Collect Logs for Apache
This procedure documents how to collect logs from Apache into Sumo Logic.
Log Types
Apache assumes the NCSA extended/combined log file format for Access logs and the default Apache error log file format for error logs.
For more details on custom log formats, see Apache Module mod_log_config.
Configure a Collector
Configure an Installed Collector.
Sumo Logic recommends that you install the collector on the same system that hosts the logs.
Configure a Source
- Configure a Local File Source.
- Configure the Source fields:
- Name. (Required) A name is required. Description is optional.
- File Path. (Required) Typically
/var/log/apache/access.log. - Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: prod/web/apache/access. For details see Best Practices.
- Configure the Advanced section:
- Enable Timestamp Parsing. True
- Time Zone. Logs are in UTC by default
- Timestamp Format. Auto Detect
- Click Save.
Field Extraction Rules
When creating an FER you have the option to select from a template for Apache Access Logs.
| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"
Sample Log Messages
38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
Query Samples
All HTTP response codes with their counts
_sourceCategory=apache | parse regex "^(?