web.apache

The Apache logs are labeled with the web.apache.type.environment.application.clon tag.

Tag Structure

The elements environment, application and clon are free, but mandatory. They take whatever value the user chooses to identify the event source, and they must always be present. The name of each of these elements reflects its intended use:

  • environment: the environment where the event occurs (development, testing, production, etc.). The number and names of the environments are not fixed by Devo, since there could be a lot of variation between facilities.
  • application: the web application name.
  • clon: the name of the Apache instance that caused the event. Depending on the customer, it could be a machine name, the virtual name of an Apache process, etc.

For more information on how tags work, check the Introduction to tags article.

The element type is fixed and it identifies the type and format of the sent event. Devo accepts the error and access logs (in 4 different formats), and the ModSecurity module log. This element can take one of the following values: 

  • error
  • mod-security
  • access-clf
  • access-combined
  • access-vhc
  • access-lt 
  • access-lt-xff

The Apache error log has a fixed format that cannot be configured. This log must be sent with the element type set as error.

The ModSecurity module log format is also fixed, and it must be sent with the element type set as mod-security.

The access log is the most versatile log from Apache. The event content, both format and fields, can be controlled in detail. Devo supports 5 access event formats, 3 standard and 2 defined by Devo for users who need more details. Each event is identified with a value for the type element.

  • access-clf for the Common Log Format (CLF). The directive to define this (default) format is:

    CLF

    LogFormat "%h %l %u %t \"%r\" %>s %O" common
  • access-combined for the NCSA extended/combined log format. The directive to define this format is:

    Combined

    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
  • access-vhc for the NCSA extended/combined log format with virtual host. The directive to define this format is:

    Virtual Host Combined

    LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
  • access-lt for the Devo defined format that adds more details to the standard formats listed above. The directive to define this format is:

    Devo Access

    LogFormat "%{%F:%T%z}t %a %l %u %v:%p \"%r\" \"%U\" \"%{Referer}i\" \"%{User-Agent}i\" \"%{c1}C:%{c2}C\" %>s %X %I %D %B %O" access-lt
    • Where "%{c1}C:%{c2}C:...:%{cN}C" lists the names of the cookies you want to be reflected in the log. If you don't want to save any cookie, just leave the field empty ("").

  • access-lt-xff, same as access-lt format, but oriented to web servers that are behind a balancer or reverse proxy and where the client source IP is from the X-Forwarded-For header. The directive to define this format is:

    Devo Access X-Forwarded-For

    LogFormat "%{%F:%T%z}t %a \"%{X-Forwarded-For}i\" %l %u %v:%p \"%r\" \"%U\" \"%{Referer}i\" \"%{User-Agent}i\" \"%{c1}C:%{c2}C\" %>s %X %I %D %B %O" access-lt-xff
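
As an added example (not Devo's own code), the following Python parses events written with the access-lt and access-lt-xff directives above and returns None when a line does not fit the declared type. The field names, the sample lines and the trusted_proxies set are assumptions of this example; because X-Forwarded-For is a request header set by the client, client_ip only honours it when the connection itself came from a listed proxy.

```python
import re

BARE = r'(?P<{}>\S+)'
NUM = r'(?P<{}>\d+)'
QUOTED = r'"(?P<{}>(?:[^"\\]|\\.)*)"'  # Apache writes embedded quotes as \"

# Field order of the access-lt LogFormat; the field names are this example's own.
ACCESS_LT = [("time", BARE), ("addr", BARE), ("logname", BARE), ("user", BARE),
             ("vhost", BARE), ("request", QUOTED), ("path", QUOTED),
             ("referer", QUOTED), ("user_agent", QUOTED), ("cookies", QUOTED),
             ("status", NUM), ("conn", BARE), ("bytes_in", NUM),
             ("duration_us", NUM), ("body_bytes", NUM), ("bytes_out", NUM)]
# access-lt-xff adds the quoted X-Forwarded-For header right after %a.
ACCESS_LT_XFF = ACCESS_LT[:2] + [("xff", QUOTED)] + ACCESS_LT[2:]
NUMERIC = {name for name, rx in ACCESS_LT if rx == NUM}

def _compile(fields):
    return re.compile(" ".join(rx.format(name) for name, rx in fields))

PATTERNS = {"access-lt": _compile(ACCESS_LT),
            "access-lt-xff": _compile(ACCESS_LT_XFF)}

def parse(line, log_type):
    """Return the event as a dict, or None when the line does not fit log_type."""
    m = PATTERNS[log_type].fullmatch(line.strip())
    if m is None:
        return None
    return {k: int(v) if k in NUMERIC else v for k, v in m.groupdict().items()}

def client_ip(event, trusted_proxies):
    """Right-most X-Forwarded-For hop that is not one of our own proxies."""
    if event["addr"] not in trusted_proxies:
        return event["addr"]  # direct connection: the header is unverified
    hops = [h.strip() for h in event.get("xff", "").split(",")]
    for hop in reversed(hops):
        if hop and hop != "-" and hop not in trusted_proxies:
            return hop        # hops further left were supplied by the client
    return event["addr"]

# Constructed sample events (documentation address ranges, not real traffic).
LT = r'2024-05-01:12:34:56+0000 203.0.113.7 - - www.example.com:443 "GET /index.html?x=1 HTTP/1.1" "/index.html" "-" "curl/8.0" "-:-" 200 + 120 3500 512 780'
XFF = r'2024-05-01:12:34:57+0000 10.0.0.5 "198.51.100.9, 203.0.113.7" - alice www.example.com:443 "POST /login HTTP/1.1" "/login" "https://www.example.com/" "Mozilla/5.0 \"test\"" "abc:-" 302 - 640 12000 0 310'

if __name__ == "__main__":
    print(client_ip(parse(XFF, "access-lt-xff"), {"10.0.0.5"}))
```

A line parsed with the wrong type returns None, which is the same mismatch that occurs when an event is sent with a type element that does not correspond to its LogFormat.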

Sending to Devo via files

The standard method is to configure Apache to write the logs to file and rely on another tool (like rsyslog or syslog-ng) to send the events. This configuration requires 3 steps: 

  1. Choose and configure the access log format.
  2. Choose the destination file for the Apache logs to be sent to Devo and configure Apache.
  3. Configure the external tool to send the files from the previous step with the appropriate tags.

Directive for the destination file

  • The destination for the error log is specified with ErrorLog. Apache only accepts one destination for this type of event. If this directive is repeated, only the last one is effective. The error logs have a level indicating the error severity. There is a cutoff level, so events with a severity lower than the cutoff level are not saved to file. By default, this cutoff level is warn, but it can be changed with LogLevel. We recommend setting it to info.

    Configuration example for the error log

    LogLevel info
    ErrorLog "/var/log/apache/error.log"
  • The destination for the access log is specified with the CustomLog directive. Access events can be sent to multiple destinations, each with a different format, by repeating this directive. This is useful if you want to save access events locally in one format and send them to Devo in another.

    Configuration example for access log

    LogFormat "%{%F:%T%z}t %a %l %u %v:%p \"%r\" \"%U\" \"%{Referer}i\" \"%{User-Agent}i\" \"%{c1}C:%{c2}C\" %>s %X %I %D %B %O" access-lt
    CustomLog "/var/log/apache/access.log" access-lt

Sending to Devo via process 

The ErrorLog and CustomLog directives can write not only to a file but also to an external process. You only need to set the program name with the necessary arguments, preceded by a vertical bar ("|"). The key to this delivery method is the selection of the external program. We recommend using a program able to send through syslog to a local daemon, to a remote relay or even indirectly to Devo.

The simplest way is to use the logger program, usually found on any Unix: 

Forwarding to local syslog

ErrorLog  "|logger -t web.apache.error.env.app.clon1 -n server -P port"
CustomLog "|logger -t web.apache.access-lt.env.app.clon1 -n server -P port" access-lt

Apache and Syslog

Apache is able to send error logs via syslog. We do not recommend using this feature because this sending mechanism does not exist for other logs and the installation won't be uniform. 
