web.apache
The tags beginning with web.apache identify log events generated by the Apache Web Server.
Tag structure
The full tag must have six levels. The first two are fixed as web.apache. The third level identifies the log type/format and currently must be one of access-clf, access-combined, access-lt, access-lt-xff, access-vhc, or error.
The fourth, fifth and sixth levels are required and should identify the environment type, web application, and Apache instance respectively.
environment - Describes the environment in which the event occurred. For example, development, testing, or production.
web application - The name of the web application.
clon - This is the Apache instance that caused the event. Depending on your network, this can be a machine name or the virtual name of an Apache process.
The values of these levels should follow the structure we propose, because they are stored with the events in Devo. When you open the resulting data table, they appear in the environment, site and clon columns.
Technology | Brand | Log type/format | Environment | Web application | Clon
---|---|---|---|---|---
web | apache | access-clf, access-combined, access-lt, access-lt-xff, access-vhc, or error | free but required | free but required | free but required
Therefore, the valid tags are the following (remember that the tag must have six levels, and the last three are free):
web.apache.access-clf.env.app.clon
web.apache.access-combined.env.app.clon
web.apache.access-lt.env.app.clon
web.apache.access-lt-xff.env.app.clon
web.apache.access-vhc.env.app.clon
web.apache.error.env.app.clon
A complete valid tag example would be: web.apache.access-clf.testing.myapp.mymachine
Devo also supports the events generated by the ModSecurity web application firewall.
For more information, read more about Devo tags.
Devo supports five formats for access log events: three standard formats (clf, combined, and vhc) and two custom formats defined by Devo (lt and ltXff). These correspond to the third level of the tag.
The format of the log events is determined by the LogFormat directive. The expressions for each of the supported formats are listed below:
access-clf for the Common Log Format (CLF). The directive to define this (default) format is:
CLF
LogFormat "%h %l %u %t \"%r\" %>s %O" common
access-combined for the NCSA extended/combined log format. The directive to define this format is:
Combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
access-vhc for the NCSA extended/combined log format with virtual host. The directive to define this format is:
Virtual Host Combined
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
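As an added example (not part of this page and not Devo's own tooling), the following Python checks the six-level tag described above and parses access lines written by the three standard directives shown here (clf, combined, and vhost_combined), attaching the tag's free levels as the environment, site and clon columns. The sample line and all names are constructed.

```python
import re
from typing import Optional

# Third-level tag values the page lists as valid for web.apache.
LOG_TYPES = {"access-clf", "access-combined", "access-lt", "access-lt-xff", "access-vhc", "error"}

def validate_tag(tag: str) -> bool:
    """True if tag is web.apache.<log type>.<environment>.<app>.<clon> with all six levels present."""
    parts = tag.split(".")
    return (len(parts) == 6 and parts[:2] == ["web", "apache"]
            and parts[2] in LOG_TYPES and all(parts[3:]))

# A quoted field as Apache writes it: quotes inside are backslash-escaped.
_Q = r'(?:[^"\\]|\\.)*'
# %h %l %u %t "%r" %>s %O  (the CLF directive above); a %b-style "-" byte count is tolerated
_CLF = (r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
        r'"(?P<request>' + _Q + r')" (?P<status>\d{3}) (?P<bytes>\d+|-)')
# ... "%{Referer}i" "%{User-Agent}i"  (combined)
_COMBINED = _CLF + r' "(?P<referer>' + _Q + r')" "(?P<user_agent>' + _Q + r')"'
# %v:%p prefix  (vhost_combined)
_VHOST = r'(?P<vhost>[^:\s]+):(?P<port>\d+) ' + _COMBINED

PATTERNS = {
    "access-clf": re.compile(_CLF + r'$'),
    "access-combined": re.compile(_COMBINED + r'$'),
    "access-vhc": re.compile(_VHOST + r'$'),
}

def parse_access_line(log_type: str, line: str) -> Optional[dict]:
    """Parse one line with the regex for the tag's third level; None if the line does not match."""
    m = PATTERNS[log_type].match(line)  # KeyError for access-lt/-lt-xff: their directives are not shown here
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def enrich(tag: str, line: str) -> Optional[dict]:
    """Join the parsed fields with the tag's free levels, i.e. the environment, site and clon columns."""
    if not validate_tag(tag):
        raise ValueError(f"invalid web.apache tag: {tag!r}")
    _, _, log_type, environment, site, clon = tag.split(".")
    rec = parse_access_line(log_type, line)
    return None if rec is None else {"environment": environment, "site": site, "clon": clon, **rec}

# Constructed sample line in the vhost_combined format (not captured from any real server).
SAMPLE_VHC = ('www.example.com:443 192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] '
              '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"')
```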
access-lt for the Devo-defined format that adds more details to the standard formats listed above. The directive to define this format is:
Devo Access
Where "%{c1}C:%{c2}C:...:%{cN}C" lists the names of the cookies you want reflected in the log. If you don't want to save any cookie, just leave the field empty ("").
access-lt-xff, the same as the access-lt format, but intended for web servers that sit behind a load balancer or reverse proxy, where the client source IP is taken from the X-Forwarded-For header. The directive to define this format is:
Devo Access X-Forwarded-For
Sending to Devo using rsyslog
We recommend using an rsyslog configuration file to monitor and forward the Apache error and access logs. For guidance, see the articles about file monitoring and sending using rsyslog.
To locate your Apache log files, look for the ErrorLog and CustomLog directives in your Apache configuration file.
Sending to Devo using logger
The ErrorLog and CustomLog directives can also write events to an external process such as logger.
This is how you would express these directives to write events to the logger:
Forwarding to local syslog
A note about syslog sending
Although Apache can send error logs via syslog, we don't recommend this method. Syslog sending is not available for the access logs, so the installation would need a second sending method for them, adding complexity. Unselect the “sent without syslog tag” option when setting up logs to ingest into parsers.