017] [core:info] [pid 15019:tid 140080326108928] [client 192.168.56.1:60154] AH00128: File does not exist: /var/www/html/notafile.html

nxlog.conf
<Input apache_error>
    Module  im_file
    File    '/var/log/apache2/error.log'
    <Exec>
        if $raw_event =~ /(?x)^\[\S+\ ([^\]]+)\]\ \[(\S+):(\S+)\]\ \[pid\ (\d+):
                          tid\ (\d+)\]\ (\[client\ (\S+)\]\ )?(.+)$/
        {
            $EventTime = parsedate($1);
            $ApacheModule = $2;
            $ApacheLogLevel = $3;
            $ApachePID = $4;
            $ApacheTID = $5;
            if $7 != '' $ClientAddress = $7;
            $Message = $8;
        }
    </Exec>
</Input>

Output sample
{
  "EventReceivedTime": "2017-08-01T07:17:45.641190+02:00",
  "SourceModuleName": "apache_error",
  "SourceModuleType": "im_file",
  "EventTime": "2017-08-01T07:17:44.496832+02:00",
  "ApacheModule": "core",
  "ApacheLogLevel": "info",
  "ApachePID": "15019",
  "ApacheTID": "140080317716224",
  "ClientAddress": "192.168.56.1:60026",
  "Message": "AH00128: File does not exist: /var/www/html/notafile.html"
}

Apache access log

The Apache access log format and file are configured with the LogFormat and CustomLog directives in the main Apache configuration file, apache2.conf. The LogFormat directive defines a format, while the CustomLog directive configures logging to a specified file in one of the defined formats. Multiple CustomLog directives can be used to enable logging to multiple files.

There are several options for handling logging when using virtual hosts. When specified in the main server context (not in a <VirtualHost> section), the examples below will log all requests exactly as with a single-host server. The %v format string can be added, if desired, to log the name of the virtual server responding to the request. Alternatively, the CustomLog directive can be specified inside a <VirtualHost> section, in which case only the requests served by that virtual server will be logged to the file.

Predefined format strings for the Common Log and Combined Log Formats may be included by default. These predefined formats may use %O (the total bytes sent including headers) instead of the standard %b (the size of the requested file) to allow detection of partial requests.

Example 2. Using the Common Log Format for the Apache access log

The LogFormat directive below creates a format named common that corresponds to the Common Log Format. The second directive configures the Apache HTTP Server to write entries to the access_log file in the common format.

apache2.conf
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/apache2/access_log common

Example 3. Using the Combined Log Format for the Apache access log

The following directives will configure the Apache HTTP Server to write entries to the access_log file in the Combined Log Format.

apache2.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/apache2/access_log combined
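
The following Python parser for the common and combined formats defined in Examples 2 and 3 is an added example, not part of the NXLog guide or NXLog Agent. It relies on Apache's documented escaping of double quotes and backslashes inside quoted fields, so a quote in a header value cannot shift the field boundaries; the function name, field names, and sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Quoted fields (%r, %{Referer}i, %{User-agent}i): Apache logs a literal '"' as \"
# and '\' as \\, so a field body is "plain characters or backslash pairs".
QUOTED = r'(?:[^"\\]|\\.)*'

# Matches the page's "common" format; the optional tail adds "combined".
ACCESS_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) (?P<size>\d+|-)'
    rf'(?: "(?P<referer>{QUOTED})" "(?P<agent>{QUOTED})")?'
)

def parse_access_line(line):
    """Return a dict of parsed fields, or None if the line fits neither format."""
    m = ACCESS_RE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return None
    try:
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # "-" is Apache's placeholder for "no value"; drop those fields.
    ev = {k: v for k, v in m.groupdict().items() if v not in (None, "-")}
    ev.update(time=when, status=int(m["status"]), size=int(ev.get("size", 0)))
    # Split the request line only when it has the usual three parts;
    # timeouts ("-") and malformed requests keep just the raw value, if any.
    parts = ev.get("request", "").split(" ")
    if len(parts) == 3:
        ev["method"], ev["uri"], ev["protocol"] = parts
    return ev

# Constructed sample lines (not from the page).
SAMPLES = [
    r'192.168.56.1 - - [01/Aug/2017:07:17:44 +0200] "GET /index.html HTTP/1.1" 304 -',
    r'192.168.56.1 - alice [01/Aug/2017:07:18:02 +0200] "GET /index.html HTTP/1.1" '
    r'200 3380 "-" "agent \" 200 0 \"x"',
    r'192.168.56.1 - - [01/Aug/2017:07:19:10 +0200] "-" 408 -',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_access_line(s))
```

Field values are kept exactly as logged, escapes included, so downstream tooling sees the same bytes Apache wrote.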

Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The content was tested and confirmed to work in our lab environment at the time of the last revision with the following software versions:

NXLog Agent version 5.4.7313

Last revision: 2 February 2022