Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

The tags beginning with web.tomcat identify log events generated by the Apache Tomcat web application server and the access logs of the applications the server hosts. 

This article describes the tag naming structure, a little about the main types of Tomcat server logs, and how to send log events from the Tomcat server to Devo.

Tag structure

The full tag must have at least six levels. The first two are fixed as web.tomcat. The third level identifies the log type/format and currently must be one of access-clfaccess-combinedaccess-lt, app, app-lt, catalina, catalina-lt, gc or out.

The fourth, fifth and sixth levels are required and should identify the environment type, web application, and instance respectively. 

  • environment - Describes the environment in when the event occurred. For example, development, testing, or production.

  • web application - The name of the web application.

  • clon - This is the instance that generated the event. Depending on your network, this can be a machine name, or the virtual name of a Tomcat process.

The values of these levels should be guided by the structure we propose because they will be saved in the events when saved in Devo. When you open the resulting data table, these will appear in the environment, site and clon columns.

Technology

Brand

Log type/format

Environment

Web application

Clon

web

tomcat

  • access-clf

  • access-combined

  • access-lt

  • app

  • app-lt

  • catalina

  • catalina-lt

  • gc

  • out

free but required


free but required

free but required

Therefore, the valid tags include:

  • web.tomcat.access-clf.env.app.clon

  • web.tomcat.access-combined.env.app.clon

  • web.tomcat.access-lt.env.app.clon

  • web.tomcat.app.env.app.clon

  • web.tomcat.app-lt.env.app.clon

  • web.tomcat.catalina.env.app.clon

  • web.tomcat.catalina-lt.env.app.clon

  • web.tomcat.gc.env.app.clon

  • web.tomcat.out.env.app.clon

For more information, read more about Devo tags.

Logging in Tomcat

Tomcat uses Apache Common Logging to generate the log events. The log messages that arrive through ServletContex log methods are also routed to this log library and associated to the following category:

org.apache.catalina.core.ContainerBase.[engine].[host].[context]

  • Usually, the engine is Catalina and the host is localhost.

  • The context name it is used as context, but there are some exceptions. For example, an application whose context path is /cava would have the category org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cava] associated.

In Tomcat default distribution, Apache Common Logging is associated to the JUL framework (java.util.logging). Hence, all events, including the ones generated by ServletContext are managed by JUL.

Tomcat configures JUL with the file specified in the LOGGING_CONFIG environment variable. In case it is missing, the installation file CATALINA_BASE/conf/logging.properties is used.

catalina.yyyy-MM-dd.log

This log contains the messages generated by Tomcat, usually associated with the server and applications life cycle. Tags starting with web.tomcat.catalina should be associated with events from this log file.

The definition is found in CATALINA_BASE/ conf/logging.properties. The logs coming from the container are configured to be stored in this file. This is done with the help of a handler built to write in catalina.yyy-MM-dd.log and associated with the root logger.

1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
  
.handlers = 1catalina.org.apache.juli.FileHandler

localhost.yyyy-MM-dd.log

This log contains the messages written by the applications with JUL (java.util.logging). Tags starting with web.tomcat.app should be associated with events from this log file.

The definition is found in CATALINA_BASE/ conf/logging.properties . The logs coming from the applications are configured to be stored in this file. This is done with the help of a handler built to write in localhost.yyy-MM-dd.log and associated with ServletContext log.

2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
  
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler

catalina.out

This log contains the information sent by the applications to stdout and stderr. It is generated by redirecting to this files standard and error output at operating system level. Since Tomcat is not directly responsible of its creation, it doesn't rotate. Tags starting with web.tomcat.out should be associated with events from this log file.

Access log (localhost_access_log.yyyy-MM-dd.log)

This file contains an access log similar to web server logs. In the log, there is an event for each petition processed by the server. You can control the event content (format and fields) in detail.

The access log is configured as a Tomcat Valve. The definition is found in CATALINA_BASE/conf/server.xml. 

<Valve className="org.apache.catalina.valves.AccessLogValve"
    directory="logs"
    prefix="localhost_access_log." suffix=".txt"
    pattern="%h %l %u %t &quot;%r&quot; %s %b" />

Devo supports three formats for access logs; two of them are based upon standard formats and the other is defined by Devo to offer a format that contains more details. Each of these formats corresponds with the third level of an access log tag.

The log format that corresponds to the web.tomcat.access-clf tag is based on the Common Log Format (CLF). The specification of this format is:

pattern="%h %l %u %t &quot;%r&quot; %s %b"
pattern="common"

The log format that corresponds to the web.tomcat.access-combined tag is based on the NCSA Combined log format. The specification of this format is:

pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;"
pattern="combined"

The log format that corresponds to the web.tomcat.access-lt tag is a custom format defined by Devo to offer more detailed logging. The specification of this format that includes cookie names is:

pattern="%t %a %l %u %S %v:%p %m &quot;%U%q&quot; %H &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{cookieName1}c:%{cookieName2}c&quot; %s %D %B %I"

 However, if you prefer not to include cookie names in your events, use this specification instead. 

pattern="%t %a %l %u %S %v:%p %m &quot;%U%q&quot; %H &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;&quot; %s %D %B %I"

Sending to Devo using file monitoring

UNIX environments

The standard method is to configure Tomcat to write the logs to file and rely on another tool (like rsyslog or syslog-ng) to send the events.

