Apache HTTP Server
Apache HTTP Server is an open-source web server maintained by the Apache Software Foundation. It provides very comprehensive and flexible logging capabilities. See Log Files in the Apache HTTP Server Documentation for detailed logging information. This guide provides an overview of configuring logging and collecting Apache logs with NXLog Agent.
Apache error log
Apache error logging is controlled by the ErrorLog, ErrorLogFormat, and LogLevel directives in the main Apache configuration file, apache2.conf.
NXLog Agent can parse error log entries with a regular expression.
The following directives enable error logging of all messages at or above the "informational" severity level, in the specified format, to the specified file. The ErrorLogFormat defined below is equivalent to the default, which includes the timestamp, the module producing the message, the event severity, the process ID, the thread ID, the client address, and the detailed error message.
LogLevel info
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] [client %a] %M"
ErrorLog /var/log/apache2/error.log
The following is a typical log entry found in the Apache HTTP Server log, an NXLog Agent configuration for parsing it, and the resulting JSON.
[Tue Aug 01 07:17:44.496832 2017] [core:info] [pid 15019:tid 140080326108928] [client 192.168.56.1:60154] AH00128: File does not exist: /var/www/html/notafile.html
<Input apache_error>
    Module  im_file
    File    '/var/log/apache2/error.log'
    <Exec>
        # (?x) enables extended mode: unescaped whitespace and the line
        # break inside the pattern are ignored
        if $raw_event =~ /(?x)^\[\S+\ ([^\]]+)\]\ \[(\S+):(\S+)\]\ \[pid\ (\d+):
                          tid\ (\d+)\]\ (\[client\ (\S+)\]\ )?(.+)$/
        {
            $EventTime = parsedate($1);
            $ApacheModule = $2;
            $ApacheLogLevel = $3;
            $ApachePID = $4;
            $ApacheTID = $5;
            # The [client ...] field is optional in the pattern
            if $7 != '' $ClientAddress = $7;
            $Message = $8;
        }
    </Exec>
</Input>
{
  "EventReceivedTime": "2017-08-01T07:17:45.641190+02:00",
  "SourceModuleName": "apache_error",
  "SourceModuleType": "im_file",
  "EventTime": "2017-08-01T07:17:44.496832+02:00",
  "ApacheModule": "core",
  "ApacheLogLevel": "info",
  "ApachePID": "15019",
  "ApacheTID": "140080317716224",
  "ClientAddress": "192.168.56.1:60026",
  "Message": "AH00128: File does not exist: /var/www/html/notafile.html"
}
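To check the pattern against sample lines before deploying it, the same expression can be exercised offline. The Python sketch below is an added example, not part of the NXLog documentation: the function name parse_error_line, the split of the client field into address and port, and the separation of the leading AH identifier are assumptions, and the second sample line is constructed.

```python
import re
from datetime import datetime

# Same structure as the NXLog pattern, with named groups. Literal spaces are
# written as [ ] because re.VERBOSE ignores bare whitespace.
ERROR_RE = re.compile(r"""
    ^\[\S+[ ](?P<time>[^\]]+)\]                   # timestamp, weekday skipped
    [ ]\[(?P<module>\S+):(?P<level>\S+)\]         # module and severity
    [ ]\[pid[ ](?P<pid>\d+):tid[ ](?P<tid>\d+)\]  # process and thread IDs
    [ ](?:\[client[ ](?P<client>\S+)\][ ])?       # optional client address
    (?P<message>.+)$
""", re.VERBOSE)

# Assumption: messages carrying an Apache identifier start with "AHnnnnn:".
CODE_RE = re.compile(r"^(AH\d+):\s*(.*)$")

def parse_error_line(line):
    """Return a dict of fields, or None if the line does not match."""
    m = ERROR_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # callers should count these instead of dropping them
    event = {
        "time": datetime.strptime(m["time"], "%b %d %H:%M:%S.%f %Y"),
        "module": m["module"], "level": m["level"],
        "pid": int(m["pid"]), "tid": int(m["tid"]),
        "client_ip": None, "client_port": None,
        "code": None, "message": m["message"],
    }
    if m["client"]:
        # %a logs address:port; split on the last colon so IPv6 still works
        ip, _, port = m["client"].rpartition(":")
        if ip and port.isdigit():
            event["client_ip"], event["client_port"] = ip, int(port)
    code = CODE_RE.match(m["message"])
    if code:
        event["code"], event["message"] = code.group(1), code.group(2)
    return event

# First sample: the entry shown above. Second: constructed, no [client ...] field.
SAMPLE_WITH_CLIENT = (
    "[Tue Aug 01 07:17:44.496832 2017] [core:info] [pid 15019:tid 140080326108928] "
    "[client 192.168.56.1:60154] AH00128: File does not exist: /var/www/html/notafile.html")
SAMPLE_NO_CLIENT = (
    "[Tue Aug 01 07:17:40.000001 2017] [mpm_event:notice] [pid 15000:tid 140080326108928] "
    "AH00000: constructed startup message")

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_CLIENT, SAMPLE_NO_CLIENT, "not an error log line"):
        print(parse_error_line(sample))
```

Lines that return None did not match the configured ErrorLogFormat; tracking their count shows when a format change has silently stopped field extraction.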
Apache access log
The Apache access log format and file are configured with the LogFormat and CustomLog directives in the main Apache configuration file, apache2.conf.
The LogFormat directive defines a format, while the CustomLog directive configures logging to a specified file in one of the defined formats. Multiple CustomLog directives can be used to enable logging to multiple files.
There are several options for handling logging when using virtual hosts. When specified in the main server context (not in a <VirtualHost> section), the examples below will log all requests exactly as with a single-host server. The %v format string can be added, if desired, to log the name of the virtual server responding to the request. Alternatively, the CustomLog directive can be specified inside a <VirtualHost> section, in which case only the requests served by that virtual server will be logged to the file.
Predefined format strings for the Common Log and Combined Log Formats may be included by default. These predefined formats may use %O (the total bytes sent, including headers) instead of the standard %b (the size of the requested file) to allow detection of partial requests.
The LogFormat directive below creates a format named common that corresponds to the Common Log Format. The second directive configures the Apache HTTP Server to write entries to the access_log file in the common format.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/apache2/access_log common
The following directives will configure the Apache HTTP Server to write entries to the access_log file in the Combined Log Format.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/apache2/access_log combined
See Parse logs in Common and Combined Log Format for NXLog Agent configuration examples for parsing these access log formats.