Documentation forLoggly

Cloudflare Logs

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

If you already send logs to Loggly from Apache-managed websites, you can still add Cloudflare to your Apache configuration. If you do not send Apache Logs to Loggly, you can set that up now.

When you add Cloudflare to your Apache configuration, your existing Loggly integration should not be affected. However, if your site uses custom access and error logs, you need to update your rsyslog Apache configuration file and, if desired, install an Apache module for Cloudflare to log visitor IP addresses on the original server.

Update Rsyslog Apache Configuration File

  1. Locate your Apache access and error log, typically stored in /var/log or its sub-directories. Common paths include /var/log/apache/access.log, /var/log/apache2/access.log , or /var/log/httpd/access.log.

    If you cannot find the config log, try running locate access.log access_log

  2. In your /etc/rsyslog.d/21-apache.conf file, update the Apache access and error file paths to the custom log location.

    For example, if your custom location for the Apache log file is located in /var/log/apache2/custom-access.log, in the rsyslog Apache configuration file, change:

    $InputFileName /var/log/apache2/access.log

    to:

    $InputFileName /var/log/apache2/custom-access.log

Log IP Addresses from Original Server

When Cloudflare is used on an Apache server, visitor IP addresses may display with Cloudflare addresses. To resolve this, follow the instructions to install the Apache module for Cloudflare. This module logs IP addresses from the original server instead of logging Cloudflare addresses.

Without that module enabled, the visitor addresses may be skewed, but the other log directives like user agents and data volume do not require any special configuration for the data to display correctly.