How to connect Apache log to graylog2 server - apache

I'm using Graylog2 server as my application log server. But couldn't connect apache log to graylog2. Is there any guide to send apache log to graylog2 server or can someone help me to solve this ?

I put this at the bottom of my /etc/rsyslog.conf on Ubuntu 14.04
# Apache access file:
$ModLoad imfile
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputRunFileMonitor
#Apache Error file:
$InputFileName /var/log/apache2/error.log
$InputFileTag apache-errors:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputRunFileMonitor
$InputFilePollInterval 10
if $programname == 'apache-access' then #10.11.11.33:514
if $programname == 'apache-errors' then #10.11.11.33:514
where 10.x.x.x is my Graylog2 server.

There will be a GELF module for Apache soon. Until that is released I can recommend using Logstash to parse and forward the Apache log files. You could even send in the log lines to "Raw/Plaintext" inputs in Graylog2 using tail and netcat.

Related

ECS logging (awslogs driver) only logging apache server startup logs to cloudwatch, no error.log & no access.log

I have the problem that my ECS logs (awslogs driver) are not working as expected. In Cloudwatch I'm only seeing the server startup logs & not the useful logs from the apache (/var/log/apache2/error.log & /var/log/apache2/access.log)
I have a docker multicontainer setup with one container running the apache server & the other container running PHP-FPM. My container logs on cloudwatch look like this:
Apache-Container:
23:35:39 *** Running /etc/my_init.d/02_init.sh...
23:35:39 Starting Apache
23:35:39 * Starting Apache httpd web server apache2
23:35:39 /usr/sbin/apache2ctl: 87: ulimit: error setting limit (Operation not permitted)
23:35:39 Setting ulimit failed. See README.Debian for more information.
23:35:40 *** Running /etc/rc.local...
23:35:40 *** Booting runit daemon...
23:35:40 *** Runit started as PID 225
23:35:40 Oct 25 22:35:40 apache-container syslog-ng[231]: syslog-ng starting up; version='3.5.6'
2019-10-26 00:17:01
Oct 25 23:17:01 apache-container CRON[947]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
...
07:35:16 tail: '/var/log/syslog' has been replaced; following new file
...
FPM-Container:
...
10:25:23 172.x.x.x - 27/Okt/2019:09:25:23 +0000 "GET /app.php" 200
10:25:25 172.x.x.x - 27/Okt/2019:09:25:24 +0000 "GET /app.php" 200
...
I've checked various forums & online resources. As I understood it right I just need to symlink my logs to STDOUT/STDERR or even better to /proc/self/fd/1 & /proc/self/fd/2 like this:
ln -sf /dev/stdout /var/log/apache2/access.log
ln -sf /dev/stderr /var/log/apache2/error.log
I've tried to link the logs in my .Dockerfile via the RUN command & also during runtime, but no success. I see that my logs are showing up correctly in the log files before linking them. I've also tried things like echo "test stderr logs" >> /dev/stderr or echo "test stdout logs" >> /dev/stdout inside & outside the containers, but nothing showing up in the cloudwatch logs. When I try docker logs MY_DOCKER_CONTAINER_ID I get: Error response from daemon: configured logging driver does not support reading.
Maybe I'm missing some basic knowledge here. I see that syslog is in my environment/base image (maybe i need to merge syslog & apache logs?) and that the PHP-FPM-container is logging 200's but only to the app.php even though I would like to know the exact path of the accessed url.
You need to specify in your docker-compose used by ECS to use the cloudwatch logging driver like so:
version: '2'
services:
myapp:
build:
context: .
logging:
driver: awslogs
options:
awslogs-group: "/my/log/group"
awslogs-region: "us-west-2"
awslogs-stream-prefix: some-prefix
This should cause /dev/stdout and /dev/stderr to appear in CloudWatch. You can find more information on the logging driver options on the Docker page.
Hey thx for the responses. If I remember it right, the problem was, that all of my output was redirected to syslog & there was a misconfiguration in my syslog config.

How to configure apache server to allow wget with proxy?

