<Valve
className="org.apache.catalina.valves.AccessLogValve"
directory="${catalina.base}/logs"
prefix="access_log"
fileDateFormat="yyyy-MM-dd.HH"
suffix=".log"
pattern="%t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r"
/>
But it is not working for me..No logs are being created. I want all the info of client including access time,IP, host,proxy IP,hostname.
For time,IP, host,proxy IP,hostname - Check link for reference. Use Following
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
logs are not created because of directory="${catalina.base}/logs". Directory description is
Absolute or relative pathname of a directory in which log files created by this valve will be placed. If a relative path is specified, it is interpreted as relative to $CATALINA_BASE. If no directory attribute is specified, the default value is "logs" (relative to $CATALINA_BASE).
You must specify only directory="logs".
Related
I am trying to log website visitor application in tomcat logs
I have tried adding below lines of code in server.xml
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%{X-Forwarded-For}i %h %F %l %u %t "%r" %s %b"/>
I am getting the below output in the tomcat log.
192.168.1.149 15 - - [24/Jul/2020:16:24:16 +0200] "GET /geonetwork/srv/eng/shib.user.login.noforward HTTP/1.0" 200 50
I need to get remote IP of one who is accessing the application
There are 2 scenario, your tomcat is not behind any load balancer or proxy or behind one. If your tomcat is not behind proxy or load balancer, it's already correct. For more precaution, maybe add %a so it can grab the remote ip address as stated in Access_Log_Valve
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%{X-Forwarded-For}i %h %F %l %u %t "%r" %s %b" />
To
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%{X-Forwarded-For}i %a %h %F %l %u %t "%r" %s %b" />
If you want to use %h for Remote host name, please set enableLookups="true" at connector
<!-- Define a non-SSL HTTP/1.1 Connector on port 8180 -->
<Connector port="8080"
....
enableLookups="true"
....
/>
But in any case that the tomcat is behind proxy or load balancer, add more configuration like this:
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
<Valve className="org.apache.catalina.valves.AccessLogValve" ....
The proxy default ip addresses that used by RemoteIpValve:
127.0.0.0/8
169.254.0.0/16
10.0.0.0/8
192.168.0.0/16
And maybe if your proxy is not listed here, add internalproxies configuration to catch the proxy:
<Valve className="org.apache.catalina.valves.RemoteIpValve"
internalProxies="172.16.0.10|172.16.0.11" />
My system is running as architecture below
clients -> physical LB -> httpd reverse proxy (multiple servers) -> tomcat (multiple servers)
my question is how I could log the IP of the proxy server that the request goes through into the tomcat access log?
here is my tomcat server.xml config
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>
<Valve className="org.apache.catalina.valves.AccessLogValve"
requestAttributesEnabled="true"
directory="${LOG_DIR}/tomcat"
prefix="access."
suffix=".log"
pattern="%h %{org.apache.tomcat.remoteAddr}r %{X-Forwarded-For}i %A %{Host}i %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %I %D "%S" "%{COOKIE}i""
resolveHosts="false"
fileDateFormat="yyyy-MM-dd"
rotatable="true"
/>
I am attempting to perform some data analysis on a set of Apache access logs that were passed on to me, but I noticed these logs do not seem to be in a conventional format (based on a few other Apache log examples I found online). Following is one row extracted from one of my log files (after some anonymization):
2013-08-25 10:06:11 EDT - "GET http://www.siteaddress.com/section/aaa/z/directory HTTP/1.1" 404 1677 1.2.181.171 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" - 0 155311 -
Is there any way I can find out what format is being used to record these logs? That is, how would I go about getting some sort of a header for this file? Ps.: I have access to the server that is capturing these logs and could use it to find that information out.
Edit 1: I was told to check the content of /etc/apache2/httpd.conf, which I found to be empty.
Edit 2: The following relevant piece was found within apache2.conf but I'm not quite sure these match what I'm seeing in the logs.
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Edit 3: Found this within /etc/apache2/sites-available/hub and it seems to match my format (Thanks a lot!)
LogFormat "%{%Y-%m-%d %H:%M:%S %Z}t %u \"%r\" %>s %B %a \"%{Referer}i\" \"%{User-Agent}i\" - %T %D -"
In debian based distros, the config is split into multiple files. Main configuration is /etc/apache2/apache2.conf, while all vHosts (that are used by default) are configured in /etc/apache2/sites-available (they might not be active though, when activating virtual hosts using a2ensite a symlink in /etc/apache2/sites-enabled/ is created, from where the files get included)
If you have never messed with the config, the log format should either be set in
/etc/apache2/sites-available/default inside the VirtualHost container ot in apache2.conf
You can find the format specification in one of the Apache configuration files; depending on your server configuration, that may be the primary config file (/etc/apache2/apache2.conf, probably; that's the default on Debian and its derivates, while /etc/httpd/httpd.conf is common among the Rat Head family), or in the configuration file for the virtual host whose logs you're looking at (/etc/apache2/sites-enabled/* for Debian and company, God only knows where for Rat Head).
The configuration directive you're after will be either LogFormat, which aliases a format string to a short name, or CustomLog, which uses either a format string, or a short name defined earlier in a LogFormat directive, to specify an actual logging format.
The format string syntax is detailed in the Apache documentation.
To save you some time, from eyeballing the sample line and having had considerable experience of Apache logs, most of the format appears to be:
<datetime> - "<request method> <url> <HTTP version>" <response status> <response length> <client address> "<request Referer: header value?>" "<request User-Agent: header value>" - ?? <response duration in microseconds?> - <newline>
I don't know offhand what the parts involving question marks are, but the rest seem pretty obvious.
I am trying to define a new LogFormat by re-using an already existing LogFormat nickname.
Let's consider the following snipped (from the "Log files" section of the httpd documentation):
SetEnv CACHE_MISS 1
LogFormat "%h %l %u %t \"%r\" %>s %b %{CACHE_MISS}e" common-cache
CustomLog logs/access_log common-cache
I would like to know if there is a way to define the common-cache log format by re-using the common log format instead of hard coding %h %l %u %t \"%r\" %>s %b
I am asking this because I want to define a base log format in the core httpd.conf file and then define a customized log format, based on the base log format, in each of my virtual host config files
Note that I do not need a nickname for the customized log format, which means that a solution of one of the following forms will be sufficient:
## form 1
LogFormat *my customized format*
TransferLog logs/access_log
##form 2
CustomLog logs/access_log *my customized format*
Thanks for your inputs
Use a piped log to achieve this:
CustomLog "|| customizer.sh logs/access_log 86400" foo_format
The second argument specifies what will be written to the log file. It can specify either a nickname defined by a previous LogFormat directive, or it can be an explicit format string as described in the log formats section.
In my apache webserver log files directory ; I can see only two files : error.log and other_vhosts_access.log . Whenever anyone access the website; for every access request only one word vhost_combined is printed in other_vhosts_access.log.
Hence other_vhosts_access.log is filled with only one word vhost_combined !
Any idea what could be going wrong !
You need to add a line such as:
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
somewhere in your httpd.conf file before the first VirtualHost entry.
What is happening is that you are attempting to use a format named "vhost_combined" in your CustomLog directive, but a format by that name is not defined, which results in it being interpreted as a format string, which does not contain any formatting (%x) specification, so it is printed just as a string.
By adding the above-described LogFormat line, you are defining the format you want.