
Collect Logs for Apache

This procedure documents how to collect logs from Apache into Sumo Logic.

Log Types

The Apache integration assumes the NCSA extended/combined log file format for access logs and the default Apache error log file format for error logs.

For more details on custom log formats, see Apache Module mod_log_config.

Configure a Collector

Configure an Installed Collector

Sumo Logic recommends that you install the collector on the same system that hosts the logs. 

Configure a Source

  1. Configure a Local File Source.
  2. Configure the Source fields:
    1. Name. (Required) Enter a name for the Source. Description is optional.
    2. File Path. (Required) Typically /var/log/apache/access.log.
    3. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: prod/web/apache/access. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC
    3. Timestamp Format. Auto Detect
  4. Click Save.

Field Extraction Rules

When creating an FER you have the option to select from a template for Apache Access Logs.

| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*"

Sample Log Messages

38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"
38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"

Query Samples

All HTTP response codes with their counts

_sourceCategory=apache
| parse regex "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)" nodrop
| parse regex "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP/[\d\.]+\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" nodrop
| count by status_code
| sort by _count
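To check what the Field Extraction Rule template and the query above actually pull out of a line before relying on them in a search, here is an added example (not Sumo Logic's code) that applies the same three regexes with Python's re module and reproduces the count by status_code. It uses the two sample log messages above plus a constructed common-format line without referrer or user agent, which exercises the shorter fallback regex and the nodrop behaviour; the parse_access_line and count_by_status names are assumptions made for this example.

```python
import re
from collections import Counter

# Same regexes as the Apache FER template; Python names groups (?P<name>...) rather than (?<name>...).
IP_RE = re.compile(r"^(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# Full combined-format request: method, url, status, size, referrer, user agent.
COMBINED_RE = re.compile(
    r'(?P<method>[A-Z]+)\s(?P<url>\S+)\sHTTP/[\d.]+"\s(?P<status_code>\d+)\s'
    r'(?P<size>[\d-]+)\s"(?P<referrer>.*?)"\s"(?P<user_agent>.+?)".*'
)
# Shorter fallback from the query sample, for lines that carry no referrer/user agent.
REQUEST_RE = re.compile(
    r'(?P<method>[A-Z]+)\s(?P<url>\S+)\sHTTP/[\d.]+"\s(?P<status_code>\d+)\s(?P<size>[\d-]+)'
)

FIELDS = ("src_ip", "method", "url", "status_code", "size", "referrer", "user_agent")


def parse_access_line(line):
    """Extract fields like 'parse regex ... nodrop': a failed match leaves fields None, not dropped."""
    fields = dict.fromkeys(FIELDS)
    m = IP_RE.search(line)
    if m:
        fields.update(m.groupdict())
    # Prefer the combined-format match; fall back to the shorter request-only match.
    m = COMBINED_RE.search(line) or REQUEST_RE.search(line)
    if m:
        fields.update(m.groupdict())
    # Note: url, referrer and user_agent are client-supplied strings; treat them as untrusted input.
    return fields


def count_by_status(lines):
    """Equivalent of '| count by status_code' over the parsed lines."""
    return Counter(parse_access_line(line)["status_code"] for line in lines)


# Constructed sample: the two page log lines plus one common-format line (no referrer/user agent).
SAMPLE_LOGS = [
    '38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"',
    '38.99.50.98 - - [06/Jan/2017:15:43:56 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://sample.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36"',
    '10.0.0.5 - - [06/Jan/2017:15:44:01 +0000] "POST /login HTTP/1.1" 401 -',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(parse_access_line(entry))
    print(count_by_status(SAMPLE_LOGS))  # Counter({'200': 1, '404': 1, '401': 1})
```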

Sumo Logic App

Now that you have set up collection for Apache, install the Sumo Logic App for Apache to use the preconfigured searches and dashboards, which provide insight into website visitor behavior patterns, monitor server operations, and assist in troubleshooting issues that span entire web server farms.