I'm totally new to the apache httpd stuff
I setup my host ServerHost1 as a file server with httpd
# httpd -v
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Dec 2 2014 08:09:42
I have put the file TestFile.txt under /var/www/html/TestDir/TestFile.txt
I modified part of the httpd.conf as follow
<Directory />
Order deny,allow
Allow from all
</Directory>
On a test host TestHost1 with full Internet access, I can downloaded my file with wget
TestHost1]# wget http://ServerHost1/TestDir/TestFile.txt
--2016-03-17 13:39:12-- http://ServerHost1/TestDir/TestFile.txt
Resolving ServerHost1 (ServerHost1)... <IP address>
Connecting to ServerHost1 (ServerHost1)|<IP address>|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2859976598 (2.7G) [application/octet-stream]
Saving to: ‘TestFile.txt’
2% [> ] 60,645,376 24.0MB/s
On the host sitting on a semi-isolated network TestHost2, I have to use proxy for wget to work. It works fine with google
TestHost2]# wget google.ca
--2016-03-17 13:53:26-- http://google.ca/
Resolving proxy.com (proxy.com)... <ProxyIP>
Connecting to proxy.com (proxy.com)|<ProxyIP>|:3128... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.ca/ [following]
--2016-03-17 13:53:26-- http://www.google.ca/
Reusing existing connection to proxy.com:3128.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
[ <=> ] 19,928 --.-K/s in 0.1s
2016-03-17 13:53:27 (159 KB/s) - ‘index.html’ saved [19928]
However when I try to get my file from ServerHost1, it gets ERROR 503: Service Unavailable
TestHost2]# wget http://ServerHost1/TestDir/TestFile.txt
--2016-03-17 13:57:13-- http://ServerHost1/TestDir/TestFile.txt
Resolving proxy.com (proxy.com)...<ProxyIP>
Connecting to proxy.com (proxy.com)|<ProxyIP>|:3128... connected.
Proxy request sent, awaiting response... 503 Service Unavailable
2016-03-17 13:57:13 ERROR 503: Service Unavailable.
So the question is
(1) Why am I seeing 503 ServiceUnavailable when the file is apparently available (since I can downloaded from testhost1)?
(2) How do I configure my httpd.conf file so that TestHost2 can wget the file from ServerHost1?
Maybe try with ProxyRequests as described in Apache docs https://httpd.apache.org/docs/2.4/mod/mod_proxy.html

Run OHS for Weblogic cluster

I am using weblogic12.1.3
I was install the WebLogic cluster in the above format :
cluster name : cs1, cluster address 172.30.35.23:7003,172.30.35.23:7004
I have 2 manageserver : 172.30.35.23:7003,172.30.35.23:7004
and a Machine MCH1(added 2 manage server to this machine)
my console address is : 172.30.35.23:7001/console
I have installe OHS on the other server : IP:172.30.35.13 port:7777
===============================================================
My configuration in OHS (mod_wl_ohs.conf) is :
LoadModule weblogic_module /u01/app/product/fmw/ohs/mosules/mod_wl_ohs.so
<IfModule weblogic_module>
<Location /console>
WLSRequest On
WebLogicHost 172.30.35.23
WeblogicPort 7001
</Location>
</IfModule>
<IfModule weblogic_module>
<Location /Hello>
WLSRequest On
WebLogicCluster 172.30.35.23:7003,172.30.35.23:7004
</Location>
</IfModule>
=============================================================
my /etc/hosts on weblogic server is :
127:0.0.1 localhost.localdomain
172.30.35.23 weblogic2 weblogic2.localdomain
my /etc/hosts on OHS server is :
127:0.0.1 localhost.localdomain
172.30.35.13 OHS OHS.localdomain
==============================================================
I deployed Hello.war to cluster
My test result :
172.30.35.23:70001/console is ok
172.30.35.13:7777/console is ok
172.30.35.23:7003/Hello is ok
172.30.35.23:7004/Hello is ok
but i dont have any answer on 172.30.35.13:7777/Hello
why ?
It means OHS is not working with cluster ?
ohs1.log is :
[oracle#OHS logs]$ cat ohs1.log
[2015-10-05T18:21:50.6939+03:30] [OHS] [ERROR:32] [OHS-9999] [mod_weblogic.c] [client_id: 172.30.35.200] [host_id: OHS] [host_addr: 172.30.35.13] [tid: 140599950821120] [user: oracle] [ecid: 0058LmbHfxLDg^wawDedMG0005rH000006] [rid: 0] [VirtualHost: main] <0058LmbHfxLDg^wawDedMG0005rH000006> weblogic: parseServerList: 172.30.35.23:7102 apr_socket_connect error [111] Connection refused
[2015-10-05T18:21:50.6971+03:30] [OHS] [ERROR:32] [OHS-9999] [mod_weblogic.c] [client_id: 172.30.35.200] [host_id: OHS] [host_addr: 172.30.35.13] [tid: 140599950821120] [user: oracle] [ecid: 0058LmbHfxLDg^wawDedMG0005rH000006] [rid: 0] [VirtualHost: main] <0058LmbHfxLDg^wawDedMG0005rH000006> weblogic: parseJVMID: could not resolve hostname '-1407311080'. Returning NULL from parseJVMID
Thanks
You need to make WebLogic Server to accept OHS request
If the version of the Oracle WebLogic Server instances in the back end is 10.3.4 (or later releases), you must set the WebLogic Plug-In Enabled parameter.
1.
Log in to the Oracle WebLogic Server administration console.
The WebLogic Proxy Plug-In provides features that are
identical to those of the plug-in for Apache HTTP Server.
2.
In the Domain Structure pane, expand the
Environment node.
– If the server instances to which you want to proxy requests from Oracle
HTTP Server are in a cluster, select Clusters.
– Otherwise, select Servers.
3.
Select the server or cluster to which you want to proxy requests from Oracle
HTTP Server.
The Configuration: General tab is displayed.
4.
Scroll down to the Advanced section, expand it, and select the
WebLogic Plug-In Enabled checkbox. Or change value from default to yes if there isn't checkbox
5.
Click Save.
6.
If you selected Servers in step 2, repeat steps 3 and 4 for the other servers to which you want to proxy requests from Oracle HTTP Servers.
For the change to take effect, you must restart the server instances.

