Collect Logs for Apache Tomcat

This procedure documents how to collect logs from Apache Tomcat into Sumo Logic.

Log Types

The Sumo Logic App for Apache Tomcat uses three types of logs:

Configure a Collector

Configure a Hosted Collector.

Configure a Source

  1. Configure a Local File Source.
  2. Configure the Source fields:
    1. Name. (Required) A name is required. Description is optional.
    2. File Path. Typically /var/log/tomcat7
    3. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC
    3. Timestamp Format. Auto Detect
  4. Click Save.

Field Extraction Rules

Apache Tomcat Access Logs

| parse regex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}? )" 
| parse regex "\"(?<method>\D{1,7}? )" 
| parse regex "\"\D{1,7} (?<url>\S{1,2048}? )" 
| parse regex "\" (?<status>\d{3}? )" 
| parse regex "\" \d{3} (?<time_taken>\d{1,}? )" 
| parse regex "\" \d{3} \d{1,} (?<bytes_sent>\d{1,}?)"

Sample Log Messages

10.255.145.54 - - [11/Jan/2017:19:48:09 +0000] "POST /sample/post/v1/Document HTTP/1.1" 200 52080 "-" "Apache XYZ  2.7.10" 114 http-abc-8080-abc-170

10.171.131.162 - - [11/Jan/2017:19:48:09 +0000] "GET /this/is/a/urlgetList?_dc=14841645219073&objectUuid=&companyUuid=&showDistributionList=false&page=1&start=0&limit=25&sort=%5B%7B%22test%22%3A%22p.test%22%2C%22direction%22%3A%22ASC%22%7D%5D HTTP/1.1" 200 11111 "https://example.notarealhostname.com/Contracts/user.do?appUserUuid=7e12ac65-41b9-449b-b483-425a9e29a244" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" 280 http-nio-8080-exec-223

Query Sample

Response types

_sourceCategory=Tomcat/*
| parse regex "(?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<user>\S+)\s+(?<hostname>[\S]+)\s+\[" nodrop
| parse regex "(?<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<local_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?<user>\S+)\s+(?<hostname>[\S]+)\s+\[" nodrop
| parse regex "\s+\[(?<date>[^\]]+)\]\s+\"(?<method>\w+)\s+(?<uri>\S+)\s+(?<protocol>\S+)\"\s+(?<status_code>\d+)\s+(?<size>[\d-]+)" nodrop
| parse regex "\"\s+\d+\s+[\d-]+\s+(?<timetaken>[\d-]+)"
| if(status_code matches "2*", "successes", "Others") as status
| if(status_code matches "3*", "redirects", status) as status 
| if(status_code matches "4*", "client_errors", status) as status
| if(status_code matches "5*", "server_errors", status) as status
| count by status | sort by _count
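
The check below is an added example, not part of the Sumo Logic documentation: it runs the Query Sample's parse patterns in Python over constructed log lines to show which layouts survive the final parse step, the only one without nodrop. It assumes Python's re module treats these patterns like Sumo Logic's regex engine (named groups rewritten as (?P<name>...), the two-address variant omitted) and models matches "2*" as a prefix test; the function name evaluate and the sample lines are hypothetical.

```python
import re

# The Query Sample's patterns, with (?<name>...) rewritten as Python's (?P<name>...).
HEAD = re.compile(r'(?P<remote_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+(?P<user>\S+)\s+(?P<hostname>[\S]+)\s+\[')
REQUEST = re.compile(r'\s+\[(?P<date>[^\]]+)\]\s+"(?P<method>\w+)\s+(?P<uri>\S+)\s+(?P<protocol>\S+)"'
                     r'\s+(?P<status_code>\d+)\s+(?P<size>[\d-]+)')
# This is the only parse step in the query without nodrop.
TIME = re.compile(r'"\s+\d+\s+[\d-]+\s+(?P<timetaken>[\d-]+)')

CLASSES = (("2", "successes"), ("3", "redirects"), ("4", "client_errors"), ("5", "server_errors"))


def evaluate(line):
    """Return (kept, fields, status) for one raw message, approximating the query."""
    fields = {}
    for rx in (HEAD, REQUEST):          # nodrop: a miss leaves the fields unset
        m = rx.search(line)
        if m:
            fields.update(m.groupdict())
    m = TIME.search(line)
    if m is None:                       # no nodrop: the message leaves the result set
        return False, fields, None
    fields.update(m.groupdict())
    status = "Others"
    for prefix, name in CLASSES:        # mirrors the chained if(... matches "N*") lines
        if fields.get("status_code", "").startswith(prefix):
            status = name
    return True, fields, status


# Constructed lines. The first two put time taken right after the size; the third
# has the layout of the page's Sample Log Messages (referer and user agent first).
LINES = [
    '10.0.0.5 - - [11/Jan/2017:19:48:09 +0000] "GET /app/list HTTP/1.1" 200 52080 114',
    '10.0.0.6 - - [11/Jan/2017:19:48:10 +0000] "GET /missing HTTP/1.1" 404 - 3',
    '10.0.0.7 - - [11/Jan/2017:19:48:11 +0000] "POST /app/doc HTTP/1.1" 200 52080 "-" "ExampleAgent 1.0" 114 http-nio-8080-exec-1',
]

if __name__ == "__main__":
    for line in LINES:
        kept, fields, status = evaluate(line)
        print("kept" if kept else "DROPPED", status, fields.get("status_code"), fields.get("timetaken"))
```

The third line is dropped because the referer and user agent sit between the size and the time taken, so the last pattern never matches. Compare your own access log layout against the query before relying on the counts.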

Sumo Logic App

Now that you have set up collection for Apache Tomcat, install the Sumo Logic App for Apache Tomcat to use the preconfigured searches and dashboards that provide insight into website visitor behavior patterns, monitor server operations, and assist in troubleshooting issues that span entire web server farms.