Sumo Logic

Collect Logs for Apache

This procedure documents how to collect logs from Apache into Sumo Logic.

Log Types

This procedure assumes the NCSA extended/combined log file format for access logs and the default Apache error log file format for error logs.

For more details on custom log formats, see Apache Module mod_log_config.

Configure a Collector

Configure an Installed Collector

Sumo Logic recommends that you install the collector on the same system that hosts the logs. 

Configure a Source

  1. Configure a Local File Source.
  2. Configure the Source fields:
    1. Name. (Required) Description is optional.
    2. File Path. (Required) Typically /var/log/apache/access.log.
    3. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: prod/web/apache/access. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC
    3. Timestamp Format. Auto Detect
  4. Click Save.

Field Extraction Rules

When creating a Field Extraction Rule (FER), you can select the template for Apache Access Logs, which consists of the following parse expressions:

| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"

Sample Log Messages

38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"

Query Samples

All HTTP response codes with their counts

_sourceCategory=apache | parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)" nodrop | parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" nodrop | count by status_code | sort by _count
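The following Python script is an added illustration, not part of the Sumo Logic documentation: it applies the two template regexes from the Field Extraction Rules section to the sample messages above, emulates `parse regex ... nodrop` and `count by status_code | sort by _count`, and shows why `nodrop` matters, since a message whose request line is just `"-"` never matches the second regex and would otherwise vanish from the count. The 408 line and the second 404 line are constructed for the example, and the group-syntax rewrite is needed only because Python's `re` does not accept Sumo Logic's `(?<name>...)` form.

```python
import re
from collections import Counter

# The two Field Extraction Rule regexes from the Apache Access Logs template,
# exactly as Sumo Logic writes them, with (?<name>...) named groups.
FER_REGEXES = [
    r'^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})',
    r'(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*',
]

# The two sample messages from this page, plus two constructed lines: a 408 whose
# request line is just "-" (client sent nothing before the timeout) and a second 404.
SAMPLE_LOG = [
    '38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"',
    '38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"',
    '10.0.0.5 - - [06/Jan/2017:15:44:01 +0000] "-" 408 - "-" "-"',
    '10.0.0.5 - - [06/Jan/2017:15:44:09 +0000] "GET /missing.html HTTP/1.1" 404 498 "-" "curl/7.47.0"',
]

def sumo_regex(pattern: str) -> re.Pattern:
    """Compile a Sumo Logic parse regex under Python's re module: Sumo names groups
    (?<name>...), Python wants (?P<name>...); lookbehinds (?<= and (?<! are left alone."""
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern))

def parse_regex(record: dict, pattern: re.Pattern, nodrop: bool) -> bool:
    """Emulate `| parse regex "..." [nodrop]` on one message: matched groups are added
    to the record; a non-matching message is dropped (False) unless nodrop keeps it."""
    match = pattern.search(record["_raw"])
    if match:
        record.update(match.groupdict())
        return True
    return nodrop

def extract_fields(lines, nodrop=True):
    """Run every template regex over each message, in order."""
    patterns = [sumo_regex(p) for p in FER_REGEXES]
    records = []
    for raw in lines:
        record = {"_raw": raw}
        if all(parse_regex(record, p, nodrop) for p in patterns):
            records.append(record)
    return records

def count_by_status_code(lines, nodrop=True):
    """Emulate `| count by status_code | sort by _count` (descending); messages kept
    only thanks to nodrop have no status_code and are reported under ""."""
    counts = Counter(r.get("status_code", "") for r in extract_fields(lines, nodrop))
    return sorted(counts.items(), key=lambda item: -item[1])
```

Running `count_by_status_code(SAMPLE_LOG)` reports the 408 message under an empty status_code, which is the signal that a regex in the rule did not cover every request shape; without `nodrop` that message is silently absent.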