Magento Soap Error - Premature end of data in tag definitions line 2

My client is using Unleashedsoftware.com to connect to a Magento Store. But it gives this error.
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>WSDL</faultcode>
<faultstring>
SOAP-ERROR: Parsing WSDL: Couldn't load from 'http://www.domain.com/index.php/api/v2_soap/index/wsdl/1/' : Premature end of data in tag definitions line 2
</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
When browsing http://www.domain.com/index.php/api/v2_soap/index/ Firebug gives me “500 Internal Service Error”.
When I browse http://www.domain.com/index.php/api/v2_soap/index/wsdl/1/, I am getting valid XML data.
I checked the server log files and it seems like:
[Thu Aug 30 22:22:25 2012] [warn] [client 92.92.92.92] mod_fcgid: stderr: in /home/doaminuser/public_html/lib/Zend/Soap/Server.php on line 762
I been searching for couple of days now and today I tried to duplicate the entire site to another test server, and it seems to be working! So that seems to be a server issue.
Please, anybody got any idea what could be the issue?
Is there any better way of debugging this issue, any sample code or debugging tips.
Magento version is 1.6.2
Thank you.
There's lots of times where Magento's SOAP API fails due to problems your Magento server has communicating with itself.
That is, PHP's SOAP implementation requires that the SOAP server itself fetch the WSDL file via http, and a local network configuration issue gets in the way of Magento fetching it's own WSDL.
You can debug this by SSHing into your Magento server, and running the following command
curl -l 'http://www.example.com/index.php/api/v2_soap/index/wsdl/1/' > /tmp/wsdl.xml
and then examining the wsdl.xml file. Because you're performing this from your web-server, you may get different results than when you're performing it from your local browser.
I had a similar problem when calling the URL
http://www.store.com/index.php/api/v2_soap/?wsdl
After some time I received the message 500 - Internal Server Error and a Premature end of script headers message in the apache error log.
After a whole day of research I figured out, that the Timeout-Directive of the Apache module (configured in httpd.conf on a Linux environment) was set to "20" which caused the server to send the 500 error after 20 seconds. The problem is, that in my case the Magento system needs a longer time to "crawl" through all wsdl.xml files in order to build the WSDL-output (if you are using Magento SOAPv2).
Maybe you should check your Timeout Directive..hope that helps.
"I have memories of this. What worked for me was to put the hostname
in /etc/hosts on the server plus the www alias on 127.0.0.1 However,
in this instance the server was in the building rather than in some
ISP place and the LAN had Windows computers on it. Windows users had
downloaded lots of trojan-virus-porn things that were spending the
whole time spamming the network so the real problem was with the
Windows computers on the network, not with the server or with Magento.
After fdisking the PC's the problem was solved."
Thank You I've been struggling for 2 days with this on magento 1.6 and Windows Server 2008 adding this line to the hosts file (C:\Windows\System32\drivers\etc) solved the issue for me:
127.0.0.1 www.Domain.com
also remember to fix your magento soap (role) because the Roles Resources doesn't save in 1.6 unless you fix this file:
MagentoRoot\app\code\core\Mage\Adminhtml\Block\Api\Tab\Rolesedit.php
replace this:
if (array_key_exists(strtolower($item->getResource_id()), $resources) && $item->getPermission() == 'allow') {
with this:
if (array_key_exists(strtolower($item->getResource_id()), $resources) && $item->getApiPermission() == 'allow') {
In my case the issue was the Mod_Security rule "PHP Easter Egg Access" was enabled.
Rule ID: 380800
Once disabled, the api access worked.
An indicator was in the Apache log file:
Jun 19 09:15:52 httpd[1024961]: [error] [client xyz.xyz.xyz.xyz] ModSecurity: [file "/usr/local/apache/conf/modsec/99_asl_jitp.conf"] [line "116"] [id "380800"] [rev "1"] [msg "Atomicorp.com WAF Rules - Virtual Just In Time Patch: PHP Easter Egg Access"] [data "phpe9568f35-d428-11d2-a769-00aa001acf42"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "php(?:e9568f3[56]-d428-11d2-a769-00aa001acf42|b8b5f2a0-3c92-11d3-a3a9-4c7b08c10000)" at REQUEST_URI. [hostname "www.yoursever.com"]...
Magento version: 1.7.0.2
PHP version: 5.3.26
More information about the PHP Easter Egg Access rule:
http://www.atomicorp.com/forums/viewtopic.php?f=3&t=5057
http://www.0php.com/php_easter_egg.php
For those wanting a quick test script to replicate the issue (useful when trying to convince your hosting provider that it's a problem on their end), use:
<?php
$server = new SoapServer("http://<url to your magento shop>/index.php/api/v2_soap/index/wsdl/1/");
?>
This is the line in /lib/Zend/Soap/Server.php that triggers the error.
In my case if you browsed to:
http://< url to your magento shop >/index.php/api/v2_soap/index/wsdl/1/
the xml was fine, but if you ran the above php script on the server, the error was given.
This error most often appeared for me while omitting www for domain given in Magento SOAP url. Url has to match base url specified in the Magento config.

