
Collect Logs for Apache

This procedure documents how to collect logs from Apache into Sumo Logic.

Log types

The Sumo Logic Apache App assumes the NCSA extended/combined log file format for access logs and the default Apache error log file format for error logs. For details on custom log formats, see Apache Module mod_log_config.

Process overview

To configure log collection for the Apache App, you perform the following tasks:

  1. Change the Apache configuration file to configure the error log format.
  2. Install a Sumo Logic collector.
  3. Configure two local file sources, one for Apache access logs and the other for Apache error logs.

Step 1: Configure Apache error log format

Configuring the error log format allows you to specify the information that is logged in the error log, in addition to the actual log message.

To specify the format for error log entries, do the following:

  1. Open the Apache config file in an ASCII text editor. On most systems, if you installed Apache with a package manager or it came preinstalled, the Apache configuration file is located in one of the following locations: /etc/apache2/httpd.conf or /etc/apache2/apache2.conf.
  2. Configure the Apache error log format, as described in the Apache ErrorLogFormat documentation.
  3. Add the following lines to the configuration file:
     ErrorLogFormat connection "[%t] New connection: [connection: %{c}L] [client %a]"
     ErrorLogFormat request "[%t] New request: [connection: %{c}L] [request: %L] [pid %P] %F: %E: [client %a]"
     ErrorLogFormat "[%t] [%l] [C: %{c}L] [R: %L] [pid %P] %F: %E: [client %a] %M"
  4. Save the modified file and restart the Apache Web Server.

Step 2: Configure a collector

To configure a Sumo Logic collector, follow the instructions on the Installed Collector page.

Step 3: Configure two local file sources

This task shows you how to configure the following two local file sources:

  • Local file source for Apache Access Log
  • Local file source for Apache Error Log

To configure a local file source for Apache Access Log, do the following:

  1. Configure a Local File Source (for Apache Access Log).
  2. Configure the Source fields:
    1. Name. (Required) Description is optional.
    2. File Path. (Required) Typically /var/log/apache/access.log.
    3. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: prod/web/apache/access. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Logs are in UTC by default.
    3. Timestamp Format. Auto Detect
  4. Click Save.

To configure a local file source for Apache Error Log, do the following:

  1. Configure a Local File Source (for Apache Error Log).
  2. Configure the Source fields:
    1. Name. (Required) Description is optional.
    2. File Path. (Required) Typically /var/log/apache/error.log or /var/log/apache2/errorlog.
    3. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: prod/web/apache/error. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Logs are in UTC by default.
    3. Timestamp Format. Auto Detect
  4. Click Save.

Field extraction rules

When creating a Field Extraction Rule (FER), you have the option to select a template for Apache Access Logs. The template applies the following two parse expressions:

| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"

Sample log messages

38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"

Query samples

All HTTP response codes with their counts

_sourceCategory=apache
| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)" nodrop
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" nodrop
| count by status_code
| sort by _count
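As an added example (not part of the Sumo Logic page), the two field extraction regexes above are applied in Python to the sample log messages and the result is counted by status code, mirroring the query. The third input line, a timed-out client that logged a request line of "-", is constructed to show what the `nodrop` behaviour yields when the request regex cannot match: the line is kept with its request fields empty rather than being dropped.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The two FER expressions from the page, rewritten in Python's (?P<name>...) syntax.
SRC_IP_RE = re.compile(r"^(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
REQUEST_RE = re.compile(
    r"(?P<method>[A-Z]+)\s(?P<url>\S+)\sHTTP/[\d\.]+\"\s(?P<status_code>\d+)\s(?P<size>[\d-]+)"
    r"\s\"(?P<referrer>.*?)\"\s\"(?P<user_agent>.+?)\".*"
)

FIELDS = ["src_ip", "method", "url", "status_code", "size", "referrer", "user_agent"]


def parse_access_line(line: str) -> Dict[str, Optional[str]]:
    """Apply both expressions to one line with 'nodrop' semantics: a line that
    fails either match is kept, and the fields of the failed match stay None."""
    fields: Dict[str, Optional[str]] = {name: None for name in FIELDS}
    m = SRC_IP_RE.search(line)
    if m:
        fields.update(m.groupdict())
    m = REQUEST_RE.search(line)
    if m:
        fields.update(m.groupdict())
    return fields


def count_status_codes(lines: List[str]) -> Dict[Optional[str], int]:
    """Equivalent of '| count by status_code'; None collects the unmatched lines."""
    return dict(Counter(parse_access_line(line)["status_code"] for line in lines))


# Constructed sample input: the two lines shown on the page plus a constructed
# 408 entry for a client that sent no request line before timing out.
SAMPLE_LINES = [
    '38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"',
    '38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"',
    '10.0.0.7 - - [06/Jan/2017:15:44:01 +0000] "-" 408 - "-" "-"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_access_line(sample))
    print(count_status_codes(SAMPLE_LINES))
```

Lines that land in the None bucket are worth a look in their own right: they are the entries the access-log template cannot describe, and a rise in their count usually means a log format change or unusual client behaviour.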