Skip to main content
Sumo Logic

Collect Logs and Metrics for Apache

Collect Logs for Apache

This page provides instructions for configuring log and metric collection for the Sumo Logic App for Apache.

Collection Process Overview

Configuring log and metric collection for the Apache App includes the following tasks:

Step 1: Configure Fields in Sumo Logic

Create the following Fields in Sumo Logic prior to configuring collection. This ensures that your logs and metrics are tagged with relevant metadata, which is required by the app dashboards. For information on setting up fields, see the Fields help page.

If you are using Apache in a non-Kubernetes environment create the fields:

  • component
  • environment
  • webserver_system
  • webserver_farm

If you are using Apache in a Kubernetes environment create the fields:

  • pod_labels_component
  • pod_labels_environment
  • pod_labels_webserver_system
  • pod_labels_webserver_farm

Step 2: Configure Collection for Apache

Sumo Logic supports collection of logs and metrics data from Apache in both Kubernetes and non-Kubernetes environments. 

Please click on the appropriate links below based on the environment where your Apache farms are hosted. 

Sample Log Messages

For Kubernetes:

Access Logs:
"log":" - - [10/May/2021:07:07:44 +0000] \"GET / HTTP/1.1\" 200 45",
Error Logs:
"log":"[Tue May 04 10:54:25.460469 2021] [ssl:error] [pid 53] [client] AH02042: rejecting client initiated renegotiation",

For Non-Kubernetes

Access Logs: - - [26/Apr/2021:12:18:32 +0530] "GET /server-status HTTP/1.1" 404 196
Error Logs:
[Mon Apr 26 09:52:58.188858 2021] [core:notice] [pid 530] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Query Sample

This sample Query is from the Top 5 Clients Causing 4xx Errors panel of the Apache - Webserver Operations dashboard.

Query String:

webserver_system=apache webserver_farm=* HTTP (40* OR 41* OR 42* OR 43* OR 44* or 45* or 49*)
| json "log" nodrop | if (_raw matches "{*", log, _raw) as mesg
| parse regex field=mesg "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex field=mesg "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP\/[\d\.]+[\\n]*\"\s(?<status_code>\d+)\s(?<size>[\d-]+)" nodrop
| parse regex field=mesg "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP\/[\d\.]+[\\n]*\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" nodrop
| where status_code matches "4*"
| count as count by src_ip
| sort count, src_ip asc
| limit 5