Documentation for Loggly

Apache Logs

Loggly provides the infrastructure to aggregate and normalize log events so they are available to explore interactively, build visualizations, or create threshold-based alerting. In general, any method to send logs from a system or application to an external source can be adapted to send logs to Loggly. The following instructions provide one scenario for sending logs to Loggly.

The Apache HTTP server logs its access and error logs to files by default. Syslog daemons such as rsyslog can monitor these files and send them to Loggly. This guide assumes you use rsyslog 5.8 or higher, TCP over port 514, the standard Apache logs directory for Ubuntu, and the default Apache logging format. This script has been tested with Apache version 2.4.7. For alternatives, see Advanced Options.

Automatic Configuration

1. Run the Configure Apache Script

Run the automatic configure-apache script below to set up Apache logging and send the logs to Loggly through your syslog daemon. Alternatively, you can follow our Manual Configuration instructions below.

curl -O https://www.loggly.com/install/configure-apache.sh
sudo bash configure-apache.sh -a SUBDOMAIN -u USERNAME

In the script, replace:

  • SUBDOMAIN with your account subdomain, which you created when you signed up for Loggly
  • USERNAME with your Loggly username, which is visible at the top right of the Loggly console

When prompted, enter your system root password so the script can update your rsyslog configuration. You are then prompted for your Loggly password.

2. Verify Events

Search Loggly for events with the apache tag over the past hour. It may take a few minutes to index the event. If it doesn’t work, see Troubleshooting.

tag:apache

Click one of the logs to show a list of Apache fields (see screenshot below). If you don’t see them, check that you are using one of the automatically parsed formats.

Apache logs in Loggly

3. Use Your Logs

Get value from your logs by solving problems and proactively preventing them.

Manual Configuration

1. Configure Syslog Daemon

If you haven’t already, run the automatic Configure-Syslog script below to set up rsyslog. Alternatively, you can manually configure Rsyslog or Syslog-ng.

curl -O https://www.loggly.com/install/configure-linux.sh
sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME
In the code, replace:
  • SUBDOMAIN with your account subdomain, which you created when you signed up for Loggly
  • USERNAME with your Loggly username, which is visible at the top right of the Loggly console

2. Setup Apache File Monitoring

Copy this to your terminal window and run it. The code ensures the working directory exists. If you are using an Ubuntu system, the code sets the proper permissions. It then opens an Apache configuration file.

sudo mkdir -pv /var/spool/rsyslog
if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
  sudo chown -R syslog:adm /var/spool/rsyslog
fi
sudo vim /etc/rsyslog.d/21-apache.conf

Copy in the additional configuration below to add file monitoring for Apache access and error logs.

$ModLoad imfile
$InputFilePollInterval 10 
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog
# Apache access file:
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
#Apache Error file: 
$InputFileName /var/log/apache2/error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
#Add a tag for apache events
$template LogglyFormatApache,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"apache\"] %msg%\n"
if $programname == 'apache-access' then @@logs-01.loggly.com:514;LogglyFormatApache
if $programname == 'apache-access' then ~
if $programname == 'apache-error' then @@logs-01.loggly.com:514;LogglyFormatApache
if $programname == 'apache-error' then ~
In the code, replace:
  • TOKEN with your customer token from the source setup page
  • InputFileName with the path to each log file.
    The example is designed for Debian-based systems like Ubuntu.
    For Red Hat and CentOS, change to /var/log/httpd/access_log and /var/log/httpd/error_log.
    Use your custom log file location if you use a non-standard one.

Restart rsyslogd
$ sudo service rsyslog restart

3. Verify Events

Search Loggly for events with the apache tag over the past hour. It may take a few minutes to index the event. If it doesn’t work, see Troubleshooting.

tag:apache

Click on one of the logs to show a list of Apache fields (see screenshot below). If you don’t see them, check that you are using one of the automatically parsed formats.

Apache logs in Loggly

4. Use Your Logs

Get value from your logs by solving problems and proactively preventing them.

Advanced Apache Logs Options

  • Apache Automated Parsing – shows a list of Apache formats that we parse automatically
  • Apache Virtualhost Support – You can create virtual hosts on your local Apache server with a configuration like the following. Each host can write its logs to the Apache access and error files.
    <VirtualHost *:80>
      ServerAdmin admin@localhost
      ServerName example.com
      ServerAlias www.example.com
      DocumentRoot /var/www/example.com/public_html
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
  • Logging in JSON – use to parse non-standard Apache formats
  • Script Source on GitHub – View the source or suggest improvements
  • Log Rotation – if you use log rotation, you must add commands to refresh the files
  • Check out our internal documents on best practices for Apache logging, analyzing Apache logs, and monitoring Apache logs.
  • Search or post your own Apache server logs or access logs questions in the community forum or check out our Apache log analyzer post.

Apache Logs Troubleshooting

If you don’t see any data show up in the verification step, check for these common problems.

Check Apache:

  • Wait a few minutes in case indexing needs to catch up.
  • Make sure you replaced your customer token in the configuration file.
  • Check the Apache log files to make sure they exist and you have the right path and permissions.
  • Try sending a test log with an apache tag: logger -t apache-access test.
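
The token, path and permission checks above can be scripted against the file-monitoring configuration from Manual Configuration step 2. This is an added example, not part of Loggly's scripts; the function name check_apache_conf is an assumption, and it takes the path of the rsyslog configuration file as its argument.

```shell
# Added example: lint the imfile config from step 2 before restarting rsyslog.
# check_apache_conf is a hypothetical helper name, not part of Loggly's scripts.
# Prints one line per problem; the return status is the number of problems.
check_apache_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # The literal placeholder TOKEN must have been replaced in the template.
    if grep -q '\[TOKEN@41058' "$conf"; then
        echo "customer token placeholder TOKEN was not replaced"
        problems=$((problems + 1))
    fi

    # Group rsyslog drops to ($PrivDropToGroup); it must be able to read the logs.
    grp=$(awk '$1 == "$PrivDropToGroup" { print $2 }' "$conf")

    # Paths containing whitespace are not handled by this simple loop.
    for f in $(awk '$1 == "$InputFileName" { print $2 }' "$conf"); do
        if [ ! -f "$f" ]; then
            echo "monitored file missing: $f"
            problems=$((problems + 1))
        elif [ -n "$(find "$f" -perm -004)" ]; then
            :   # world-readable
        elif [ "$(ls -ld "$f" | awk '{ print $4 }')" = "$grp" ] &&
             [ -n "$(find "$f" -perm -040)" ]; then
            :   # group-readable by the drop group
        else
            echo "monitored file not readable by group '$grp': $f"
            problems=$((problems + 1))
        fi
    done

    # Each $InputFileName only takes effect with its own $InputRunFileMonitor.
    names=$(grep -c '^\$InputFileName' "$conf" || true)
    runs=$(grep -c '^\$InputRunFileMonitor' "$conf" || true)
    if [ "$names" -ne "$runs" ]; then
        echo "$names \$InputFileName lines but $runs \$InputRunFileMonitor lines"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it as root so the log directory can be inspected, for example against /etc/rsyslog.d/21-apache.conf. After a clean result, `sudo rsyslogd -N1` runs rsyslog's own configuration check before you restart the daemon.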

Check Your Syslog Daemon:

SELinux Error:

  • Sample Error Messages:
    ERROR: selinux status is 'Enforcing'. Please manually restart the rsyslog daemon or turn off selinux by running 'setenforce 0' and then rerun the script. 

    If you see this error, disable SELinux enforcement by setting it to permissive mode using the command:

    sudo setenforce 0 

Still Not Working?

The scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.