The tags beginning with web.tomcat identify log events generated by the Apache Tomcat web application server and the access logs of the applications the server hosts.
This article describes the tag naming structure, a little about the main types of Tomcat server logs, and how to send log events from the Tomcat server to Devo.
Tag structure
The full tag must have at least six levels. The first two are fixed as web.tomcat. The third level identifies the log type/format and currently must be one of access-clf, access-combined, access-lt, app, app-lt, catalina, catalina-lt, gc or out.
The fourth, fifth and sixth levels are required and should identify the environment type, web application, and instance respectively.
environment - Describes the environment in when the event occurred. For example, development, testing, or production.
web application - The name of the web application.
clon - This is the instance that generated the event. Depending on your network, this can be a machine name, or the virtual name of a Tomcat process.
The values of these levels should be guided by the structure we propose because they will be saved in the events when saved in Devo. When you open the resulting data table, these will appear in the environment, site and clon columns.
Technology | Brand | Log type/format | Environment | Web application | Clon |
---|---|---|---|---|---|
web | tomcat |
| free but required | free but required | free but required |
Therefore, the valid tags include:
web.tomcat.access-clf.env.app.clon
web.tomcat.access-combined.env.app.clon
web.tomcat.access-lt.env.app.clon
web.tomcat.app.env.app.clon
web.tomcat.app-lt.env.app.clon
web.tomcat.catalina.env.app.clon
web.tomcat.catalina-lt.env.app.clon
web.tomcat.gc.env.app.clon
web.tomcat.out.env.app.clon
For more information, read more about Devo tags.
Logging in Tomcat
Tomcat uses Apache Common Logging to generate the log events. The log messages that arrive through ServletContex log methods are also routed to this log library and associated to the following category:
org.apache.catalina.core.ContainerBase.[engine].[host].[context]
Usually, the engine is Catalina and the host is localhost.
The context name it is used as
context
, but there are some exceptions. For example, an application whose context path is /cava would have the category org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cava] associated.
In Tomcat default distribution, Apache Common Logging is associated to the JUL framework (java.util.logging). Hence, all events, including the ones generated by ServletContext are managed by JUL.
Tomcat configures JUL with the file specified in the LOGGING_CONFIG environment variable. In case it is missing, the installation file CATALINA_BASE/conf/logging.properties is used.
catalina.yyyy-MM-dd.log
This log contains the messages generated by Tomcat, usually associated with the server and applications life cycle. Tags starting with web.tomcat.catalina should be associated with events from this log file.
The definition is found in CATALINA_BASE/ conf/logging.properties. The logs coming from the container are configured to be stored in this file. This is done with the help of a handler built to write in catalina.yyy-MM-dd.log
and associated with the root logger.
1catalina.org.apache.juli.FileHandler.level = FINE 1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 1catalina.org.apache.juli.FileHandler.prefix = catalina. .handlers = 1catalina.org.apache.juli.FileHandler
localhost.yyyy-MM-dd.log
This log contains the messages written by the applications with JUL (java.util.logging). Tags starting with web.tomcat.app should be associated with events from this log file.
The definition is found in CATALINA_BASE/ conf/logging.properties . The logs coming from the applications are configured to be stored in this file. This is done with the help of a handler built to write in localhost.yyy-MM-dd.log
and associated with ServletContext log.
2localhost.org.apache.juli.FileHandler.level = FINE 2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 2localhost.org.apache.juli.FileHandler.prefix = localhost. org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
catalina.out
This log contains the information sent by the applications to stdout and stderr. It is generated by redirecting to this files standard and error output at operating system level. Since Tomcat is not directly responsible of its creation, it doesn't rotate. Tags starting with web.tomcat.out should be associated with events from this log file.
Access log (localhost_access_log.yyyy-MM-dd.log)
This file contains an access log similar to web server logs. In the log, there is an event for each petition processed by the server. You can control the event content (format and fields) in detail.
The access log is configured as a Tomcat Valve. The definition is found in CATALINA_BASE/conf/server.xml.
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t "%r" %s %b" />
Devo supports three formats for access logs; two of them are based upon standard formats and the other is defined by Devo to offer a format that contains more details. Each of these formats corresponds with the third level of an access log tag.
The log format that corresponds to the web.tomcat.access-clf tag is based on the Common Log Format (CLF). The specification of this format is:
pattern="%h %l %u %t "%r" %s %b" pattern="common"
The log format that corresponds to the web.tomcat.access-combined tag is based on the NCSA Combined log format. The specification of this format is:
pattern="%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"" pattern="combined"
The log format that corresponds to the web.tomcat.access-lt tag is a custom format defined by Devo to offer more detailed logging. The specification of this format that includes cookie names is:
pattern="%t %a %l %u %S %v:%p %m "%U%q" %H "%{Referer}i" "%{User-Agent}i" "%{cookieName1}c:%{cookieName2}c" %s %D %B %I"
However, if you prefer not to include cookie names in your events, use this specification instead.
pattern="%t %a %l %u %S %v:%p %m "%U%q" %H "%{Referer}i" "%{User-Agent}i" "" %s %D %B %I"
Sending to Devo using file monitoring
UNIX environments
The standard method is to configure Tomcat to write the logs to file and rely on another tool (like rsyslog or syslog-ng) to send the events.
