Logging on a Remote Host - ApacheAdministrators need keep regular tabs on their Web servers to make they are running smoothly, so that their clients don't meet with any unpleasant surprises. Logging helps you to spot performance problems before they become an issue, and also assists in the detection of possible security concerns. This article will discuss configuring Apache for logging purposes, and will go into some detail about remote logging solutions. It is excerpted from Hardening Apache by Tony Mobily (Apress, 2004; ISBN: 1590593782).
print this article SEARCH DEV SHED |
At this point, you may wonder why syslogd was proposed to perform remote logging, when the syslog() call offers no way to specify a remote server. The reason is simple: a program (Apache, for instance) always uses the normal Unix domain socket (/dev/log) to log its messages. The syslogd daemon can be configured so that it doesn’t store the received log messages on a local file, but sends them to another syslogd daemon running on the Internet and (obviously) listening to the 514 UDP port. Adding a line in the syslog.conf file can do this: local0.info @remote_log_server.your_net.com This forwards all the requests marked with the local0 facility and the info log level to the remote_log_server.your_net.com host. You can see an example of this approach in Figure 3-2. Please note that here, as an example, the syslog daemon A doesn’t write any log files.
Testing syslogd The easiest way to test if your logging facility is working well is to use the logger utility (or the equivalent on your system). Suppose that you have an entry like this in the syslogd.conf file: # Our testing bed After modifying the file /etc/syslogd.conf file, remember to send a HUP signal to syslogd: [root@local_machine root]# killall -HUP syslogd Now, log a message using the logger utility, like this: [root@local_machine root]# logger -p local0.crit "Hello readers..." The /var/log/apache_book file will read like this: [root@local_machine root]# cat /var/log/apache_book Now, modify your syslog.conf in your local machine so that it contains: local0.* @remote_machine Also modify the syslog.conf in the host remote_machine so that it contains: local0.* /var/log/apache_book You need to run syslogd with the -r option on the remote machine. Running this command on the local machine: [root@local_machine root]# logger -p local0.crit “Hello readers...”will result in this message on the remote machine: [root@remote_machine root]# cat /var/log/apache_book It worked! All the logger command does is call syslogd(); it doesn’t know what is going to happen to the message. It could be written to a log file, it could be sent to a remote server, or it could even be completely ignored. This is the beauty and the power of the syslogd daemon. Apache Logging Using syslogdIn this section, I will explain how to configure Apache so that it logs its error log and access log using syslogd. Logging error_log through syslogd From Apache 1.3, all you have to do is write syslog where the file name would be written in the httpd.conf file, like this: LogLevel notice The log levels (listed in Table 3-1) are identical to the ones used by Apache in its error log. The syslog facility ID used by Apache by default is local7. Therefore, you need to add a line in the syslog.conf file like this: local7.* /var/log/apache_error_log You can set the facility in the httpd.conf file, writing this instead: LogLevel notice In this book, I will assume that your Apache uses the facility local7. You should tell syslogd that its configuration file has changed: [root@localhost root]# killall -HUP syslogd Restart your Apache daemon: [root@localhost root]# /usr/local/apache2/bin/apachectl restart If everything went well, you should see Apache’s log messages in /var/log/apache_error_log: [root@localhost root]# tail -f /var/log/apache_error_log It worked; Apache is now logging its errors through the syslogd daemon. Of course, if you want a remote host to actually store the messages, you have to change the file syslogd.conf to: local7.* You also need to restart your syslog daemon. The server @remote_log_server should preferably be on your own network, and should be configured to store messages from facility local7 on a local file. Of course, the fact that a remote logging server would be receiving the log entries would be totally transparent to Apache. Remember that the syslogd daemon on the server remote_log_server must be started with the -r option. Logging access_log through syslog Configuring Apache’s access_log through syslog is less straightforward than doing the same operation with error_log. There is no syslog option for the access_log directive. The reason behind this is that sending access log information to the syslog daemon isn’t something that many users would do, because syslogd is quite slow. If you get 10 requests a second, you might miss something important. Furthermore, it can be configured easily, even if Apache doesn’t support it directly. To do this, you can use a logging program that, instead of writing on a file, sends information to the syslog daemon. First of all, add the following line to your /etc/syslog.conf file: local1.info /var/log/apache_access_log Apache’s httpd.conf file should look like this: CustomLog "|/usr/bin/logger -p local1.info" common If your system doesn’t have a logger program, you should be able to find its equivalent quite easily. Now, restart Apache and to make syslog aware of the configuration changes: [root@localhost root]# killall -HUP syslogd Connect to your web server: [root@localhost root]# telnet localhost 80 HTTP/1.1 200 OK telnet> quit The new apache_access_log file should have a log entry like this: [root@localhost root]# cat /var/log/apache_access_log This log means that Apache is now logging its access log through syslog. Of course, you can easily change syslog’s configuration so that the access logs are redirected to a different machine, like this: local1.info @remote_log_server It is best to log all the access log messages with an info log level, so they are all of equal importance (unlike the log entries in Apache’s error log).
blog comments powered by Disqus |
|
|
|
|
|
|
|
/ 21 
