Apache - Classic Collector

The Apache app is a unified logs and metrics app that helps you monitor the availability, performance, health, and resource utilization of Apache web server farms. Preconfigured dashboards and searches provide visibility into your environment for real-time or historical analysis: visitor locations, visitor access types, traffic patterns, errors, web server operations, resource utilization, and access from known malicious sources.

Log types and metrics

The Sumo Logic app for Apache assumes:

  • The NCSA extended/combined log file format has been configured for Apache access logs, and the default error log format has been configured for Apache error logs. For a list of metrics that are collected and used by the app, see Apache Metrics.

  • The Apache - Overview dashboard is based on both Apache logs and metrics.

  • Dashboards in the Metrics folder are based on Apache metrics alone.

  • Dashboards and searches in the Logs folder are based on Apache access and error logs.

Sample log messages

Access Logs
{
"timestamp":1620630466883,
"log":"192.168.29.177 - - [10/May/2021:07:07:44 +0000] \"GET / HTTP/1.1\" 200 45",
"stream":"stdout",
"time":"2021-05-10T07:07:44.649858568Z"
}
Error Logs
{
"timestamp":1620125665927,
"log":"[Tue May 04 10:54:25.460469 2021] [ssl:error] [pid 53] [client 192.168.85.135:52327] AH02042: rejecting client initiated renegotiation",
"stream":"stderr",
"time":"2021-05-04T10:54:25.460664201Z"
}

Sample queries

This sample query is from the Top 5 Clients Causing 4xx Errors panel of the Apache - Web server Operations dashboard.

Query String
webserver_system=apache webserver_farm=* HTTP (40* OR 41* OR 42* OR 43* OR 44* or 45* or 49*)
| json "log" nodrop | if (_raw matches "{*", log, _raw) as mesg
| parse regex field=mesg "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex field=mesg "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP\/[\d\.]+[\\n]*\"\s(?<status_code>\d+)\s(?<size>[\d-]+)" nodrop
| parse regex field=mesg "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP\/[\d\.]+[\\n]*\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" nodrop
| where status_code matches "4*"
| count as count by src_ip
| sort count, src_ip asc
| limit 5
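
The same extraction logic run outside Sumo Logic, as an added Python example (not part of the Sumo Logic app): it unwraps the JSON "log" field when present, applies the query's two regex steps, and returns the top clients causing 4xx responses. The helper names and the sample lines are constructed for illustration, and the sort order (count descending, then src_ip ascending) is an assumption about how the query's sort clause is evaluated.

```python
import json
import re
from collections import Counter

# Mirrors the query's "parse regex" steps: client IP at the start of the line,
# then method, URL, status code and size around the quoted request.
SRC_IP = re.compile(r"^(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
REQUEST = re.compile(
    r'(?P<method>[A-Z]+)\s(?P<url>\S+)\sHTTP/[\d.]+[\\n]*"\s'
    r'(?P<status_code>\d+)\s(?P<size>[\d-]+)'
)

def unwrap(raw):
    """Return the Apache line: the JSON "log" field for wrapped events, else the raw text."""
    if not raw.lstrip().startswith("{"):
        return raw
    try:
        log = json.loads(raw).get("log")
    except (ValueError, AttributeError):
        return raw
    return log if isinstance(log, str) else raw

def parse_access(raw):
    """Extract src_ip, method, url, status_code and size, or None if the line does not parse."""
    mesg = unwrap(raw)
    ip, req = SRC_IP.search(mesg), REQUEST.search(mesg)
    if not (ip and req):
        return None
    return {"src_ip": ip.group("src_ip"), **req.groupdict()}

def top_4xx_clients(lines, limit=5):
    """Count 4xx responses per client IP and return the top `limit` clients."""
    counts = Counter()
    for raw in lines:
        rec = parse_access(raw)
        if rec and rec["status_code"].startswith("4"):
            counts[rec["src_ip"]] += 1
    # Assumed ordering: highest count first, ties broken by src_ip ascending.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]

def k8s_event(line):
    """Wrap a line the way the sample access log message above is wrapped."""
    return json.dumps({"log": line, "stream": "stdout"})

# Constructed sample input using documentation-reserved IP ranges.
SAMPLE = [
    k8s_event('192.0.2.10 - - [10/May/2021:07:07:44 +0000] "GET / HTTP/1.1" 200 45'),
    k8s_event('192.0.2.10 - - [10/May/2021:07:07:45 +0000] "GET /admin HTTP/1.1" 403 199'),
    k8s_event('198.51.100.7 - - [10/May/2021:07:07:46 +0000] "GET /a HTTP/1.1" 404 196 "-" "curl/8.0"'),
    '198.51.100.7 - - [10/May/2021:07:07:47 +0000] "POST /login HTTP/1.1" 401 - "-" "curl/8.0"',
    '203.0.113.5 - - [10/May/2021:07:07:48 +0000] "GET /b HTTP/1.1" 500 530',
    "not an access log line",
]

if __name__ == "__main__":
    for src_ip, count in top_4xx_clients(SAMPLE):
        print(src_ip, count)
```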

Apache app Searches

The predefined searches in the Apache app are based on the Apache Access logs and Apache Error logs.

Searches based on Apache Access logs

  • Apache - All HTTP Response codes with their count
  • Apache - Client Errors (4xx response codes) per day
  • Apache - HTTP status code summary over time
  • Apache - Malicious URL requests
  • Apache - Robots
  • Apache - Slowest URLs by average time
  • Apache - Time taken to serve requests
  • Apache - Top 404 referrers
  • Apache - Top browsers
  • Apache - Top clients
  • Apache - Top clients causing errors responses
  • Apache - Top URLs by bytes served
  • Apache - Traffic volume and bytes served per day

Searches based on Apache Error logs

  • Apache - Critical log messages
  • Apache - Log Level counts
  • Apache - Server start and stop events
  • Apache - Server stops and starts over time
  • Apache - Top error reasons
  • Apache - Top files causing errors
  • Apache - Top Referrers causing errors

Collecting logs and metrics for Apache

Sumo Logic supports the collection of logs and metrics data from Apache in both Kubernetes and non-Kubernetes environments. Please click on the appropriate link below based on the environment where your Apache farms are hosted.

In Kubernetes environments, we use the Telegraf Operator, which is packaged with our Kubernetes collection. You can learn more about it here. The diagram below illustrates how data is collected from Apache in Kubernetes environments. In the architecture shown below, there are four services that make up the metric collection pipeline: Telegraf, Telegraf Operator, Prometheus, and Sumo Logic Distribution for OpenTelemetry Collector.

The first service in the pipeline is Telegraf. Telegraf collects metrics from Apache. Note that we’re running Telegraf in each pod we want to collect metrics from as a sidecar deployment, meaning, Telegraf runs in the same pod as the containers it monitors.

Telegraf uses the Apache input plugin to obtain metrics. For simplicity, the diagram doesn’t show the input plugins. The injection of the Telegraf sidecar container is done by the Telegraf Operator. Prometheus pulls metrics from Telegraf and sends them to Sumo Logic Distribution for OpenTelemetry Collector, which enriches metadata and sends metrics to Sumo Logic.

In the logs pipeline, Sumo Logic Distribution for OpenTelemetry Collector collects logs written to standard out and forwards them to another instance of Sumo Logic Distribution for OpenTelemetry Collector, which enriches metadata and sends logs to Sumo Logic.

Prerequisites

Ensure that you are monitoring your Kubernetes clusters with the Telegraf operator. If you're not, see these instructions to do so.

Configure metrics collection

Follow the steps below to collect metrics from a Kubernetes environment:

  1. Add configuration to enable metrics on Apache pods:
     configuration: |-
       ServerName localhost:8080
       <IfModule status_module>
         ExtendedStatus On
         <Location /server-status>
           SetHandler server-status
           # Access rule: permits every client to request /server-status
           order deny,allow
           allow from all
         </Location>
       </IfModule>
  2. Add annotations on your Apache pods:
     annotations:
       telegraf.influxdata.com/class: sumologic-prometheus
       prometheus.io/scrape: "true"
       prometheus.io/port: "9273"
       telegraf.influxdata.com/inputs: |+
         [[inputs.apache]]
           # Status endpoint scraped by the Telegraf sidecar; the host stays localhost
           urls = ["http://localhost:8080/server-status?auto"]
           [inputs.apache.tags]
             environment = "<prod_CHANGE_ME>"
             component = "webserver"
             webserver_system = "apache"
             webserver_farm = "<app1apacheeks_CHANGE_ME>"
  3. Enter values for the parameters marked in brackets (< >) above.

    • telegraf.influxdata.com/inputs: This contains the required configuration for the Telegraf Apache input plugin. Please refer to this doc for more information on configuring the Apache input plugin for Telegraf. Note: Because Telegraf runs as a sidecar, the host should always be localhost.
      • In the input plugins section:
        • urls: The URL to the Apache server.
      • In the tags section [inputs.apache.tags]:
        • environment: This is the deployment environment where the Apache webserver farm identified by the value of urls resides. For example: dev, prod, or qa. While this value is optional, we highly recommend setting it.
        • webserver_farm: Enter a name to uniquely identify this Apache webserver farm. This Apache webserver farm name will be shown in the Sumo Logic dashboards.
    warning
    Do not modify the following values

    Modifying these values will cause the Sumo Logic apps to function incorrectly.

    • telegraf.influxdata.com/class: sumologic-prometheus: Instructs the Telegraf operator on what output to use.
    • prometheus.io/scrape: "true": Ensures our Prometheus will scrape the metrics.
    • prometheus.io/port: "9273": Tells Prometheus what ports to scrape on.
    • telegraf.influxdata.com/inputs
      • In the tags section [inputs.apache.tags]:
        • component: "webserver": Used by Sumo Logic apps to identify application components.
        • webserver_system: "apache": Identifies the webserver system.
    • For more information on other parameters and properties that you can configure in the Telegraf agent globally, see Configuring_Telegraf.
    • For more information on configuring the Apache input plugin for Telegraf, see this doc.
  4. Sumo Logic Kubernetes collection will automatically start collecting metrics from the pods having the configuration and annotations defined in the previous step.

  5. Verify metrics in Sumo Logic by running the following metrics query:

webserver_farm=<your_apache_webserver_farmname> \
component="webserver" and webserver_system="apache"
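
A check for the access rule in the status configuration from step 1, as an added Python example (not Sumo Logic or Apache tooling): it classifies each <Location> block that uses the server-status handler as open, restricted, or unspecified. The function name and verdict labels are hypothetical, and the `Require local` sample is an assumed Apache 2.4 loopback-only variant, which still serves a Telegraf sidecar scraping http://localhost:8080.

```python
import re

LOCATION = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.I | re.S)

def audit_status_locations(conf):
    """Classify each <Location> block that uses the server-status handler.

    Returns (path, verdict) tuples where verdict is:
      "open"        - 'Allow from all' or 'Require all granted' is present
      "restricted"  - only narrower Allow/Require rules are present
      "unspecified" - no access rule in the block (inherits the enclosing scope)
    """
    findings = []
    for path, body in LOCATION.findall(conf):
        directives = []
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                # Apache directive names are case-insensitive.
                directives.append(line.lower().split())
        if ["sethandler", "server-status"] not in directives:
            continue
        rules = [d for d in directives if d[0] in ("allow", "require")]
        if any(d[1:] in (["from", "all"], ["all", "granted"]) for d in rules):
            verdict = "open"
        elif rules:
            verdict = "restricted"
        else:
            verdict = "unspecified"
        findings.append((path.strip('"'), verdict))
    return findings

# The configuration as given in step 1 of this page.
PAGE_CONFIG = """
ServerName localhost:8080
<IfModule status_module>
ExtendedStatus On
<Location /server-status>
Sethandler server-status
order deny,allow
allow from all
</Location>
</IfModule>
"""

# Assumed loopback-only variant (Apache 2.4 syntax), constructed for comparison.
LOOPBACK_ONLY = """
<Location /server-status>
SetHandler server-status
Require local
</Location>
"""

if __name__ == "__main__":
    print(audit_status_locations(PAGE_CONFIG))
    print(audit_status_locations(LOOPBACK_ONLY))
```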

Configure logs collection

This section explains the steps to collect Apache logs from a Kubernetes environment.

  1. Collect Apache logs written to standard output and standard error. If your Apache helm chart/pod is writing the logs to standard output or standard error then follow the steps listed below to collect the logs:

    1. On your Apache pods, add the following pod labels:
       environment: "<prod_CHANGE_ME>"
       component: "webserver"
       webserver_system: "apache"
       webserver_farm: "<app1apacheeks_CHANGE_ME>"
    2. Enter values for the parameters marked in brackets (< >) above.
      • environment: This is the deployment environment where the Apache webserver farm identified by the value of urls resides. For example: dev, prod, or qa. While this value is optional, we highly recommend setting it.
      • webserver_farm: Enter a name to identify this Apache webserver farm. This Apache webserver farm name will be shown in the Sumo Logic dashboards.
    warning
    Do not modify the following values

    Modifying these values will cause the Sumo Logic apps to function incorrectly.

    • component: "webserver": This value is used by Sumo Logic apps to identify application components.
    • webserver_system: "apache": This value identifies the webserver system.
    • For all other parameters that can be configured in the Telegraf agent globally, please see this doc.
    3. Make sure that the Apache pods are running and annotations are applied by using the command:
       kubectl describe pod <apache_pod_name>

    The Sumo Logic Kubernetes Collection process will automatically capture the logs from stdout/stderr and will send the logs to Sumo Logic. For more information on deploying the Sumo Logic-Kubernetes-Collection, please see this page.


  2. Use a Field Extraction Rule (FER) to normalize the fields in Kubernetes environments. Labels created in Kubernetes environments are automatically prefixed with pod_labels. To normalize these for our app to work, a Field Extraction Rule named AppObservabilityApacheWebserverFER is automatically created for Apache Web Server Application Components.


Installing the Apache app

To install the app, do the following:

note

Next-Gen App: To install or update the app, you must be an account administrator or a user with Manage Apps, Manage Monitors, Manage Fields, Manage Metric Rules, and Manage Collectors capabilities, depending on the content types that are part of the app.

  1. Select App Catalog.
  2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
  3. Click Install App.
    note

    Sometimes this button says Add Integration.

  4. Click Next in the Setup Data section.
  5. In the Configure section of your respective app, complete the following fields.
    1. Field Name. If you already have collectors and sources set up, select the configured metadata field name (e.g., _sourcecategory) or specify other custom metadata (e.g., _collector) along with its metadata Field Value.
    2. Is K8S deployment involved. Specify if resources being monitored are partially or fully deployed on Kubernetes (K8s).
  6. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query received since the panel was created. Results will not immediately be available but will be updated with full graphs and charts over time.

As part of the app installation process, the following fields will be created by default:

  • component
  • environment
  • webserver_system
  • webserver_farm

Additionally, if you're using Apache in the Kubernetes environment, the following additional fields will be created by default during the app installation process:

  • pod_labels_component
  • pod_labels_environment
  • pod_labels_webserver_system
  • pod_labels_webserver_farm

Viewing Apache dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
  • Most Next-Gen apps allow you to provide the scope at installation time. The scope consists of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Overview

The Apache - Overview Dashboard provides an at-a-glance view of the activity and health of the Apache web server farms and servers by monitoring uptime, requests, response, traffic, visitor geographic locations, and critical error messages.

Use this dashboard to:

  • Get an at-a-glance view of the state of all your Apache web servers.
  • Identify the top URLs causing errors.
  • Identify the top critical error messages.

Error log analysis

The Apache - Error Log Analysis dashboard provides a high-level view of error log levels, clients causing errors, critical error messages and trends.

Use this dashboard to:

  • Quickly identify critical errors affecting your Apache web servers.
  • Analyze types and patterns of log messages in your Apache web servers.
  • Identify clients causing the most errors.
  • Monitor trends in error logs and identify outliers.

Trends

The Apache - Trends dashboard provides trends around HTTP responses, server hits, visitor locations, traffic volume, and distribution.

Use this dashboard to:

  • Monitor trends and identify outliers.

Outlier Analysis

The Apache - Outlier Analysis dashboard helps you quickly identify outliers for key Apache metrics such as bytes served, number of visitors, server errors, and client errors.

Use this dashboard to:

  • Automatically detect outliers in the operations of your Apache web servers and take corrective actions if needed.

Threat Analysis

The Apache - Threat Intel dashboard provides an at-a-glance view of incoming threats to your Apache servers based on known malicious IP addresses.

Dashboard panels show threat counts, geographic locations, actors, threat severity, and URLs accessed.

Use this dashboard to:

  • Identify threats from incoming traffic based on incoming client IP addresses and discover potential IOCs.

Visitor Locations

The Apache - Visitor Locations dashboard provides a high-level view of Apache visitor geographic locations both worldwide and in the United States.

Use this dashboard to:

  • Get insights into the geographic locations of your user base.

Visitor Access Types

The Apache - Visitor Access Types dashboard provides insights into visitor platform types, browsers, device types, and operating systems.

Use this dashboard to:

  • Understand which platform and browsers are being used to access your applications.

Visitor Traffic Insight

The Apache - Visitor Traffic Insight dashboard provides summarized information on the top URLs, referrers, search terms, and media types served.

Use this dashboard to:

  • Understand the types of content that are frequently requested by users.

Web Server Operations

The Apache - Web Server Operations Dashboard provides an at-a-glance view of the operations of your Apache web servers. Dashboard panels show information on bots, geographic locations, errors and URLs.

Use this dashboard to:

  • Get insights into client locations, bots, and response codes.

Request State Analysis

The Apache - Request State Analysis dashboard shows trends around the state of incoming requests to your Apache web servers.

Use this dashboard to:

  • Monitor the state of requests being handled by worker threads over time and take remedial actions to optimize your web servers if needed.

Server Resource Utilization

The Apache - Server Resource Utilization dashboard shows the CPU resource utilization and load across threads and CPU of your Apache web servers.

Use this dashboard to:

  • Monitor CPU utilization and load on your Apache web servers.
  • Monitor the number of workers and idle threads.

Server Status

The Apache - Server Status dashboard shows information related to the state of your Apache server, including the number of requests served, the time taken to serve requests, and bytes served.

Use this dashboard to:

  • Monitor server uptime.
  • Monitor web server performance.

Create monitors for Apache app

From your App Catalog:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
  3. Make sure the app is installed.
  4. Navigate to the What's Included tab and scroll down to the Monitors section.
  5. Click Create next to the pre-configured monitors. In the create monitors window, adjust the trigger conditions and notifications settings based on your requirements.
  6. Scroll down to Monitor Details.
  7. Under Location click on New Folder.
    note

    By default, the monitor will be saved in the root folder. To make maintenance easier, create a new folder in the location of your choice.

  8. Enter Folder Name. Folder Description is optional.
    tip

    Using the app version in the folder name helps determine the versioning for future updates.

  9. Click Create. Once the folder is created, click on Save.

Apache alerts

Here are the alerts available for Apache.

| Alert Name | Alert Description | Alert Condition | Recover Condition |
|---|---|---|---|
| Apache - Critical Error Messages | This alert fires when we detect critical error messages for a given Apache server. | > 0 | 0 |
| Apache - Access from Highly Malicious Sources | This alert fires when an Apache server is accessed from highly malicious IP addresses. | > 0 | 0 |
| Apache - High Client (HTTP 4xx) Error Rate | This alert fires when there are too many HTTP requests (>5%) with a response status of 4xx. | > 0 | 0 |
| Apache - High Server (HTTP 5xx) Error Rate | This alert fires when there are too many HTTP requests (>5%) with a response status of 5xx. | > 0 | 0 |
| Apache - High CPU Utilization | This alert fires when the average CPU utilization within a 5-minute interval for an Apache Webserver farm instance is high (>= 85%). | >= 85 | < 85 |
| Apache - Server Restarted | This alert fires when we detect low uptime (<= 10 minutes) for a given Apache server within a 5-minute interval. | <= 600 | > 600 |

Apache Metrics

Here are the metrics available for Apache.

apache_BusyWorkers
apache_BytesPerReq
apache_BytesPerSec
apache_CPUChildrenSystem
apache_CPUChildrenUser
apache_CPULoad
apache_CPUSystem
apache_CPUUser
apache_DurationPerReq
apache_IdleWorkers
apache_Load1
apache_Load5
apache_Load15
apache_ParentServerConfigGeneration
apache_ParentServerMPMGeneration
apache_ReqPerSec
apache_ServerUptimeSeconds
apache_TotalAccesses
apache_TotalDuration
apache_TotalkBytes
apache_Uptime
apache_scboard_closing
apache_scboard_dnslookup
apache_scboard_finishing
apache_scboard_idle_cleanup
apache_scboard_keepalive
apache_scboard_logging
apache_scboard_open
apache_scboard_reading
apache_scboard_sending
apache_scboard_starting
apache_scboard_waiting

Copyright © 2025 by Sumo Logic, Inc.