Since rsyslog cannot read dynamic files and the Tomcat log files are rotated daily, you need to turn log rotation off. This means the log files will have static names that rsyslog can reference. To disable rotation, set the rotatable attribute to false in the files where these logs are configured.
For localhost-yyyy-MM-dd.log and catalina-yyyy-MM-dd.log you have to modify CATALINA_BASE/conf/logging.properties:
Disabling log rotation for catalina and localhost logs
1catalina.org.apache.juli.FileHandler.level = FINE 1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 1catalina.org.apache.juli.FileHandler.prefix = catalina 1catalina.org.apache.juli.FileHandler.rotatable = false 2localhost.org.apache.juli.FileHandler.level = FINE 2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 2localhost.org.apache.juli.FileHandler.prefix = localhost 2localhost.org.apache.juli.FileHandler.rotatable = false
For the access log you have to modify CATALINA_BASE/conf/server.xml:
Disabling log rotation for access log
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" rotatable="false" />
Note that the prefixes do not end with a dot. Since the date will no longer be appended to the file name daily, it's not necessary to include a separator after the final character of the prefix.
Here we offer a sample rsyslog configuration file that is set up to monitor the catalina.log, catalina.out, localhost.log, and localhost_access_log.txt files, and forward them to a Devo Relay.
/etc/rsyslog.d/45-tomcat.conf (sample)
$template tomcat,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%" # File catalina.log $InputFileName CATALINA_BASE/logs/catalina.log $InputFileTag web.tomcat.catalina.ENV.APP.CLON: $InputFileStateFile stat-Tomcat-catalina $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # File localhost.log $InputFileName CATALINA_BASE/logs/localhost.log $InputFileTag web.tomcat.app.ENV.APP.CLON: $InputFileStateFile stat-Tomcat-localhost $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # File catalina.out $InputFileName CATALINA_BASE/logs/catalina.out $InputFileTag web.tomcat.out.ENV.APP.CLON: $InputFileStateFile stat-Tomcat-out $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # File access log $InputFileName CATALINA_BASE/logs/localhost_access_log.txt $InputFileTag web.tomcat.access-clf.ENV.APP.CLON: $InputFileStateFile stat-Tomcat-accessClf $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # SSL config for Devo secure relay #$DefaultNetstreamDriver gtls # use gtls netstream driver #$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt #$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt #$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key #$ActionSendStreamDriverMode 1 # require TLS for the connection #$ActionSendStreamDriverAuthMode x509/name #$ActionSendStreamDriverPermittedPeer collector if $syslogtag contains 'web.tomcat.' and $syslogfacility-text == 'local7' then @@LOGTRUST-RELAY:PORT;tomcat :syslogtag, contains, "web.tomcat." ~
You should personalize the rsyslog configuration file as follows:
Replace CATALINA_BASE by the absolute path where Tomcat logs reside.
Replace ENV.APP.CLON with the values that represent the source environment, application, and instance.
In this example, the access log uses the access-clf tag. You should specify the tag that corresponds to the format you have elected to use.
Replace DEVO-RELAY and PORT with the IP address and port of your Devo Relay.
You can uncomment the SSL section of the file to send the events directly to the Devo Cloud. In this case, you should replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443.
Make sure that the file you are sending and the directory where resides can be read by the user running rsyslog. If not, you should assign the necessary permissions by changing the file group to syslog.
To configure file rotation, you can use the logrotate utility. The following in an example of a tomcat.conf might be set up.
/etc/logrotate.d/tomcat
CATALINA_BASE/logs/catalina.out CATALINA_BASE/logs/catalina.log CATALINA_BASE/logs/localhost.log CATALINA_BASE/logs/localhost_access_log.txt { rotate 14 daily copytruncate missingok notifempty delaycompress compress sharedscripts lastaction service rsyslog stop rm -f /var/spool/rsyslog/stat-Tomcat-{catalina,localhost,out,accessClf} service rsyslog start endscript }
When you have made all the configuration changes necessary, don't forget to restart the rsyslog process:
/etc/init.d/rsyslog restart
Windows environments
When running Tomcat on Windows, Devo recommends using the MagicLog component of the 2021-06-15_09-43-16_Devo Agent for Windows to forward the log events to Devo. You can also use the third-party tool, Snare Epilog.
In both cases:
Make sure the logs are written in text files.
Have the complete paths to the log files on hand when setting up the sending.