Return to

39. Apache HTTP Server

The Apache HTTP Server provides very comprehensive and flexible logging capabilities. A brief overview is provided in the following sections; see the Log Files section of the Apache HTTP Server Documentation for more detailed information about configuring logging.

39.1. Error Log

Apache error logging is controlled by the ErrorLog, ErrorLogFormat, and LogLevel directives. The error log can be parsed by NXLog with a regular expression.

Example 193. Using the Apache Error Log

The following directives enable error logging of all messages at or above the "informational" severity level, in the specified format, to the specified file. The ErrorLogFormat defined below is equivalent to the default (which includes the timestamp, the module producing the message, the event severity, the process ID, the thread ID, the client address, and the detailed error message).

LogLevel info
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] [client %a] %M"
ErrorLog /var/log/apache2/error.log

Following is a typical log message generated by the Apache HTTP Server, an NXLog configuration for parsing it, and the resulting JSON.

Log Sample
[Tue Aug 01 07:17:44.496832 2017] [core:info] [pid 15019:tid 140080326108928] [client] AH00128: File does not exist: /var/www/html/notafile.html
nxlog.conf [Download file]
<Input apache_error>
    Module  im_file
    File    '/var/log/apache2/error.log'
        if $raw_event =~ /(?x)^\[\S+\ ([^\]]+)\]\ \[(\S+):(\S+)\]\ \[pid\ (\d+):
                          tid\ (\d+)\]\ (\[client\ (\S+)\]\ )?(.+)$/
            $EventTime = parsedate($1);
            $ApacheModule = $2;
            $ApacheLogLevel = $3;
            $ApachePID = $4;
            $ApacheTID = $5;
            if $7 != '' $ClientAddress = $7;
            $Message = $8;
Output Sample
  "EventReceivedTime": "2017-08-01T07:17:45.641190+02:00",
  "SourceModuleName": "apache_error",
  "SourceModuleType": "im_file",
  "EventTime": "2017-08-01T07:17:44.496832+02:00",
  "ApacheModule": "core",
  "ApacheLogLevel": "info",
  "ApachePID": "15019",
  "ApacheTID": "140080317716224",
  "ClientAddress": "",
  "Message": "AH00128: File does not exist: /var/www/html/notafile.html"

39.2. Access Log

The access log file and format are configured with the LogFormat and CustomLog directives. The LogFormat directive is used to define a format, while the CustomLog directive configures logging to a specified file in one of the defined formats. Multiple CustomLog directives can be used to enable logging to multiple files.

There are several options for handling logging when using virtual hosts. The examples below, when specified in the main server context (not in a <VirtualHost> section), will log all requests exactly as with a single-host server. The %v format string can be added, if desired, to log the name of the virtual server responding to the request. Alternatively, the CustomLog directive can be specified inside a <VirtualHost> section, and in this case only the requests served by that virtual server will be logged to the file.

Pre-defined format strings for the Common Log and Combined Log Formats may be included by default. These pre-defined formats may use %O (the total sent including headers) instead of the standard %b (the size of the requested file) in order to allow detection of partial requests.
Example 194. Using the Common Log Format for the Access Log

The LogFormat directive below creates a format named common that corresponds to the Common Log Format. The second directive configures the Apache HTTP Server to write entries to the access_log file in the common format.

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/apache2/access_log common
Example 195. Using the Combined Log Format for the Access Log

The following directives will configure the Apache HTTP Server to write entries to the access_log file in the Combined Log Format.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/apache2/access_log combined

NXLog configuration examples for parsing these access log formats can be found in the Common & Combined Log Formats section.