Managing Logs in Apache | WebReference

Managing Logs in Apache

By Sukrit Dhandhania

Most distributions of Linux ship with a pretty well configured copy of the Apache web server. As far as the logging goes, the two log files that most Apache setups generate are access.log and error.log. You can also choose to add more logging for things like URL rewriting, or gzip compression. As these logs grow in size and number, they become harder to manage. Let's look at how to make logging more easily manageable in Apache.

Logging Directives

Before we get our hands dirty let us take a look at some of the Apache logging directives that are commonly used. These can be used to change the way logging works in Apache. The first directive is CustomLog. The CustomLog directive is used to set the log file name and its format. This directive is used to configure the access_log logs. Next comes LogFormat. This directive is used when you want to set the format for the access logs. LogLevel is the directive used to set the level of verbosity in the error logs.

Configure Logging

Configuring Apache logging to make it easier to manage can be done in several ways. The Apache configuration file, usually located at /etc/httpd/conf/httpd.conf, has a section that defines some basic logging in the default configuration file that ships with an Apache installation. The first thing to set is the LogLevel. This should generally be set to warn. You can set this to a higher level of verbosity on a development machine as you might want more information from the server. However, if you are running a production server you want to avoid creating too many logs as that will slow down the server.

Some of the other useful options for setting the level of logging are Emerg for emergencies, Crit for critical issues, Error to set it to error level, which is a little less verbose than warning level. The two most verbose options are Info and Debug. These write a lot of data, and can eat up space very quickly.

Next up is the LogFormat parameter. This is the directive used to set the format of the logs that are generated. You can set the user agent and other details of the log files. Note that you should avoid tweaking this unless you know what you are doing. This is especially the case if you plan to use a standard log file parsing tool to analyze your web server logs.

Configure Error Logs

As discussed earlier, there are two important logs created by default. The error log is one of them. This is the file where your web server writes all of the issues it encounters. This log can be a lifesaver when troubleshooting an issue with the server. The simplest way to configure the error log's parameter is to set it to something like this:

However, if you want to manage your logs in a smarter way, there are two things that you might want to use. The first is log rotation, and the other is setting up log file names to change on an hourly basis. The log rotation can be handled by a tool that ships with most Apache installations, called rotatelogs. You can find more information on its usage at the tool's website.

Setting up the logs to create hourly logs is a simple hack. For those familiar with the date command in Linux, the Apache configuration file understand and translate some of the date commands. It interprets %Y as year, %m as month, %d as date, and %H as the hour of the day. So if we use all these date strings together, like %Y-%m-%d-%H, we can trick the Apache error logs into writing to a new file every hour. The final error log's configuration would look something like this.

Access Logs

The other important log generated by Apache is the access log. This is the file where Apache logs information on every visitor and visit to the web server. This is extremely useful to track and monitor usage patterns, track malicious users, and basically keep an eye on proceedings. As your usage increases, so will the size of this file. So again, like the error file, it is a good idea to set the rotation policy we used for the error logs for the access logs as well. We use the same hourly rotation policy and setup the access logs to look something like this.

Here's what our final setup looks like. Make the modifications required for your setup. You might want to keep your logs some place other than /etc/httpd/logs/. You might also set the rotation to a daily basis rather than hourly if you don't generate too much traffic.

There's a lot of information and ideas in the Apache documentation on how to tweak your logging further. I suggest you go through some of it before tweaking the logging too much, especially if others are using the machine at hand.