Where I work, we have a lot of servers to maintain, and only 2 server admins (me and my colleague). We use Nagios to keep us informed about the server status and Logwatch to analyze the server logs on a daily basis.
Each server hosts a lot of subdomains/vhosts, and each of these virtual hosts writes to its own log (blog.jachim.be_acces_log, www.jachim.be_error_log, etc…).
The log entries look like this:
    192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET /a/i/red_cube.png HTTP/1.0" 200 190
    192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET /a/i/search/search_icon.gif HTTP/1.0" 200 428
    192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET /index.php HTTP/1.0" 200 6541
When Logwatch merges all the httpd log files, the host information (in the log filename) is lost, resulting in Logwatch reports like this:
    Requests with error response codes
       401 Unauthorized
          /: 4 Time(s)
          /a/i/blue_cube.png: 1 Time(s)
          /favicon.ico: 2 Time(s)
          /wp/login: 2 Time(s)
          ...
We actually want reports like this:
    Requests with error response codes
       401 Unauthorized
          www.jachim.be/: 4 Time(s)
          jachim.be/a/i/blue_cube.png: 1 Time(s)
          blog.jachim.be/favicon.ico: 2 Time(s)
          blog.jachim.be/wp/login: 2 Time(s)
          ...
Now we have all the information we want and can fix possible problems much more easily.
Because this is not possible in Logwatch itself (see mailing list), I’ve added the host to the Apache logs instead.
I’ve added a new LogFormat named logwatch in httpd.conf:

    LogFormat "%h %l %u %t \"%m %{Host}i%U%q %H\" %>s %b" logwatch
Now the new format is available and can be used in the Virtual Host:

    CustomLog logs/www.jachim.be-access_log logwatch
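To show what the new format makes possible, here is an added example (not part of the original post and not Logwatch code): a parser for lines written in the logwatch format that counts error responses per host and path. KNOWN_VHOSTS, the "(unlisted host)" label and the sample lines are assumptions; because %{Host}i records whatever Host header the client sent, values outside the known vhosts are grouped under one label rather than reported as if they were real sites.

```python
import re
from collections import Counter, defaultdict

# Lines written by the page's format:
#   LogFormat "%h %l %u %t \"%m %{Host}i%U%q %H\" %>s %b" logwatch
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumption: the vhosts this server really serves.
KNOWN_VHOSTS = {"www.jachim.be", "jachim.be", "blog.jachim.be"}
UNLISTED = "(unlisted host)"

def split_target(target):
    """Split the '%{Host}i%U%q' field into (host, path)."""
    host, slash, rest = target.partition("/")
    host = host.lower().split(":")[0]      # Host is case-insensitive; drop any port
    path = (slash + rest).split("?")[0]    # group by path, ignore the query string
    return host, path

def error_report(lines):
    """Return {status: Counter({'host/path': hits})} for 4xx/5xx responses."""
    report = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # line is not in the logwatch format
        status = int(m["status"])
        if status < 400:
            continue
        host, path = split_target(m["target"])
        if host not in KNOWN_VHOSTS:        # client-supplied value: do not trust it
            host = UNLISTED
        report[status][host + path] += 1
    return report

# Constructed sample lines in the logwatch format (not real traffic).
SAMPLE = """\
192.168.200.6 - - [10/Nov/2009:09:55:41 +0100] "GET www.jachim.be/ HTTP/1.0" 401 190
192.168.200.6 - - [10/Nov/2009:09:55:42 +0100] "GET WWW.jachim.be:80/ HTTP/1.0" 401 190
192.168.200.6 - - [10/Nov/2009:09:55:43 +0100] "GET blog.jachim.be/wp/login?x=1 HTTP/1.0" 401 428
192.168.200.6 - - [10/Nov/2009:09:55:44 +0100] "GET blog.jachim.be/index.php HTTP/1.0" 200 6541
192.168.200.6 - - [10/Nov/2009:09:55:45 +0100] "GET made-up.example/favicon.ico HTTP/1.0" 404 -
"""

if __name__ == "__main__":
    for status, hits in sorted(error_report(SAMPLE.splitlines()).items()):
        print(status)
        for url, n in hits.most_common():
            print(f"   {url}: {n} Time(s)")
```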