October 31, 2022
Logging is an important part of the Apache web server. All successful client requests are logged in the Apache access log, and all error events are logged in the Apache error log. These logs play a pivotal role when troubleshooting web application issues.
In this guide—part one of two in our series on Apache logging—we’ll learn about Apache web server logging and how to configure it. We’ll also cover the different log levels and formats, log rotation, and how to configure the logs for virtual hosts.
There are mainly two types of Apache web server logs: the access logs and the error logs.
Access logs contain information about client requests processed by the web server. Information in each log entry includes:
The following snippet shows a sample access log:
Error logs contain information about any internal errors encountered when the Apache web server starts or runs, as well as errors raised when processing a client request. The following is a typical example of an error log entry:
The location of log files for the Apache web server can vary based on the operating system. For example, the default location on a CentOS/RedHat system is the /var/log/httpd directory, whereas in an Ubuntu system, the location is typically
You can change the default log location by setting certain parameters in the Apache configuration file. For example, to change the error log location on a CentOS system, you can edit the /etc/httpd/conf/httpd.conf file and set the ErrorLog directive like this:
When you change the log location, you need to make sure the new directory exists on the server and the Apache process user has the permissions to read from and write to that directory. The changes take effect once you restart the Apache web service.
Similarly, you can change the access log location by setting the
The log level configuration dictates the type of messages logged in the error log. You can set this value to any of the following values:
A value between
trace8 (highest level)
The lower the log level, the more verbose the log entries are. The warn level is the default log level setting, but you can change it by setting the LogLevel directive in the Apache configuration file to a different value.
Let’s see how changing the log level affects the verbosity. The following entries are recorded when the LogLevel is set to
After changing the
info, we restart Apache and clear the old log entries. The resulting error log looks like this:
As you can see, the error log now has some entries of type http2:info which were not there before. That’s because the server is now also logging the info type messages.
By default, the Apache web server access log uses a combined log format. You can see the field definition for the log format from the Apache configuration file (apache2.conf). The following snippet, for example, shows the LogFormat directive in a CentOS server:
The common log format is defined as:
As you can see, the combined log format is similar to the common log format, except it has two extra fields:
The % symbol precedes the field names. Some of the important fields in the access log are:
Using these basic field definitions, you can easily identify the key information from the access log. Let’s consider the access log snippet below.
You can see the first entry shows the client IP address is 126.96.36.199. The client was using the Safari browser running on Mac OS X. The HTTP request method was GET, and the web server responded with a status code of 403 (forbidden). In other words, it refused the client’s request. The total number of bytes transferred to the client was 199691.
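The field-by-field reading above can be automated. The following Python script is an added example, not code from the original article: it parses lines in the combined format as defined in Apache's documentation and counts 403 responses per client. The sample log lines are constructed, and the names parse_line and forbidden_by_client are hypothetical.

```python
import re
from collections import Counter

# Assumed format, Apache's documented "combined" definition:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines (documentation-range addresses), not taken from the article.
SAMPLE = [
    '192.0.2.10 - - [31/Oct/2022:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"',
    '198.51.100.7 - - [31/Oct/2022:10:15:40 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.85.0"',
    '198.51.100.7 - - [31/Oct/2022:10:15:41 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.85.0"',
    '198.51.100.7 - alice [31/Oct/2022:10:15:43 +0000] "GET /logo.png HTTP/1.1" 304 - "https://www.test.com/" "agent \\"quoted\\" name"',
    'not an access log line',
]

def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    # A malformed request line may not split into method, path and protocol.
    entry["method"], entry["path"] = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])  # %b logs "-" for 0 bytes
    return entry

def forbidden_by_client(lines):
    """Count 403 responses per client IP and report how many lines failed to parse."""
    counts, skipped = Counter(), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
        elif entry["status"] == 403:
            counts[entry["host"]] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = forbidden_by_client(SAMPLE)
    for host, n in counts.most_common():
        print(f"{host}: {n} forbidden responses")
    print(f"unparsed lines: {skipped}")
```

Lines that do not match are counted rather than silently dropped, so a changed LogFormat shows up as a rising unparsed count instead of missing data.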
You can also change the log format by specifying the value of the CustomLog directive in the Apache configuration file. In the snippet below, we change the log format to
After setting the CustomLog directive and restarting the Apache web server, you can see the access log now contains some important fields like timestamp, level of the message, process id, and a message:
If you wish to change the error log format, you can add an ErrorLogFormat directive in the Apache configuration file. The following snippet shows an example:
The following table shows some of the important fields in the error log:
Restarting the Apache web server service will show error messages like the following:
When you have multiple websites running on the same Apache web server, it’s best to set a separate log file location for each VirtualHost. This makes log management and error triage a lot easier. You can troubleshoot issues with a particular VirtualHost by searching through its log file only.
The snippet below shows how to set up a log file location for a VirtualHost in the Apache configuration file:
Here, we configure the VirtualHost www.test.com and specify a custom location for its access and error logs.
You can also override server-level log directives at the VirtualHost level. For example, if you set up a
warn at the overall Apache web server level, you can set a different LogLevel for a particular VirtualHost, as shown below:
With this configuration, the log level for www.test.com will be debug instead of the default
Log rotation is a log management technique in which log files older than a specified time or larger than a specific size are deleted, moved, renamed, or compressed. Without log rotation, the same log file continues to be used. Over time, your web server may run out of disk space. Also, since log files grow very large over time, this creates performance bottlenecks when reading from or writing to those log files.
You can use utilities like the Linux logrotate to configure log rotation for Apache web server. It’s also advisable to set proper log retention policies so older log files can be deleted or moved to a different location. In a production system with multiple Apache web servers running, it’s best to send all the logs to a central log management system.
Both CentOS and Ubuntu ship with the logrotate package. In order to set up Apache web server log rotation in RHEL-based systems, you can create a file called /etc/logrotate.d/httpd.conf with the following settings:
This configuration will rotate all files under the /var/log/httpd directory (in Debian-based systems like Ubuntu, change this to /var/log/apache2) every day. logrotate will rotate the log files in this directory when they reach 100MB in size and keep only the last seven rotated logs. All rotated log files will also be automatically compressed.
In Part One of our guide, we covered the basics of Apache web server logging. We looked at the two different types of log files, their locations, logging levels, and different log formats. We also covered how to configure some of these settings and rotate the log files.
Next, in Part Two of this guide, we’ll learn more advanced concepts like conditional logging, different logging modules, log file integrity monitoring, centralized log management, and log analysis.