# Apache Server Log Management and Analysis

Gain Deep Insights into your Apache HTTPD Access Logs and Error Logs


Apache is an easy-to-use, lightweight, open-source HTTP web server that supports 50% of active sites.

As Apache performs its functions, it writes into a designated log directory to provide feedback about the activity and performance of the server. This feedback is crucial to the health of your web server.

However, in an environment with many running Apache servers, it can be difficult to catch important feedback as it gets lost in a sea of log files. That’s why Sumo Logic has created a tool to take in Apache logs and provide helpful insights about the web server via easy-to-understand visual dashboards. And it’s all powered by our cloud-native log management service.

## Apache Access and Error Log Types

Apache writes out two main types of logs: Apache access logs and Apache error logs. Both log types contain valuable information about how customers interact with your websites and web applications, as well as what errors and issues occur within your application environments. They also provide detailed information such as visitor behavior, referrers, accessed/requested content, and status codes. Finally, they offer the kind of information required for troubleshooting errors and other issues within your application environments.

## Why Analyze Apache Logs?

Apache access and error logs contain a wealth of actionable insights about potential server configuration and web application issues that can help you decide how to optimize your websites and web applications. You can use the information stored in Apache logs to determine the root cause of failures, trace customer session activity, distinguish good bots from bad ones, and identify performance bottlenecks within your application environment.

Unfortunately, making sense of your Apache logs can be a challenge.

Apache log events are fairly easy to read because they’re well-structured and aren’t lengthy. However, “easy to read” and “easy to understand” are two completely different things. For someone unfamiliar with web server logs, understanding what each space-delimited value actually represents can be confusing, especially because none of the values displayed in the message includes a descriptor. The first step to making sense of your Apache data, then, is being able to parse these messages.

Things become even more difficult when you add servers to your infrastructure. The noise and number of messages and transactions made between users, other systems, and your application web server will grow over time as your apps and services grow in popularity. This heightened noise can be overwhelming and make it challenging to understand what’s actually happening within your log files, leaving critical activity unnoticed. Often, the information is hidden within millions of log message lines.

## Evaluating an Apache Log Analysis Tool

It goes without saying: Since your Apache web server is so central to your application, your Apache web logs are full of essential information for understanding the performance of your application.

An Apache log analysis tool relies on five key types of data:

1. Page Hits: There is nothing more essential than understanding how many people visit your application. You can count the number of page hits by user, URL, IP, and even geographic location.
2. Bytes Delivered: Apache logs should also tell you how many bytes were delivered with each page hit. This allows you to understand where your traffic is going — to whom and to where.
3. Response Time: These logs also will tell you how long each page took to deliver. This can tell you if certain pages are slower than others, certain geographic locations are slower, and more.
4. HTTP Errors: One of the most important metrics in your logs is how many page hits are successful (200), try to access content that doesn’t exist (404), and experience application failures (500). Usually, 404 and 500 errors forewarn more serious errors under the surface, and they are essential to understanding application performance.
5. Web Server: Depending on how your application is built, web logs usually will tell you which web server is delivering the content. This is essential to understanding whether your application traffic is being properly distributed.

When choosing analytics software for your Apache stack, keep this base set of requirements in mind:

• Elastic scalability
• Transaction analytics
• Correlation across the entire application stack
• Pre-built Apache-specific dashboards, searches and alerts

With that in mind, here are five key questions to ask when choosing an Apache Log Analysis tool:

1. How quickly can you set it up? Your time is valuable. Don’t waste it on setting up complicated tools. You should be able to set up in a matter of hours with pre-built parsing, queries and dashboards to drive quick time-to-value.
2. Does it understand your Apache logs? You have a deep understanding of Apache Web Server; however, you may not be familiar with the structure and information contained in your log files. Apache log analysis tools should be able to parse and ingest your log files with minimal intervention on your part.
3. How will you visualize the data? To uncover the insights in the data, visualization is critical. Apache log analysis tools should help you identify trends and provide service-level visibility to management.
4. Can you dive into the data? Visualizations help you gain an overview of the situation. They are complemented by the ability to query large volumes of data quickly to understand where the problem lies so that you can troubleshoot more effectively. Outlier detection can help you quickly identify deviations, and if done right, they can minimize false alarms. Predictive analysis can provide an early warning system to potential problems such as security threats.
5. How is the tool delivered? SaaS-based tools that are built for the cloud can help you get value more quickly because there is no need to set up supporting infrastructure. There is minimal ongoing maintenance on your side and you have immediate access to updates. Most importantly for Apache log analysis tools, you will need to support fluctuating volumes of log data. A SaaS service can support this elastic requirement without over-provisioning and its associated costs.

## Solutions for High Volume and High Complexity

To find issues that may require closer attention, explore the capabilities of a SaaS analytics service like Sumo Logic, which uncovers insights that are easily overlooked by the human eye and difficult to find via basic logging.

Using an Apache log parser, Sumo Logic extracts only the values that are of interest, such as:

• Pageviews
• User names
• Geographic location of users
• 404 and 500 errors

This makes it possible to aggregate, visualize, and analyze the data, which Sumo Logic facilitates through prebuilt searches and dashboards for real-time and historical access. The robust capabilities within Sumo Logic make it possible to:

• Centralize your logs for aggregation and correlation activities
• Search across and analyze all logs in your infrastructure stack with robust search and advanced analytics capabilities
• Monitor and detect trends in system events, user activity and more
• Visualize trends and detect anomalies and patterns
• Alert key stakeholders of critical or abnormal system activity or user behavior

Sumo Logic allows you to analyze system-critical errors, status code errors, and multiple servers so you can optimize the performance of your web applications. Optimizing experiences and defining future requirements based on usage and geo-location trends becomes easy with a cloud-native tool like Sumo Logic.

### Custom Analytics Dashboards

Sumo Logic offers highly-customizable dashboards that let you:

• Slice and dice the logs to provide meaningful insights of how the Apache web server is performing.
• Let developers and operations teams proactively catch issues without losing sleep.
• Find patterns to isolate and troubleshoot issues.

## Analyzing Apache Access Logs with Sumo Logic

Apache access logs provide vital information about the requests the web server is serving. These logs are crucial to understanding the types of requests coming in, based on IP address, referrer, user agent (browser/operating system/device), request path, date/time, etc.

The access logs can be configured to write log data in various formats, such as common log format, combined log format, multiple access logs, and conditional formatting. To learn more about the various access log formats, visit Apache Logs at Apache Project – Log Files.

With Sumo Logic, it’s never been easier to monitor your Apache configuration in real-time and deliver a flawless user experience using your Apache web server. Sumo Logic’s built-in Apache App can:

• Ingest access logs and parse them, to provide a visual dashboard for your entire Apache server.
• Set up in seconds and connect to all the collector data sources.
• Visualize data for:
  • Visitor locations
  • Malicious URL requests
  • Visitor access platforms
  • Devices, browsers, and operating systems
  • Multiple Apache servers
  • Locations, media types served, top bots, top error types, and slowest URLs, among many others.

Sumo Logic has a built-in Apache access logs parser that can be applied to quickly analyze and visualize your logs without bothering to write regex to parse access logs.

• In the Search interface you can type any keyword (or * wildcard).
• Pipe the results through the Apache parser with `| parse using public/apache/access`.
• Finally, extend queries using operators like where and sort:

```
_sourceName=*access_log* AND _sourceCategory=*apache*
| parse using public/apache/access
| where status_code matches "4*"
| timeslice by 1d
| count by _timeslice
```
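
As an added example (not Sumo Logic's parser and not code from this page), the Python sketch below names each space-delimited field of a Combined Log Format line and reproduces the daily 4xx count from the query above. Apart from `status_code`, the field names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED = re.compile(
    r'(?P<src_ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status_code>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referrer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)")?$'
)

def parse_access(line):
    """Return a dict of named fields, or None if the line does not match."""
    m = COMBINED.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status_code"] = int(rec["status_code"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    # The request line is "METHOD URL PROTOCOL"; clients can send garbage here.
    parts = rec["request"].split(" ")
    rec["method"], rec["url"] = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
    return rec

def client_errors_per_day(lines):
    """Count 4xx responses per day (log's own UTC offset) and unparsed lines."""
    per_day, skipped = Counter(), 0
    for line in lines:
        rec = parse_access(line)
        if rec is None:
            skipped += 1
        elif 400 <= rec["status_code"] < 500:
            per_day[rec["time"].date().isoformat()] += 1
    return dict(per_day), skipped

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.23 - alice [10/Oct/2023:14:01:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:14:01:05 +0000] "GET /missing.php HTTP/1.1" 404 - "-" "curl/8.0"',
    '203.0.113.7 - - [11/Oct/2023:09:12:44 +0000] "POST /login HTTP/1.1" 401 128 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Oct/2023:09:13:00 +0000] "\\x16\\x03\\x01" 400 226 "-" "-"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    print(client_errors_per_day(SAMPLE))
```

Counting the lines that fail to parse matters as much as the totals: a rising skip count usually means the LogFormat changed or the input is not an access log at all.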

### Managing Apache Access Logs with Sumo Logic

If you are looking to perform log management on your Apache Access logs to gain insight into user behavior and performance, there are two options:

• If the Collector is installed on the host machine where Apache is running (recommended), configure a series of Local File Sources to collect each of the files.
• To configure your Apache Server to log to a Syslog Source (syslog receiver), Sumo Logic recommends that you first consult your Apache documentation and read this document from O’Reilly Press.

Apache does not readily log to syslog by default and the configuration may be rather complex. As such, Sumo Logic recommends that you collect your Apache logs via a locally-installed Collector unless you have a strong business or technical reason not to do so.

## Analyzing Apache Error Logs with Sumo Logic

Apache error logs provide detailed operational data about the Apache web server, like start and stop of server, diagnostic information on issues with processing certain requests that are being sent over, and more. Using these logs, you can match error codes with corresponding requests.

Sumo Logic’s Apache App can:

• Ingest error logs and parse them to provide a visual dashboard to your entire Apache web server.
  • Server starts and stops over time
  • Latest start and stop, top error requests, and many others.
• Ingest log data from one or multiple Apache web servers.

Sumo Logic has a built-in Apache error logs parser that can be applied to quickly analyze and visualize your logs without bothering to write regex to parse error logs:

• In the Search interface you can type any keyword (or * wildcard) you would like to be searched.
• Pipe the results through the Apache parser with `| parse using public/apache/error`.
• Finally, extend queries using operators like where and sort:

```
(error OR fail*) AND exception
| parse using public/apache/error
| sort by log_level
```

To learn more on analyzing Apache error logs with Sumo Logic, see our Parsing Apache Logs documentation.
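
As an added example (not Sumo Logic's parser and not code from this page), the Python sketch below parses error log lines and orders them by `log_level`, as the query above does. It assumes the default error log layout of Apache httpd 2.4 and ranks levels by severity rather than alphabetically; field names other than `log_level` are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Apache 2.4 default error log layout (assumed):
#   [timestamp] [module:level] [pid N:tid N] [client ip:port] message
ERROR_LINE = re.compile(
    r'\[(?P<time>[^\]]+)\] \[(?P<module>[\w.-]*):(?P<log_level>\w+)\] '
    r'\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] '
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<message>.*)$'
)

# LogLevel names, most severe first; trace1..trace8 and unknowns rank last.
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]
SEVERITY = {name: rank for rank, name in enumerate(LEVELS)}

def parse_error(line):
    """Return named fields plus a numeric severity, or None if unparseable."""
    m = ERROR_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = SEVERITY.get(rec["log_level"], len(LEVELS))
    return rec

def most_severe_first(lines):
    """Parsed records ordered by severity; ties keep their log order."""
    recs = [r for r in map(parse_error, lines) if r is not None]
    return sorted(recs, key=lambda r: r["severity"])

def count_by_level(lines):
    """Number of parsed records per log level."""
    return dict(Counter(r["log_level"] for r in most_severe_first(lines)))

# Constructed sample lines (documentation IP ranges), not real server output.
SAMPLE = [
    "[Tue Oct 10 14:01:05.123456 2023] [core:info] [pid 4120:tid 139871] "
    "[client 198.51.100.23:51544] File does not exist: /var/www/html/missing.php",
    "[Tue Oct 10 14:02:11.000201 2023] [mpm_event:notice] [pid 4100:tid 139870] "
    "resuming normal operations",
    "[Tue Oct 10 14:03:40.551002 2023] [proxy_fcgi:error] [pid 4121:tid 139872] "
    "[client 203.0.113.7:40112] PHP message: Uncaught Exception in /var/www/html/login.php",
    "[Tue Oct 10 14:05:00.000000 2023] [ssl:warn] [pid 4100] "
    "server certificate does NOT include an ID which matches the server name",
    "[Tue Oct 10 14:06:09.300000 2023] [core:crit] [pid 4100:tid 139870] "
    "(13)Permission denied: could not open configuration file",
    "not an error log line",
]

if __name__ == "__main__":
    for r in most_severe_first(SAMPLE):
        print(r["log_level"], r["client"], r["message"])
```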