Forward traffic logs from Apache Web Server to a SIEM for long-term storage, compliance, audit, reporting, or legal reasons.
To complete Log Collection for your Apache Web Server, you will need to complete the Linux System Log Collection process first. Once you’ve completed that step, you can proceed on this page.
If you have a special logging configuration for your Apache Web Server, you may need to tweak the following configuration. If you need help, you can send your active Apache configuration to [email protected], and we’ll make sure you get the correct configuration.
Configuring Apache Web Server Logs
1) Check Your Apache Config
As mentioned above, the following content expects that you will be logging to /var/log/apache2/access.log and /var/log/apache2/error.log with appropriate log cycling – the Apache default. If you have set this up in a different way through your vhosts or site configuration, replace the paths in the later steps with those details.
Generally for default/not heavily modified configurations we would expect to see something like:
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
2) Ensure Spool Exists
Rsyslog must spool the data for Apache into a working directory. Because the Linux System Log Collection step, which uses the same directory, should already be complete, this is rarely an issue. However, to avoid potential logging failures, run the following command to ensure that the working directory used in the configuration below exists:
sudo ls /var/spool/rsyslog
If for some reason you receive a "No such file or directory" error, run the following commands (on Ubuntu the directory is also handed to the syslog user and adm group, which is what rsyslog drops to):
sudo mkdir -v /var/spool/rsyslog
if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
    sudo chown -R syslog:adm /var/spool/rsyslog
fi
3) Add the Rsyslog Config File
Open or create the new Blumira Apache log configuration file:
sudo vim /etc/rsyslog.d/25-apache.conf
You can also use nano, emacs, or your preferred text editor. The file just needs to be located at /etc/rsyslog.d/25-apache.conf.
Copy and paste the following content into the file:
# Prep
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog

# Apache Access File:
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Apache Error File:
$InputFileName /var/log/apache2/error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Tag, Forward to BLUNIX System Logger then Stop
if $programname == 'apache-access' then stop
if $programname == 'apache-error' then stop
As mentioned above, you can change the paths of the Access and Error file if they are located at a different path on your system.
4) Restart the Rsyslog Service
Restart the rsyslog service to start processing Apache data via the new configuration.
sudo /etc/init.d/rsyslog restart
or
sudo service rsyslog restart
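A pre-flight check for the configuration above, added here as an example and not Blumira's own tooling: it pulls the $WorkDirectory and $InputFileName paths out of the conf file and confirms that the spool directory exists and that each log is readable by the group rsyslog drops to, because with $PrivDropToGroup adm a log file that group cannot read is simply not forwarded and nothing arrives at the SIEM to tell you so. The function names, the script name and the default group are assumptions; it needs GNU stat (Linux).

```sh
#!/bin/sh
# Pre-flight checks for the imfile setup above (added example, not Blumira's code).
# rsyslog drops privileges to group adm ($PrivDropToGroup adm), so a log it cannot
# read as that group is never forwarded. Run before or after restarting rsyslog.

# Print every path named by a $InputFileName directive in a legacy-syntax conf file.
monitored_files() {
    awk '$1 == "$InputFileName" { print $2 }' "$1"
}

# Return 0 if FILE ($1) is readable by members of GROUP ($2): either world-readable
# or group-owned by GROUP with the group read bit set. Uses GNU stat.
readable_by_group() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%A' "$1")                     # e.g. -rw-r-----
    case $perms in ???????r*) return 0 ;; esac     # "other" read bit set
    [ "$(stat -c '%G' "$1")" = "$2" ] || return 1
    case $perms in ????r*) return 0 ;; esac        # group read bit set
    return 1
}

# Check CONF ($1) against the group rsyslog drops to ($2, default adm): the
# $WorkDirectory spool must exist and every monitored file must be readable.
# Prints one line per problem; returns 0 only when everything passes.
preflight() {
    conf=$1; group=${2:-adm}; rc=0
    spool=$(awk '$1 == "$WorkDirectory" { print $2 }' "$conf")
    if [ ! -d "$spool" ]; then
        echo "spool directory missing: '$spool' (see Ensure Spool Exists)"; rc=1
    fi
    for f in $(monitored_files "$conf"); do
        if ! readable_by_group "$f" "$group"; then
            echo "not readable by group $group: $f"; rc=1
        fi
    done
    return $rc
}

# Ask rsyslog itself to validate the file when it is installed (-N1 = check only).
syntax_ok() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not found, skipping"; return 0; }
    rsyslogd -N1 -f "$1"
}

# Usage: sh preflight.sh /etc/rsyslog.d/25-apache.conf [group]
if [ "$#" -gt 0 ]; then
    preflight "$@" && syntax_ok "$1"
fi
```

A non-zero exit with a "not readable by group adm" line usually means the Apache log files are owned root:root with mode 640, so fix their group (or the $PrivDropToGroup value) before trusting the forward.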