Logging in Apache
By: Apress Publishing
    2005-05-12

    Table of Contents:
  • Logging in Apache
  • Security Issues of Log Files
  • Reading the Log Files
  • Remote Logging
  • Logging on a Remote Host
  • Advantages and Disadvantages of Logging on a Remote Machine
  • A Powerful, Hybrid Design
  • Room for Improvement


    Logging in Apache - Logging on a Remote Host
    (Page 5 of 8 )

    At this point, you may wonder why syslogd was proposed to perform remote logging, when the syslog() call offers no way to specify a remote server.

    The reason is simple: a program (Apache, for instance) always uses the normal Unix domain socket (/dev/log) to log its messages. The syslogd daemon can be configured so that it doesn’t store the received log messages in a local file, but sends them to another syslogd daemon running on the Internet and (obviously) listening on UDP port 514. Adding a line to the syslog.conf file does this:

    local0.info @remote_log_server.your_net.com

    This forwards all the requests marked with the local0 facility and the info log level to the remote_log_server.your_net.com host. You can see an example of this approach in Figure 3-2. Please note that here, as an example, the syslog daemon A doesn’t write any log files.


    Figure 3-2. Syslog’s structure for remote logging

    Testing syslogd

    The easiest way to test if your logging facility is working well is to use the logger utility (or the equivalent on your system). Suppose that you have an entry like this in the syslog.conf file:

    # Our testing bed
    local0.*                               /var/log/apache_book

    After modifying the /etc/syslog.conf file, remember to send a HUP signal to syslogd:

    [root@local_machine root]# killall -HUP syslogd

    Now, log a message using the logger utility, like this:

    [root@local_machine root]# logger -p local0.crit "Hello readers..."

    The /var/log/apache_book file will read like this:

    [root@local_machine root]# cat /var/log/apache_book
    Oct 6 19:35:31 localhost logger: Hello readers...

    Now, modify your syslog.conf in your local machine so that it contains:

    local0.*                             @remote_machine

    Also modify the syslog.conf in the host remote_machine so that it contains:

    local0.*                             /var/log/apache_book

    You need to run syslogd with the -r option on the remote machine. Running this command on the local machine:

    [root@local_machine root]# logger -p local0.crit "Hello readers..."

    will result in this message on the remote machine:

    [root@remote_machine root]# cat /var/log/apache_book
    Oct 6 19:35:31 local_machine logger: Hello readers...
    [root@remote_machine root]#

    It worked! All the logger command does is call syslog(); it doesn’t know what is going to happen to the message. It could be written to a log file, it could be sent to a remote server, or it could even be completely ignored. This is the beauty and the power of the syslogd daemon.
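The test message was logged at local0.crit, yet it is caught by both the local0.* line and the earlier local0.info line, because a selector names a minimum level and accepts anything at least that severe. The sketch below is an added illustration, not code from the book: it models only plain facility.level selectors plus `*` and `none`, and `pri()` returns the number carried as <PRI> at the front of a forwarded message. The sample configuration is constructed from lines shown on this page.

```python
# Syslog severities, most severe first; the index is the numeric severity.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              **{"local%d" % i: 16 + i for i in range(8)}}

def pri(priority):
    """Number sent as <PRI> at the start of a forwarded message."""
    facility, level = priority.split(".")
    return FACILITIES[facility] * 8 + LEVELS.index(level)

def line_matches(selectors, facility, level):
    """Apply the ';'-separated selectors of one syslog.conf line in order."""
    matched = False
    for selector in selectors.split(";"):
        facs, want = selector.split(".")
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue
        if want == "none":
            matched = False         # 'none' excludes the facility again
        elif want == "*" or LEVELS.index(level) <= LEVELS.index(want):
            matched = True          # named level or anything more severe
    return matched

def route(conf_text, priority):
    """Return the actions (file or @host) that would receive the message."""
    facility, level = priority.split(".")
    actions = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if line_matches(selectors, facility, level):
            actions.append(action)
    return actions

# Constructed sample, assembled from configuration lines used on this page.
SAMPLE_CONF = """
# Our testing bed
local0.info   @remote_log_server.your_net.com
local0.*      /var/log/apache_book
local7.*      /var/log/apache_error_log
local1.info   /var/log/apache_access_log
"""

if __name__ == "__main__":
    for p in ("local0.crit", "local0.debug", "local1.info"):
        print(p, pri(p), route(SAMPLE_CONF, p))
```

A local0.debug message reaches only the local0.* file, which is why a forwarding line written with .info silently drops debug output on its way to the remote host.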

    Apache Logging Using syslogd

    In this section, I will explain how to configure Apache so that it logs its error log and access log using syslogd.

    Logging error_log through syslogd

    From Apache 1.3, all you have to do is write syslog where the file name would be written in the httpd.conf file, like this:

    LogLevel notice
    ErrorLog syslog

    The log levels (listed in Table 3-1) are identical to the ones used by Apache in its error log.

    The syslog facility ID used by Apache by default is local7. Therefore, you need to add a line in the syslog.conf file like this:

    local7.*                          /var/log/apache_error_log

    You can set the facility in the httpd.conf file, writing this instead:

    LogLevel notice
    ErrorLog syslog:local0

    In this book, I will assume that your Apache uses the facility local7. You should tell syslogd that its configuration file has changed:

    [root@localhost root]# killall -HUP syslogd

    Restart your Apache daemon:

    [root@localhost root]# /usr/local/apache2/bin/apachectl restart

    If everything went well, you should see Apache’s log messages in /var/log/apache_error_log:

    [root@localhost root]# tail -f /var/log/apache_error_log
    Oct 6 20:30:53 localhost httpd[1837]: [notice] Digest: generating secret for digest authentication ...
    Oct 6 20:30:53 localhost httpd[1837]: [notice] Digest: done
    Oct 6 20:30:54 localhost httpd[1837]: [notice] Apache/2.0.40 (Unix) DAV/2 PHP/4.2.3 configured -- resuming normal operations

    It worked; Apache is now logging its errors through the syslogd daemon. Of course, if you want a remote host to actually store the messages, you have to change the file syslog.conf to:

    local7.*                          @remote_log_server.your_net.com

    You also need to restart your syslog daemon.

    The server remote_log_server should preferably be on your own network, and should be configured to store messages from facility local7 in a local file. Of course, the fact that a remote logging server is receiving the log entries is totally transparent to Apache. Remember that the syslogd daemon on remote_log_server must be started with the -r option.

    Logging access_log through syslog

    Configuring Apache’s access_log through syslog is less straightforward than doing the same for error_log. There is no syslog option for the access_log directive. The reason is that sending access log information to the syslog daemon isn’t something that many users would do, because syslogd is quite slow. If you get 10 requests a second, you might miss something important. Even so, it can be configured easily, even though Apache doesn’t support it directly. To do this, you can use a logging program that, instead of writing to a file, sends information to the syslog daemon.

    First of all, add the following line to your /etc/syslog.conf file:

    local1.info /var/log/apache_access_log

    Apache’s httpd.conf file should look like this:

    CustomLog "|/usr/bin/logger -p local1.info" common

    If your system doesn’t have a logger program, you should be able to find its equivalent quite easily.

    Now make syslog aware of the configuration changes and restart Apache:

    [root@localhost root]# killall -HUP syslogd
    [root@localhost root]# /usr/local/apache2/bin/apachectl restart

    Connect to your web server:

    [root@localhost root]# telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: me

    HTTP/1.1 200 OK
    [...]

    telnet> quit
    Connection closed.
    [root@localhost root]#

    The new apache_access_log file should have a log entry like this:

    [root@localhost root]# cat /var/log/apache_access_log
    Oct 6 21:38:16 localhost logger: 127.0.0.1 - - [06/Oct/2002:21:38:13 +0800] "GET / HTTP/1.1" 200 1018

    This log means that Apache is now logging its access log through syslog. Of course, you can easily change syslog’s configuration so that the access logs are redirected to a different machine, like this:

    local1.info @remote_log_server

    It is best to log all the access log messages with an info log level, so they are all of equal importance (unlike the log entries in Apache’s error log).
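Once access entries travel through logger, each line carries two layers: the syslog header (its own timestamp, the sending host, and the tag logger rather than httpd) and, after it, the common-format entry Apache wrote. The parser below is an added example, not code from the book, for a log server that collects local1.info from several web servers; the host name web2, the second and third sample lines, and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# syslogd's header (timestamp, sending host, tag) followed by the "common"
# format line that Apache piped into logger.
LINE = re.compile(
    r'^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<tag>[^\s:\[]+)(?:\[\d+\])?: '
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$')

def parse(line):
    """Return a dict for one syslog-wrapped access entry, or None if malformed."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        # Apache's own request time; the syslog header time stays in rec["stamp"].
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def summarize(lines):
    """Count requests per sending host; collect lines that do not parse."""
    per_host, rejected = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["tag"] != "logger":
            rejected.append(line)   # truncated, or not written by logger
        else:
            per_host[rec["host"]] += 1
    return per_host, rejected

# Constructed sample: the first entry is the one shown above, the rest are made up.
SAMPLE = [
    'Oct 6 21:38:16 localhost logger: 127.0.0.1 - - [06/Oct/2002:21:38:13 +0800] "GET / HTTP/1.1" 200 1018',
    'Oct 6 21:38:20 web2 logger: 192.0.2.7 - - [06/Oct/2002:21:38:19 +0800] "GET /a.html HTTP/1.1" 404 -',
    'Oct 6 21:38:21 web2 logger: 192.0.2.7 - - [06/Oct/2002:21:38',  # truncated line
]

if __name__ == "__main__":
    hosts, bad = summarize(SAMPLE)
    print(dict(hosts), len(bad))
```

Lines that land in the rejected list are worth keeping rather than discarding, since a truncated or oddly tagged entry on a central log host is itself a signal to investigate.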

    This article is taken from chapter three of the book Hardening Apache by Tony Mobily (Apress, 2004; ISBN: 1590593782).