Since rsyslog cannot read dynamic files and the Tomcat log files are rotated daily, you need to turn log rotation off. This means the log files will have static names that rsyslog can reference. To disable rotation, set the rotatable attribute to false in the files where these logs are configured.

For localhost-yyyy-MM-dd.log and catalina-yyyy-MM-dd.log you have to modify CATALINA_BASE/conf/logging.properties:

Disabling log rotation for catalina and localhost logs
1catalina.org.apache.juli.FileHandler.level = FINE 
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 
1catalina.org.apache.juli.FileHandler.prefix = catalina 
1catalina.org.apache.juli.FileHandler.rotatable = false 


2localhost.org.apache.juli.FileHandler.level = FINE 
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 
2localhost.org.apache.juli.FileHandler.prefix = localhost 
2localhost.org.apache.juli.FileHandler.rotatable = false


For the access log you have to modify CATALINA_BASE/conf/server.xml:

Disabling log rotation for access log
<Valve className="org.apache.catalina.valves.AccessLogValve"
    directory="logs"
    prefix="localhost_access_log" suffix=".txt"
    pattern="%h %l %u %t &quot;%r&quot; %s %b"
    rotatable="false" />


Note that the prefixes do not end with a dot. Since the date will no longer be appended to the file name daily, it's not necessary to include a separator after the final character of the prefix.

Here we offer a sample rsyslog configuration file that is set up to monitor the catalina.log, catalina.out, localhost.log, and localhost_access_log.txt files, and forward them to a Devo Relay.

/etc/rsyslog.d/45-tomcat.conf (sample)
$template tomcat,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
  
# File catalina.log
$InputFileName CATALINA_BASE/logs/catalina.log
$InputFileTag web.tomcat.catalina.ENV.APP.CLON:
$InputFileStateFile stat-Tomcat-catalina
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
  
# File localhost.log
$InputFileName CATALINA_BASE/logs/localhost.log
$InputFileTag web.tomcat.app.ENV.APP.CLON:
$InputFileStateFile stat-Tomcat-localhost
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
  
# File catalina.out
$InputFileName CATALINA_BASE/logs/catalina.out
$InputFileTag web.tomcat.out.ENV.APP.CLON:
$InputFileStateFile stat-Tomcat-out
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
  
# File access log
$InputFileName CATALINA_BASE/logs/localhost_access_log.txt
$InputFileTag web.tomcat.access-clf.ENV.APP.CLON:
$InputFileStateFile stat-Tomcat-accessClf
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
  
# SSL config for Devo secure relay
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector
  
if $syslogtag contains 'web.tomcat.' and $syslogfacility-text == 'local7' then @@LOGTRUST-RELAY:PORT;tomcat
:syslogtag, contains, "web.tomcat." ~

You should personalize the rsyslog configuration file as follows:

  • Replace CATALINA_BASE by the absolute path where Tomcat logs reside.

  • Replace ENV.APP.CLON with the values that represent the source environment, application, and instance.

  • In this example, the access log uses the access-clf tag. You should specify the tag that corresponds to the format you have elected to use.

  • Replace DEVO-RELAY and PORT with the IP address and port of your Devo Relay. 

You can uncomment the SSL section of the file to send the events directly to the Devo Cloud. In this case, you should replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443. 

Make sure that the file you are sending and the directory where resides can be read by the user running rsyslog. If not, you should assign the necessary permissions by changing the file group to syslog.

To configure file rotation, you can use the logrotate utilityThe following in an example of a tomcat.conf might be set up.

/etc/logrotate.d/tomcat
CATALINA_BASE/logs/catalina.out
CATALINA_BASE/logs/catalina.log
CATALINA_BASE/logs/localhost.log
CATALINA_BASE/logs/localhost_access_log.txt
{
    rotate 14
    daily
    copytruncate
    missingok
    notifempty
    delaycompress
    compress
    sharedscripts
    lastaction
        service rsyslog stop
        rm -f /var/spool/rsyslog/stat-Tomcat-{catalina,localhost,out,accessClf}
        service rsyslog start
    endscript
}

When you have made all the configuration changes necessary, don't forget to restart the rsyslog process:

/etc/init.d/rsyslog restart

Windows environments

When running Tomcat on Windows, Devo recommends using the MagicLog component of the 2021-06-15_09-43-16_Devo Agent for Windows to forward the log events to Devo. You can also use the third-party tool, Snare Epilog

In both cases:

  • Make sure the logs are written in text files.

  • Have the complete paths to the log files on hand when setting up the sending.

  • No labels