WebGate Configuration Problem

I have a instance of Oracle Access Manager set up on Server A and a copy of WebGate set up on Apache on Server B which should be working but isn't. When I try to access http(s)://hostname:port/access/oblix/apps/ webgate/bin/webgate.cgi?progid=1 as specified in the directions after everything is set up, I get a web page that says:
No Response from Application Web Server
There was no response from the application web server for the page you requested.
Please notify the site's webmaster and try your request again later.
I get the same error message when accessing other pages which are set up to be protected by WebGate with LocationMatch in Apache's httpd.conf.
Also, I'm not getting any output in webgate/access/oblix/logs/oblog.log even though webgate/access/oblix/conf/oblog_config_wg.xml has the log level set to LOGLEVEL_TRACE.
Does anyone have thoughts on what config files to check that could be causing this problem?
Edit 1: I've found that when I access a page protected by WebGate, the Apache error_log has this:
[Thu Oct 8 09:44:23 2009] [notice] child pid 4970 exit signal Segmentation fault (11)
Edit 2: Also, for some reason, pages which are to be protected by WebGate don't trigger an update to Apache's access_log, even though they do return that error message.
Ah the joy of the webgate install. Here are the usual questions I ask myself:
Does the apache user also own the directory where webgate is installed?
Are you running this on an OS and Apache version verified by Oracle?
Is your httpd.conf correctly setup with the WebGate configs?
Did you put
LD_ASSUME_KERNEL=2.4.19
export LD_ASSUME_KERNEL
in your init.d/httpd file?
Are you clocks in sync between the Access server and the apache host?
Reinstalling Webgate fixed the problem. Not sure what screwed it up.
i got
[2014-03-27T04:41:51.2101+05:30] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [pid: 14931] [tid: 139749613860672] [user: root] [VirtualHost: main] child pid 14952 exit signal Segmentation fault (11)
along with
Directory does not exist for read/write [.../oracle/middleware/Oracle_WT1/log] []
in OHS_HOME/network/log/sqlnet.log
After changing file permission of OHS directory appropriately. This issue got resolved for me.