Apache log management tutorial

Learn log configuration, log analysis and best practices


Apache log management

Managing the logs of an Apache server is an important part of system operations and troubleshooting. By configuring and analysing Apache logs properly you can understand the server's running state, how users access the site, error details and security events, so that problems are found and fixed promptly, server performance is tuned and the site's security is improved. This article covers Apache log management in detail: log configuration, log formats, log rotation and log analysis tools, to help you build an effective log management system.

Apache log overview

An Apache server produces several types of log file, mainly:

  • Access log (access log): records every HTTP request made to the server, including the request time, client IP, request method, request URL, response status code, response size and so on.
  • Error log (error log): records errors, warnings and other important events that occur while the server is running.
  • Other logs: depending on the configuration, Apache may also produce other log types, such as mod_security logs and mod_ssl logs.

Why logs matter

  • Troubleshooting: locate and resolve server problems quickly by reading the error log.
  • Performance analysis: analyse server load and performance bottlenecks from the access log.
  • Security monitoring: detect potential security threats and attacks by analysing the logs.
  • User behaviour analysis: understand users' access patterns and preferences.
  • Compliance requirements: some industries and regulations require access logs to be retained for a set period.

Apache log configuration

Access log configuration

In Apache the access log is configured mainly with the CustomLog directive. By default Apache writes the access log to /var/log/apache2/access.log (Ubuntu/Debian) or /var/log/httpd/access_log (CentOS/RHEL).

    # Add the following to the virtual host configuration
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Configure the access log
        CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

        # Other configuration...
    </VirtualHost>

Error log configuration

The error log is configured mainly with the ErrorLog directive. By default Apache writes the error log to /var/log/apache2/error.log (Ubuntu/Debian) or /var/log/httpd/error_log (CentOS/RHEL).

    # Add the following to the virtual host configuration
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Configure the error log
        ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
        LogLevel warn

        # Other configuration...
    </VirtualHost>

Log level configuration

The Apache log level is set with the LogLevel directive and controls how verbose the error log is. The available levels, from least to most verbose, are:

  • emerg: emergency; the system is unusable.
  • alert: problems that require immediate action.
  • crit: critical errors.
  • error: ordinary errors.
  • warn: warnings.
  • notice: notices (normal but significant conditions).
  • info: informational messages.
  • debug: debug messages.

    # Set the error log level
    LogLevel warn

    # Set a different log level for a specific module
    LogLevel warn ssl:info

Apache log formats

Default log format

By default Apache records the access log in the combined log format, which contains the following information:

    # Definition of the combined log format
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Meaning of each field:

  • %h: client IP address.
  • %l: remote logname (usually "-").
  • %u: authenticated user (usually "-").
  • %t: time of the request.
  • %r: the full request line, including request method, URL and HTTP version.
  • %>s: final response status code.
  • %b: response size in bytes (excluding HTTP headers).
  • %{Referer}i: the Referer request header.
  • %{User-Agent}i: the User-Agent request header.

Custom log formats

You can define your own log format as needed with the LogFormat directive:

    # Define a custom log format
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" custom

    # Use the custom log format
    CustomLog ${APACHE_LOG_DIR}/access.log custom

Commonly used log format variables:

  • %h: client IP address.
  • %a: client IP address (when a proxy is in use).
  • %l: remote logname.
  • %u: authenticated user.
  • %t: time of the request.
  • %T: time taken to serve the request (seconds).
  • %D: time taken to serve the request (microseconds).
  • %r: the full request line.
  • %m: request method.
  • %U: requested URL path.
  • %q: query string.
  • %H: HTTP version.
  • %>s: final response status code.
  • %b: response size.
  • %{VARNAME}i: request header field.
  • %{VARNAME}o: response header field.
  • %{VARNAME}e: environment variable.

Apache log rotation

Over time Apache log files keep growing, consuming large amounts of disk space and becoming awkward to analyse. Log rotation is a mechanism that archives old log files and creates new ones, keeping the size and number of log files under control.

Using logrotate for log rotation

Most Linux systems use the logrotate tool to manage log rotation. The Apache rotation configuration is usually found in /etc/logrotate.d/apache2 (Ubuntu/Debian) or /etc/logrotate.d/httpd (CentOS/RHEL).

    # Default Apache log rotation configuration on Ubuntu/Debian
    /var/log/apache2/*.log {
        daily
        missingok
        rotate 14
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
            if /etc/init.d/apache2 status > /dev/null ; then \
                /etc/init.d/apache2 reload > /dev/null; \
            fi;
        endscript
        prerotate
            if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                run-parts /etc/logrotate.d/httpd-prerotate; \
            fi; \
        endscript
    }

Meaning of each parameter:

  • daily: rotate once a day.
  • missingok: if the log file does not exist, continue without reporting an error.
  • rotate 14: keep 14 old log files.
  • compress: compress old log files.
  • delaycompress: postpone compression until the next rotation.
  • notifempty: do not rotate the log file if it is empty.
  • create 640 root adm: create the new log file with mode 640, owned by root, group adm.
  • sharedscripts: run the scripts once after all log files have been rotated.
  • postrotate: script to run after rotation.
  • prerotate: script to run before rotation.

Running log rotation manually

    # Run Apache log rotation manually
    sudo logrotate /etc/logrotate.d/apache2

    # Force rotation (even if the rotation conditions are not met)
    sudo logrotate -f /etc/logrotate.d/apache2

    # Test the rotation configuration (dry run, nothing is rotated)
    sudo logrotate -d /etc/logrotate.d/apache2

Apache log analysis tools

Analysing Apache logs helps you understand the server's running state, users' access patterns and potential problems. Some commonly used Apache log analysis tools:

1. AWStats

AWStats is a powerful log analysis tool that produces detailed HTML reports, including visit statistics, page views, traffic sources, user agents and more.

    # Install AWStats (Ubuntu/Debian)
    sudo apt install awstats

    # Configure AWStats
    sudo nano /etc/awstats/awstats.conf

    # Generate the report
    sudo /usr/lib/cgi-bin/awstats.pl -config=example.com -update

    # View the report
    # http://your-server/cgi-bin/awstats.pl?config=example.com

2. Webalizer

Webalizer is a fast, lightweight log analysis tool that produces simple HTML reports.

    # Install Webalizer (Ubuntu/Debian)
    sudo apt install webalizer

    # Generate the report
    sudo webalizer -c /etc/webalizer/webalizer.conf /var/log/apache2/access.log

3. GoAccess

GoAccess is a real-time terminal and HTML log analysis tool with an interactive interface and live statistics.

    # Install GoAccess (Ubuntu/Debian)
    sudo apt install goaccess

    # Generate a terminal report
    goaccess /var/log/apache2/access.log

    # Generate an HTML report
    goaccess /var/log/apache2/access.log -o /var/www/html/report.html

    # View the report
    # http://your-server/report.html

4. ELK Stack

The ELK Stack (Elasticsearch, Logstash, Kibana) is a powerful log management and analysis platform that collects, stores, analyses and visualises log data in real time.

    # Install the ELK Stack (using Docker; on Ubuntu/Debian the engine package is docker.io)
    sudo apt install docker.io docker-compose

    # Create docker-compose.yml
    cat > docker-compose.yml << 'EOF'
    version: '3'
    services:
      elasticsearch:
        image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
        environment:
          - discovery.type=single-node
        ports:
          - 9200:9200
      logstash:
        image: docker.elastic.co/logstash/logstash:7.14.0
        volumes:
          - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
          # The Logstash process inside the container must be able to read these
          # files; by default they are mode 640, owned by root:adm
          - /var/log/apache2:/var/log/apache2
        ports:
          - 5044:5044
      kibana:
        image: docker.elastic.co/kibana/kibana:7.14.0
        ports:
          - 5601:5601
    EOF

    # Create the Logstash configuration file
    cat > logstash.conf << 'EOF'
    input {
      file {
        path => "/var/log/apache2/access.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
      }
    }
    filter {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
      }
      date {
        match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
        target => "@timestamp"
      }
    }
    output {
      elasticsearch {
        hosts => ["elasticsearch:9200"]
        index => "apache-logs-%{+YYYY.MM.dd}"
      }
    }
    EOF

    # Start the ELK Stack
    sudo docker-compose up -d

    # Open Kibana
    # http://your-server:5601

Apache log analysis techniques

The one-liners below assume the combined log format, where whitespace-separated field 1 is the client IP, field 7 is the request URL, field 9 is the status code and field 10 is the response size.

1. Find the most requested pages

    # Use awk and sort to find the most requested pages
    awk '{print $7}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10

2. Find the IP addresses with the most requests

    # Use awk and sort to find the IP addresses with the most requests
    awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10

3. Find 404 errors

    # Find 404 errors: test the status field ($9) rather than grepping for "404",
    # which would also match URLs or byte counts containing 404
    awk '$9 == 404' /var/log/apache2/access.log | head -20

    # Count 404 errors
    awk '$9 == 404' /var/log/apache2/access.log | wc -l

    # Find the 404 URLs requested most often
    awk '$9 == 404 {print $7}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10

4. Find 500 errors

    # Find 500 errors
    awk '$9 == 500' /var/log/apache2/access.log | head -20

    # Look at the details in the error log
    grep "error" /var/log/apache2/error.log | head -20

5. Analyse logs for a specific time range

    # Analyse logs for a specific day (e.g. 1 October 2023)
    grep "01/Oct/2023" /var/log/apache2/access.log | head -20

    # Analyse logs for a specific hour (e.g. 1 October 2023, 10:00-11:00)
    grep "01/Oct/2023:10:" /var/log/apache2/access.log | head -20

6. Analyse user agents

    # Find the most common user agents
    grep -o '"Mozilla/[^"]*"' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -10

    # Find crawler visits
    grep -i "bot\|crawler\|spider" /var/log/apache2/access.log | head -20

7. Analyse bandwidth usage

    # Total bandwidth used (in bytes); awk treats the "-" that %b writes for empty responses as 0
    awk '{sum+=$10} END {print sum}' /var/log/apache2/access.log

    # Total bandwidth used (in MB)
    awk '{sum+=$10} END {print sum/1024/1024}' /var/log/apache2/access.log

    # Pages that consume the most bandwidth (bytes summed per URL, not per request)
    awk '{bytes[$7]+=$10} END {for (u in bytes) print bytes[u], u}' /var/log/apache2/access.log | sort -nr | head -10
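The field list in the log format section and the awk/grep one-liners above both split the line on whitespace, which breaks on fields such as the request line or User-Agent that contain spaces. As an added example, not part of the original tutorial, this Python parser reads the tutorial's custom format (combined plus %D) with a regex that respects the quoted fields, then computes the same statistics (top pages, top IPs, 404 count, total bytes) from parsed fields; it also accepts common-format lines without Referer and User-Agent. The sample log lines and field names are constructed for the example.

```python
import re
from collections import Counter

# Regex for the tutorial's "custom" LogFormat: combined fields plus %D (microseconds).
# Referer/User-Agent and %D are optional so plain common-format lines also parse.
LOG_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?(?: (?P<usec>\d+))?$'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    parts = d["request"].split(" ")          # %r is "METHOD URL HTTP/x.y"
    d["method"] = parts[0]
    d["url"] = parts[1] if len(parts) > 1 else ""   # malformed requests may lack a URL
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])   # %b writes "-" for 0 bytes
    d["usec"] = int(d["usec"]) if d["usec"] else None
    return d

def summarize(lines, top=10):
    """Top URLs, top client IPs, 404 count and total bytes from parsed fields, so a
    URL or byte count that merely contains '404' is not counted as an error."""
    urls, hosts = Counter(), Counter()
    not_found = total_bytes = unparsed = 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            unparsed += 1                    # count rather than silently skip
            continue
        urls[e["url"]] += 1
        hosts[e["host"]] += 1
        total_bytes += e["bytes"]
        if e["status"] == 404:
            not_found += 1
    return {"top_urls": urls.most_common(top), "top_hosts": hosts.most_common(top),
            "not_found": not_found, "total_bytes": total_bytes, "unparsed": unparsed}

# Constructed sample lines (not real traffic) in the custom format; line 2 contains
# "404" in both the URL and the byte count but has status 200.
SAMPLE = [
    '203.0.113.5 - - [01/Oct/2023:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/117.0" 812',
    '203.0.113.5 - - [01/Oct/2023:10:15:02 +0000] "GET /404.html HTTP/1.1" 200 404 "-" "Mozilla/5.0" 120',
    '198.51.100.7 - - [01/Oct/2023:10:16:00 +0000] "GET /missing HTTP/1.1" 404 - "-" "curl/8.1" 95',
    'garbage line that will not parse',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it against a real file with `summarize(open("/var/log/apache2/access.log"))`; a non-zero `unparsed` count usually means the LogFormat in use differs from the regex.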

Apache log security

Protecting log files

  • Set correct file permissions: make sure only authorised users can read the log files.
  • Encrypt at rest: for logs that contain sensitive information, consider encrypted storage.
  • Back up regularly: back up log files on a schedule to prevent data loss.
  • Restrict log access: limit access to the logs with firewalls or access controls.

    # Set log file permissions
    sudo chown root:adm /var/log/apache2/*.log
    sudo chmod 640 /var/log/apache2/*.log

    # Back up log files
    sudo rsync -avz /var/log/apache2/ user@backup-server:/backup/apache-logs/

Log masking

Apache logs may contain sensitive information such as user IP addresses and authentication details. Before analysing or sharing logs, mask the sensitive fields:

    # Mask IP addresses, then mask the detail in the user agent; the two seds are
    # chained because running them separately would overwrite the same output file.
    # Note that the IP pattern is not anchored to the first field, so any dotted
    # quad on the line (for example inside a URL) is replaced as well.
    sed 's/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/xxx.xxx.xxx.xxx/g' /var/log/apache2/access.log \
      | sed 's/\(Mozilla\/[0-9]\+\.[0-9]\+\).*/\1 .../g' > access_log_masked.log
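Replacing every address with the fixed string xxx.xxx.xxx.xxx also destroys the ability to count requests per client. As an added example, not from the original tutorial, this Python snippet masks only the %h field of each line, either by truncating the address to its network prefix or by replacing it with a keyed HMAC token that is stable per client but not reversible without the key. The key, function names and sample lines are constructed for the example.

```python
import hmac
import hashlib
import ipaddress

def truncate_ip(ip):
    """Zero the host part: IPv4 keeps the /24, IPv6 keeps the /48 (coarse anonymisation)."""
    addr = ipaddress.ip_address(ip)            # raises ValueError on malformed input
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def pseudonymize_ip(ip, key):
    """Keyed hash of the address: the same client always maps to the same token, so
    top-N-by-IP analysis still works. A plain unkeyed hash would not do: the IPv4
    space is small enough to hash exhaustively and reverse the mapping."""
    ipaddress.ip_address(ip)                   # validate before hashing
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

def mask_line(line, key=None):
    """Rewrite only the %h field (first token). Unlike a global sed over the whole
    line, dotted quads inside the URL or User-Agent are left untouched."""
    host, sep, rest = line.rstrip("\n").partition(" ")
    try:
        masked = pseudonymize_ip(host, key) if key else truncate_ip(host)
    except ValueError:
        masked = "invalid"   # hostnames (HostnameLookups On) or garbage are not leaked
    return masked + sep + rest

# Constructed sample lines (not real traffic); line 1 repeats the client IP in the URL.
SAMPLE = [
    '203.0.113.5 - - [01/Oct/2023:10:15:01 +0000] "GET /ip/203.0.113.5 HTTP/1.1" 200 512 "-" "curl/8.1"',
    '2001:db8:abcd:12::7 - - [01/Oct/2023:10:15:02 +0000] "GET / HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    'not-an-ip - - [01/Oct/2023:10:15:03 +0000] "GET / HTTP/1.1" 200 10 "-" "x"',
]

if __name__ == "__main__":
    key = b"constructed-demo-key"              # in practice: a secret, stored outside the log share
    for line in SAMPLE:
        print(mask_line(line))                 # truncated form
        print(mask_line(line, key))            # pseudonymised form
```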

Best practices

  • Configure the log level sensibly: choose a level that fits your actual needs, so the log is neither too verbose nor too sparse.
  • Use a custom log format: define a format that contains the information your analysis needs.
  • Enable log rotation: configure a sensible rotation policy so log files do not grow without bound.
  • Analyse logs regularly: make regular log review a habit so problems are found and fixed early.
  • Use log analysis tools: dedicated tools improve the efficiency and accuracy of analysis.
  • Protect the logs: set correct file permissions, restrict access to the logs and back them up regularly.
  • Monitor log size: check log file sizes regularly to avoid running out of disk space.
  • Integrate with monitoring: feed log analysis into your monitoring system for real-time alerting.
  • Retain logs for an appropriate period: balance compliance requirements against storage capacity.
  • Document the log configuration: record the logging configuration and analysis methods for team members to refer to.

Notes

When managing Apache logs, keep the following points in mind:

  • Avoid overly verbose log levels (such as debug) in production, which generate excessive log volume.
  • Check log file sizes regularly to avoid running out of disk space.
  • For high-traffic sites, consider a distributed log system such as the ELK Stack.
  • Be aware of sensitive information in the logs, such as user IP addresses and authentication details, and avoid leaking it.
  • Set the log retention period according to the regulations that apply to you.

Practical case: an Apache log management system

Step 1: Configure Apache logging

    # Edit the virtual host configuration
    sudo nano /etc/apache2/sites-available/example.com.conf

    # Add the following
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Configure the access log
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" custom
        CustomLog ${APACHE_LOG_DIR}/example.com-access.log custom

        # Configure the error log
        ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
        LogLevel warn

        # Other configuration...
    </VirtualHost>

    # Enable the virtual host
    sudo a2ensite example.com

    # Restart Apache
    sudo systemctl restart apache2

Step 2: Configure log rotation

    # Create a custom rotation configuration
    sudo nano /etc/logrotate.d/example.com

    # Add the following
    /var/log/apache2/example.com-*.log {
        daily
        missingok
        rotate 30
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
            if /etc/init.d/apache2 status > /dev/null ; then \
                /etc/init.d/apache2 reload > /dev/null; \
            fi;
        endscript
    }

    # Test the rotation configuration (dry run)
    sudo logrotate -d /etc/logrotate.d/example.com

Step 3: Install and configure GoAccess

    # Install GoAccess
    sudo apt install goaccess

    # Create the report directory
    sudo mkdir -p /var/www/html/reports
    sudo chown www-data:www-data /var/www/html/reports

    # Create a scheduled task that generates the report daily
    sudo crontab -e

    # Add the following. The custom format from Step 1 appends %D after the combined
    # fields; if GoAccess reports unparsable lines, pass a matching --log-format instead
    0 0 * * * /usr/bin/goaccess /var/log/apache2/example.com-access.log -o /var/www/html/reports/access_report.html --log-format=COMBINED

Step 4: Configure the ELK Stack (optional)

    # Install Docker and Docker Compose
    sudo apt install docker.io docker-compose

    # Create the ELK Stack configuration directory
    sudo mkdir -p /opt/elk/conf
    sudo chown -R $USER:$USER /opt/elk

    # Create docker-compose.yml
    cat > /opt/elk/docker-compose.yml << 'EOF'
    version: '3'
    services:
      elasticsearch:
        image: docker.elastic.co/elasticsearch/elasticsearch:7.14.0
        environment:
          - discovery.type=single-node
          - ES_JAVA_OPTS=-Xms1g -Xmx1g
        ports:
          - 9200:9200
        volumes:
          - es_data:/usr/share/elasticsearch/data
      logstash:
        image: docker.elastic.co/logstash/logstash:7.14.0
        volumes:
          - ./conf/logstash.conf:/usr/share/logstash/pipeline/logstash.conf
          - /var/log/apache2:/var/log/apache2
        ports:
          - 5044:5044
      kibana:
        image: docker.elastic.co/kibana/kibana:7.14.0
        ports:
          - 5601:5601
    volumes:
      es_data:
    EOF

    # Create the Logstash configuration file
    cat > /opt/elk/conf/logstash.conf << 'EOF'
    input {
      file {
        path => "/var/log/apache2/example.com-access.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
      }
    }
    filter {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
      }
      date {
        match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
        target => "@timestamp"
      }
    }
    output {
      elasticsearch {
        hosts => ["elasticsearch:9200"]
        index => "apache-logs-%{+YYYY.MM.dd}"
      }
    }
    EOF

    # Start the ELK Stack
    cd /opt/elk
    docker-compose up -d

    # Open Kibana
    # http://your-server:5601

Step 5: Set up log monitoring

    # Install logwatch
    sudo apt install logwatch

    # Configure logwatch
    sudo nano /etc/logwatch/conf/logwatch.conf

    # Change the following settings
    MailTo = admin@example.com
    Detail = High

    # Enable the logwatch timer
    sudo systemctl enable logwatch.timer
    sudo systemctl start logwatch.timer

    # Run logwatch manually (logwatch's Apache service is named http)
    sudo logwatch --service http --detail High

Interactive exercises

Exercise 1: Configure a custom log format

Create a custom Apache log format containing the client IP, request time, request method, request URL, response status code, response size, user agent and request processing time. Configure a virtual host to use this custom format.

Exercise 2: Configure log rotation

Create a custom rotation configuration for your Apache virtual host that rotates daily, keeps 60 days of logs, compresses old log files and reloads the Apache configuration after rotation.

Exercise 3: Analyse Apache logs

Use command-line tools to analyse the Apache access log and complete the following tasks:

  • Find the 10 most requested pages
  • Find the 10 IP addresses with the most requests
  • Count and analyse 404 errors
  • Calculate total bandwidth usage

Exercise 4: Install and configure GoAccess

Install GoAccess, set up a scheduled task that generates an Apache log analysis report every day, and view the report in a web browser.