LogLogic Apache Web Server Log Configuration Guide

Document Release: September 2011
Part Number: LL60009-00ELS090001

This manual supports LogLogic Apache Web Server Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.
© 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
www.loglogic.com
Contents

Preface
    About This Guide
    Technical Support
    Documentation Support
    Conventions

Chapter 1 Configuring LogLogic's Apache Web Server Log Collection
    Introduction to Apache Web Server
    Prerequisites
    Configuring Apache Web Server
        Configuring httpd.conf to Enable Combined/Common Log Format
        Configuring httpd.conf for Log Rotation
    Enabling the LogLogic Appliance to Capture Log Data
        Configuring the LogLogic Appliance for File Collection
        Adding an Apache Web Server Device
        Creating File Transfer Rules
    Verifying the Configuration

Chapter 2 How LogLogic Supports Apache Web Server
    How LogLogic Captures Apache Web Server Log Data
    Supported Apache Web Server Access Log Data
    LogLogic Real-Time Reports
    LogLogic Search Filters

Chapter 3 Troubleshooting and FAQ
    Troubleshooting
        Problems Retrieving Log Files Using Configured File Transfer Rules
    Frequently Asked Questions

Appendix A Event Reference
    LogLogic Support for Apache Web Server Events
Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Apache Web Server enables LogLogic Appliances to capture logs from machines running Apache Web Server. Once the logs are captured and parsed, you can generate reports and create alerts on Apache Web Server's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

- Telephone: Toll Free 1-800-957-LOGS
- Local: 1-408-834-7480
- EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
- Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:

- Your name, email address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

    username: system
    home directory: home\app

- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

    LogLogic_home_directory\upgrade\

- Straight brackets signal options in command-line syntax. For example:

    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1 Configuring LogLogic's Apache Web Server Log Collection

This chapter describes the configuration steps that enable a LogLogic Appliance to capture Apache Web Server logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Apache Web Server access log data.

- Introduction to Apache Web Server
- Prerequisites
- Configuring Apache Web Server
- Enabling the LogLogic Appliance to Capture Log Data
- Verifying the Configuration

Introduction to Apache Web Server

LogLogic supports the capture and analysis of Apache Web Server access logs. The access log includes information about user requests processed by the server. The location and content of the access log are controlled by the CustomLog directive in the Apache Web Server configuration file (i.e., httpd.conf). The LogFormat directive can be used to simplify the selection of the contents of the logs.

Access logs can be obtained in two formats based on the configuration: common log format and combined log format. The combined log format is exactly the same as the common log format, with the addition of two fields (i.e., the Referer and User-Agent HTTP request headers). The common log format is enabled by default, while the combined log format must be enabled by modifying the configuration file.

The LogLogic Appliance captures access log data from the Apache Web Server by file pull using a file transfer rule. The configuration procedures for Apache Web Server and the LogLogic Appliance depend upon the log format used within your environment. For more information, see "How LogLogic Captures Apache Web Server Log Data".

Prerequisites

Prior to configuring Apache Web Server and the LogLogic Appliance, ensure that you meet the following prerequisites:

- Apache HTTP Server version 2.x or later installed on a UNIX system (i.e., Solaris, AIX, Linux, etc.), Microsoft Windows, or Novell NetWare
- Read and Write permissions on Apache Web Server log files
- Proper access permissions to make configuration changes
- 3rd-party FTP, FTP(S), HTTP(S), CIFS, SCP, and/or SFTP server software installed for any platform that does not have these capabilities by default. For more information, see "Configuring the LogLogic Appliance for File Collection".
- LogLogic Appliance running Release 5.1 or later installed with a Log Source Package that includes Apache Web Server support
- Administrative access on the LogLogic Appliance
Configuring Apache Web Server

This section describes the configuration required on Apache Web Server to enable the different logging formats and log rotation.

Configuring httpd.conf to Enable Combined/Common Log Format

The combined log format is not enabled by default. To enable the combined log format, changes to the httpd.conf file are required. This file is located in the following directory:

    Apache root directory/conf/httpd.conf

Open the file in a text editor and make the following changes:

    <IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    #LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Note: When entering a file path on non-UNIX platforms, make sure that only forward slashes are used even though the platform may allow the use of backslashes.

Configuring httpd.conf for Log Rotation

For log rotation, a tool named rotatelogs is used in conjunction with the CustomLog directive in the httpd.conf file. The rotatelogs tool is available by default with Apache Web Server. In the configuration examples given below, the file is rotated every 1 hour or when the size of the log file reaches 5 MB, whichever condition occurs earlier. The filename carries a timestamp in the following syntax, for example:

    accesslog.year month day hour min secs.log

Example 1 Common Log format

    #
    # The location and format of the access logfile (Common Logfile Format).
    # The leading | pipes log entries to the rotatelogs program.
    #
    CustomLog "|/usr/apache/bin/rotatelogs /www/logs/accesslog.%Y%m%d%H%M%S.log 3600 5M" common

Example 2 Combined Log format

    #
    # The location and format of the access logfile (Combined Logfile Format).
    # The leading | pipes log entries to the rotatelogs program.
    #
    CustomLog "|/usr/apache/bin/rotatelogs /www/logs/accesslog.%Y%m%d%H%M%S.log 3600 5M" combined
    </IfModule>

Note: After the configuration files are changed, the Apache Web Server must be restarted for any modified options to take effect.

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Apache Web Server log data.

Configuring the LogLogic Appliance for File Collection

The LogLogic Appliance captures Apache Web Server logs using file pull functionality via a file transfer rule. If the host machine where Apache Web Server is installed does not have file transfer functionality by default, you can use one of the following deployment options for log file collection:

- Install 3rd-party file transfer software (or create a script to handle file transfers) on the host machine where Apache Web Server is installed
- Configure a remote Host Server with file transfer capability to capture log files from the Apache Web Server host machine

Once the file transfer capability on the host machine or the remote Host Server is properly configured, you can create file transfer rules on the LogLogic Appliance for each log file you want to capture. The LogLogic Appliance pulls the log files via a supported file transfer protocol such as SFTP, SCP, FTP(S), HTTP(S), etc. For more information, see the LogLogic Administration Guide.

Note: Although the LogLogic Appliance supports a variety of file transfer protocols, LogLogic recommends that you use a secure protocol (such as SFTP or SCP) for transferring files.

Capturing Apache Web Server Log Data via SFTP

The following procedure explains, at a high level, how to configure your environment to capture file-based log messages via SFTP.
LogLogic recommends using SFTP for Windows-based systems, or SCP for UNIX-based systems, to securely transfer files to the LogLogic Appliance from your log source. However, you can use any of the LogLogic-supported protocols in your environment (i.e., FTP(S), HTTP(S), SCP, etc.).

Note: For more information on each supported protocol, including whether a Public Key Copy is needed and what search methods (i.e., CSV, Wildcard) are available, see the LogLogic Administration Guide.
To enable the LogLogic Appliance to capture log data via SFTP:

1. Make sure that a destination directory (i.e., log directory) exists and is accessible on the host machine where Apache Web Server is installed. The destination directory should contain the original log files that Apache Web Server generates.

2. Transfer the Apache Web Server log files to a separate publishing directory on the host machine or on a remote Host Server. You can use a script or 3rd-party software that makes a copy of or moves the log files from the destination directory (i.e., log directory) to the publishing directory. In addition, if you are using a script, you can specify the schedule for when the script runs (e.g., hourly, daily, or weekly).

   Note: If you are using a remote Host Server to transfer logs to the LogLogic Appliance, LogLogic recommends that you define a clean-up process to handle old log files that accumulate over time.

3. On the LogLogic Appliance, add the Apache Web Server to the Appliance as a new device. For more information, see "Adding an Apache Web Server Device".

4. Create a file transfer rule and specify SFTP as the Protocol. For more information, see "Creating File Transfer Rules".

   IMPORTANT! SCP and SFTP have limitations in their ability to pull a large number of files (100 or more). LogLogic recommends that you compress the files into a single file (such as .tar or .tar.gz) before the files are pulled by the LogLogic Appliance.

5. File transfer rules using SFTP as the protocol require a public key copy from the LogLogic Appliance. You need to copy the Appliance's public key to the Apache Web Server host machine or the remote Host Server. For more information on public key copy, see the LogLogic Administration Guide.

Adding an Apache Web Server Device

LogLogic captures Apache Web Server access log files using the file pull functionality via a file transfer rule. You must add the server as a new device so LogLogic can properly handle the log file data to make it available through reports and searching. Once you have successfully added an Apache Web Server device, you must configure file transfer rules for file collection. For more information, see "Configuring the LogLogic Appliance for File Collection".

To add an Apache Web Server as a new device:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Device tab appears.

3. Click Add New. The Add Device tab appears.

   Figure 1 Adding a Device to the LogLogic Appliance

4. Type in the following information for the device:

   - Name: Name for the Apache WebServer device
   - Description (optional): Description of the Apache WebServer device
   - Device Type: Select Apache WebServer from the drop-down menu
   - Host IP: IP address of the machine hosting the Apache Web Server log data (this can be a remote Host Server or the host machine where Apache Web Server is installed)
   - Enable Data Collection: Select the Yes radio button
   - Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

5. Click Add.

6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. (See Figure 4.)

After you add the new device, you can configure the LogLogic Appliance by setting up file transfer rules. For information on configuring the LogLogic Appliance to capture Apache Web Server log messages, see "Configuring the LogLogic Appliance for File Collection".

Creating File Transfer Rules

After you add your Apache Web Server device, you can create a file transfer rule for the log files. File transfer rules enable the LogLogic Appliance to pull files from the host machine or remote Host Server publishing the Apache Web Server log files.

LogLogic supports the following wildcards: * (asterisk), ? (question mark), and [...] (open and close brackets) using directory queries. If you use wildcards, you must enable directory listing on your host machine or remote Host Server.
Examples:

    file
    /foo/file, /bar/*.log
    /foo?/bar*/*.aud, /foo1/file1.tar.gz, /foo1/file2.z
    /foo[2-8]/bar*/net*.log

LogLogic can pull and decompress archive files, extract individual files from the archive files, and then process the individual files. The following file types are supported: .tar.bz2, .tar.gz, .tar.z, .tgz, .taz, .tar, .gz, .z, .zip. For more information, see the LogLogic Administration Guide.

To create a file transfer rule:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices.

3. Select the File Transfer Rules tab.

4. Add a rule for the Apache Web Server log files you want to capture by completing the following steps:

   a. From the Device Type drop-down menu, select Apache WebServer.
   b. From the Device drop-down menu, select the appropriate Apache WebServer device.

   Figure 2 File Transfer Rules Tab

   Note: If you have added only one Apache Web Server device, the device name is automatically added.

5. Click Add New then enter the appropriate information for the following required fields:

   - Rule Name: Name of the transfer rule (e.g., Apache WebServer Access Logs)
   - Protocol: Specify the appropriate protocol (e.g., SFTP, SCP, FTP(S), etc.)

     Note: LogLogic recommends using a secure file transfer protocol, such as SFTP for Windows-based devices or SCP for UNIX-based devices. If you are using SFTP or SCP, you must copy the Appliance's public key to the machine where the logs are located. For more information, see "Configuring the LogLogic Appliance for File Collection" and the LogLogic Administration Guide.

   - User ID: Specify only if the protocol requires a User ID
   - Password/Verify Password: Specify only if required for the User ID
   - Files: Full path (after the IP address) to the Host Server where the Apache Web Server log files are located. For example: /log/file_name.log. To capture all logs in a specific directory, specify the asterisk (*) wildcard. For example: /log/*.log. The server can be the host machine where the device is installed or a remote Host Server with file transfer functionality. For more information, see "Configuring the LogLogic Appliance for File Collection".
   - File Format: Select Apache WebServer Log from the drop-down menu
   - Collection Time: Specify the time you want to retrieve the log file
   - Use Advanced Duplication Detection: Select the Yes radio button if you want the LogLogic Appliance to check for duplicate data while capturing the Apache WebServer logs.
   - Enable: Select the Yes radio button to enable the file transfer rule

6. Click Add.

   Figure 3 Add File Transfer Rule Tab
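
The staging step of the SFTP procedure (step 2, together with the single-archive recommendation and the clean-up note), as an added example that is not part of the LogLogic guide: it bundles closed rotated logs into one .tar.gz that a file transfer rule can pull, and prunes old archives. The published/ holding directory, the accesslog-<timestamp>.tar.gz archive name and the 7-day retention are assumptions; the accesslog.*.log pattern follows the rotatelogs examples in this guide.

```python
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

LOG_GLOB = "accesslog.*.log"         # rotatelogs file naming from the CustomLog examples
ARCHIVE_GLOB = "accesslog-*.tar.gz"  # assumed archive naming in the publishing directory


def publish_rotated_logs(log_dir, publish_dir, keep_days=7, now=None):
    """Bundle closed rotated logs into one archive and prune old archives.

    Returns (archive_path_or_None, [names_of_pruned_archives]).
    """
    log_dir, publish_dir = Path(log_dir), Path(publish_dir)
    now = time.time() if now is None else now
    publish_dir.mkdir(parents=True, exist_ok=True)
    done_dir = log_dir / "published"   # assumed holding directory for bundled originals
    done_dir.mkdir(exist_ok=True)

    # Timestamped names sort chronologically. The newest file is still being
    # written by rotatelogs, so it is left for the next run. Symlinks are
    # skipped so nothing outside the log directory is picked up.
    candidates = sorted(p for p in log_dir.glob(LOG_GLOB)
                        if p.is_file() and not p.is_symlink())
    closed = candidates[:-1]

    archive = None
    if closed:
        stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
        archive = publish_dir / f"accesslog-{stamp}.tar.gz"
        tmp = publish_dir / f".{archive.name}.tmp"
        with tarfile.open(tmp, "w:gz") as tar:
            for path in closed:
                tar.add(path, arcname=path.name)  # flat names, no host paths in the archive
        os.chmod(tmp, 0o640)       # owner read/write, group read, no access for others
        os.replace(tmp, archive)   # atomic rename: a pull never sees a partial archive
        for path in closed:
            # Originals are kept (moved aside) so they are not bundled twice.
            shutil.move(str(path), str(done_dir / path.name))

    # Clean-up process for archives that accumulate in the publishing directory.
    cutoff = now - keep_days * 86400
    pruned = []
    for old in sorted(publish_dir.glob(ARCHIVE_GLOB)):
        if old != archive and old.stat().st_mtime < cutoff:
            old.unlink()
            pruned.append(old.name)
    return archive, pruned


if __name__ == "__main__":
    # Constructed demo: three rotated files in a temporary directory.
    with tempfile.TemporaryDirectory() as root:
        logs = Path(root, "logs")
        logs.mkdir()
        for stamp in ("20110901100000", "20110901110000", "20110901120000"):
            (logs / f"accesslog.{stamp}.log").write_text("constructed sample line\n")
        archive, pruned = publish_rotated_logs(logs, Path(root, "publish"))
        print("published:", archive.name, "pruned:", pruned)
```

Run it from a scheduler at the interval chosen in step 2, and point the Files field of the transfer rule at the publishing directory with a wildcard that matches only the finished .tar.gz names.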
Verifying the Configuration

This section describes how to verify that the configuration changes made to Apache Web Server and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.

   Figure 4 Log Source Status - Apache WebServer Added

3. Locate the IP address for each Apache WebServer device.

If the device name (Apache WebServer) appears in the list of devices, then the configuration is correct.

If the device does not appear in the Log Source Status tab, check the Apache WebServer logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Apache WebServer configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Apache Web Server by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see "LogLogic Real-Time Reports".

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see "Troubleshooting" for more information.
Chapter 2 How LogLogic Supports Apache Web Server

This chapter describes LogLogic's support for Apache Web Server. LogLogic enables you to capture log data to monitor Apache Web Server events. LogLogic supports Apache Web Server logs.

- How LogLogic Captures Apache Web Server Log Data
- Supported Apache Web Server Access Log Data
- LogLogic Real-Time Reports
- LogLogic Search Filters

How LogLogic Captures Apache Web Server Log Data

By default, Apache Web Server access log data is recorded in a file named access_log.txt. The access_log.txt file is located in the Apache Web Server's installation directory within the Logs directory. LogLogic enables you to capture the log data in text format from a remote file system using SFTP, SCP, FTP(S), HTTP(S), etc.

The LogLogic Appliance uses file pulling to capture Apache Web Server log messages. Log files that are unchanged since the last pull are excluded from collection to eliminate duplication. File pulling maintains a record of log files identified on the database to allow conversion. All log messages are pulled from the specified path where the converted log files are stored.

Note: LogLogic enables you to collect Apache Web Server log messages at a configurable time (e.g., every x minutes, at an hourly interval, daily at a specified time, or weekly at a specified date and time).

Figure 5 provides a deployment example for capturing Apache Web Server log messages. An SFTP server is used as a remote Host Server in the example. If the host machine for the log source has built-in SFTP, SCP, FTP(S), HTTP(S), etc., server functionality, a remote Host Server is not a mandatory component. For more information, see "Configuring the LogLogic Appliance for File Collection".

Figure 5 Apache Web Server with LogLogic Components and Processes for File-Based Log Collection

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Apache Web Server. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Note: When a log file is transferred, each file contains a timestamp which consists of a date and time. The timestamp refers to the file creation date and time for a particular message in the file. For a listing of LogLogic supported date and time formats, see the LogLogic Administration Guide.

Supported Apache Web Server Access Log Data

LogLogic enables you to capture Apache Web Server access log data. There are five event categories of access records that can be generated for Apache Web Server:

- Informational
- Successful
- Redirection
- Server Error
- Client Error

Table 1 lists the Apache Web Server access messages that are supported by the LogLogic Appliance.

Note: The LogLogic Appliance captures all messages from the Apache Web Server logs, but includes only specific messages for report/alert generation. For more information, see "Apache Web Server Events" for sample log messages for each event and the event-to-category mapping.
LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Apache Web Server log data. The following Real-Time Reports are available:

- All Unparsed Events - Displays data for all events retrieved from the Apache Web Server log for a specified time interval
- Web Cache Activity - Displays locally-stored web information served during a specified time interval
- Web Surfing Activity - Displays web information served during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.

2. Click Network Activity. The following Real-Time Reports are available:

   - Web Cache Activity
   - Web Surfing Activity

3. Click Operational. The following Real-Time Reports are available:

   - All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Search Filters

LogLogic provides pre-configured Search Filters for Apache Web Server log data. Search Filters are used to filter report data and create alerts.

To access Search Filters:

1. From the navigation menu, select Search.

2. Select Search Filters. The following Search Filters are available:

   - Apache: 3xx - Redirected - Displays information about Apache Web Server HTTP Error 3xx - Page Redirected errors
   - Apache: 403 - Forbidden - Displays information about Apache Web Server HTTP Error 403 - Access Denied/Forbidden errors
   - Apache: 404 - Not Found - Displays information about Apache Web Server HTTP Error 404 - Page Not Found errors
   - Apache: 4xx & 5xx Page Retrieve - Displays information about Apache Web Server HTTP 4xx & 5xx - Page Retrieving errors

For more information on Search Filters, reports, and alerts, see the LogLogic User Guide and LogLogic Online Help.
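
To check what a collected access log will contribute to these categories and filters before it reaches the Appliance, the following added example (not LogLogic code) parses both the common and the combined format defined by the LogFormat lines in Chapter 1 and tallies each record by event category and by Search Filter name. The sample lines are constructed, and the status-code ranges behind each filter are an assumption inferred from the filter names.

```python
import re
from collections import Counter

# Body of a quoted field; Apache writes an embedded double quote as \".
QUOTED = r'(?:[^"\\]|\\.)*'

# %h %l %u %t "%r" %>s %b, optionally followed by "%{Referer}i" "%{User-Agent}i".
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')")?$'
)

# The five event categories listed in this chapter, keyed by status class.
CATEGORIES = {1: "Informational", 2: "Successful", 3: "Redirection",
              4: "Client Error", 5: "Server Error"}


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not a valid record."""
    match = LINE_RE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    rec = match.groupdict()
    rec["format"] = "combined" if rec["agent"] is not None else "common"
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for 0
    rec["category"] = CATEGORIES.get(rec["status"] // 100, "Unknown")
    return rec


def search_filters(status):
    """Search Filter names a status falls under (ranges assumed from the names)."""
    hits = []
    if 300 <= status <= 399:
        hits.append("Apache: 3xx - Redirected")
    if status == 403:
        hits.append("Apache: 403 - Forbidden")
    if status == 404:
        hits.append("Apache: 404 - Not Found")
    if 400 <= status <= 599:
        hits.append("Apache: 4xx & 5xx Page Retrieve")
    return hits


def summarize(lines):
    """Tally formats, categories and filter hits; keep lines that fail to parse."""
    out = {"formats": Counter(), "categories": Counter(),
           "filters": Counter(), "unparsed": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"].append(line)   # never drop these silently
            continue
        out["formats"][rec["format"]] += 1
        out["categories"][rec["category"]] += 1
        out["filters"].update(search_filters(rec["status"]))
    return out


# Constructed sample input: three common-format and three combined-format
# records plus one malformed line.
SAMPLE_LINES = r'''
192.0.2.10 - - [01/Sep/2011:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Sep/2011:10:00:02 -0700] "GET /logo.png HTTP/1.1" 304 -
192.0.2.11 - - [01/Sep/2011:10:00:03 -0700] "GET /old-page HTTP/1.0" 301 236
192.0.2.12 - - [01/Sep/2011:10:00:04 -0700] "GET /missing.html HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.12 - alice [01/Sep/2011:10:00:05 -0700] "GET /private/ HTTP/1.1" 403 199 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.13 - - [01/Sep/2011:10:00:06 -0700] "POST /form HTTP/1.1" 500 530 "-" "agent \"with quotes\""
this line is not an access record
'''.strip().splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for key in ("formats", "categories", "filters"):
        print(key, dict(summary[key]))
    print("unparsed", summary["unparsed"])
```

A non-empty unparsed list usually means the LogFormat in httpd.conf differs from the common or combined definition.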
Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Apache Web Server. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

- Troubleshooting
- Frequently Asked Questions

Troubleshooting

Is your version of Apache Web Server supported?

For more information, see "Prerequisites".

Is your LogLogic Appliance running Release 5.1 or later?

If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?

Check to make sure that the LSP that is installed includes support for Apache Web Server. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Apache Web Server events are not appearing on the LogLogic Appliance...

You need to verify whether the LogLogic Appliance is receiving the logs correctly. For more information, see "Problems Retrieving Log Files Using Configured File Transfer Rules". Also, make sure that you are using the proper log format (common or combined) and that you have properly configured log rotation on Apache Web Server. For more information, see "Configuring Apache Web Server".

Problems Retrieving Log Files Using Configured File Transfer Rules

If you are having general problems retrieving log files using your configured file transfer rules, you might need to verify that your LogLogic Appliance is receiving Apache Web Server logs as scheduled.

To verify that the LogLogic Appliance is receiving logs correctly:

1. Log in to the LogLogic Appliance managing the Apache Web Server log data.

2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Select the File Transfer Rules tab. The File Transfer Rules tab appears with a table displaying all of your file transfer rules.

4. Find the file-based log data entries.

5. Under the Last Successful Retrieval column, watch for a successful transfer as defined by the Collection Interval mark.

6. Under the Last Attempted Retrieval column, verify that there are no failures.

7. If the Last Attempted Retrieval value is incrementing but the Last Successful Retrieval value is not changing, then the LogLogic Appliance is not receiving logs correctly. If this problem occurs, then complete the following steps:

   a. Verify the path to your log files. If necessary, make appropriate changes.
   b. Verify your user name and password. If necessary, make appropriate changes.

Alternatively, you can run an Index Search against Apache Web Server as follows to check log collection:

1. From the navigation menu, select Search > Index Search.

2. Specify the LogLogic Appliance as the Device Type and choose the appropriate Source Device.

3. Enter your Boolean Search query. For example:

   - To return file collector-related logs, type engine_filecollector
   - To return only Apache entries, type engine_filecollector and Apache

Entries can be found in the /loglogic/status/filecollector_status file.

Frequently Asked Questions

How does the LogLogic Appliance collect logs from Apache Web Server?

Apache Web Server can generate access logs using a combined or common log format. The access log (access_log.txt) is captured by the LogLogic Appliance using file pull via a file transfer rule. For more information, see "How LogLogic Captures Apache Web Server Log Data".

What access permissions are required?

To configure logging on Apache Web Server, the user needs to have Read and Write permissions to edit configuration files.

How do I configure logging on Apache Web Server?

Follow the procedures in "Configuring Apache Web Server". Also make sure that you verify your configuration changes on the LogLogic Appliance (see "Verifying the Configuration").
Appendix A Event Reference

This appendix lists the LogLogic-supported Apache Web Server events. The LogLogic Apache Web Server event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message. All sample log messages were captured by LogLogic's file pull utility.

LogLogic Support for Apache Web Server Events

The following list describes the contents of each of the columns in the table below.

- Event ID: Apache Web Server event identifier
- Agile Reports/Search: Defines if the Apache Web Server event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- Title/Comments: Event name
- Event Category: Category of events such as Informational, Successful, etc.
- Event Type: Type of event such as Info, Success, etc.
- Sample Log Message (Common): Sample Apache Web Server access log messages in common log format
- Sample Log Message (Combined): Sample Apache Web Server access log messages in combined log format
Table 1 Apache Web Server Events

# | Event ID | Agile Reports/Search | Title/Comments | Event Category | Event Type
    Common: Sample Log Message (Common)
    Combined: Sample Log Message (Combined)

1 | 100 | Agile | HTTP_CONTINUE | Informational | Info
    Common: S-->127.0.0.1 - - [22/Dec/2006:12:06:39 +0530] "GET /test/test.html HTTP/1.1" 201 64
    Combined: S-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 100 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0

2 | 101 | Agile | HTTP_SWITCHING_PROTOCOLS | Informational | Info
    Common: S-->127.0.0.1 - - [22/Dec/2006:12:06:39 +0530] "GET /test/test.html HTTP/1.1" 202 64
    Combined: S-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 101 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0

3 | 200 | Agile | HTTP_OK | Successful | Success
    Common: R-->10.201.51.60 - - [27/Jun/2006:12:18:26 +0530] "GET / HTTP/1.0" 200 44
    Combined: R-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 200 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0

4 | 201 | Agile | HTTP_CREATED | Successful | Success
    Common: S-->127.0.0.1 - - [22/Dec/2006:12:06:39 +0530] "GET /test/test.html HTTP/1.1" 201 64
    Combined: S-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 201 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0

5 | 202 | Agile | HTTP_ACCEPTED | Successful | Success
    Common: S-->127.0.0.1 - - [22/Dec/2006:12:06:39 +0530] "GET /test/test.html HTTP/1.1" 202 64
    Combined: S-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 202 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0

6 | 203 | Agile | HTTP_NON_AUTHORITATIVE | Successful | Success
    Common: S-->127.0.0.1 - - [22/Dec/2006:12:06:39 +0530] "GET /test/test.html HTTP/1.1" 203 64
    Combined: S-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 203 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0

7 | 204 | Agile | HTTP_NO_CONTENT | Successful | Success
    Common: S-->127.0.0.1 - - [22/Dec/2006:12:06:39 +0530] "GET /test/test.html HTTP/1.1" 204 64
    Combined: S-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 204 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0

8 | 205 | Agile | HTTP_RESET_CONTENT | Successful | Success
    Common: S-->127.0.0.1 - - [22/Dec/2006:12:06:39 +0530] "GET /test/test.html HTTP/1.1" 205 64
    Combined: S-->10.116.24.52 - - [22/Jan/2007:07:03:57 -0500] "GET /mantis/account_delete.php HTTP/1.1" 205 1938 "http://10.116.28.103:8080/mantis/" "Mozilla/4.0
9 | 206 | Agile | HTTP_PARTIAL_CONTENT | Successful | Success
    Common: R-->209.149.149.133 - - [20/Oct/2003:12:49:23 -0700] "GET /gcs/gc1add.pdf HTTP/1.1" 206 71657

10 | 300 | Agile | HTTP_MULTIPLE_CHOICES | Redirection | Info
    Common: S-->127.0.0.1 - - [27/Jun/2006:13:54:41 +0530] "GET /Redhat HTTP/1.1" 300 232
    Combined: S-->10.116.24.52 - - [29/Jan/2007:12:47:05 -0500] "GET /mantis HTTP/1.1" 300 241 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

11 | 301 | Agile | HTTP_MOVED_PERMANENTLY | Redirection | Info
    Common: R-->crawler8.googlebot.com - - [21/Oct/2003:10:58:38 -0700] "GET /gcs HTTP/1.0" 301 236
    Combined: R-->10.116.24.52 - - [29/Jan/2007:12:47:05 -0500] "GET /mantis HTTP/1.1" 301 241 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

12 | 302 | Agile | HTTP_MOVED_TEMPORARILY | Redirection | Info
    Common: R-->128.95.20.157 - - [21/Oct/2003:10:57:51 -0700] "POST /gcs/form2mail.cgi HTTP/1.1" 302 0
    Combined: S-->10.116.24.52 - - [29/Jan/2007:12:47:05 -0500] "GET /mantis HTTP/1.1" 302 241 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

13 | 303 | Agile | HTTP_SEE_OTHER | Redirection | Info
    Common: S-->127.0.0.1 - - [27/Jun/2006:13:54:41 +0530] "GET /Redhat HTTP/1.1" 303 232
    Combined: S-->10.116.24.52 - - [29/Jan/2007:12:47:05 -0500] "GET /mantis HTTP/1.1" 303 241 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

14 | 304 | Agile | HTTP_NOT_MODIFIED | Redirection | Info
    Common: R-->127.0.0.1 - admin [22/Dec/2006:13:12:58 +0530] "GET /test/test.html HTTP/1.1" 304 -
    Combined: R-->10.116.24.52 - - [29/Jan/2007:12:44:23 -0500] "GET / HTTP/1.1" 304 - "-" "Mozilla/4.0

15 | 305 | Agile | HTTP_USE_PROXY | Redirection | Info
    Common: S-->127.0.0.1 - - [27/Jun/2006:13:54:41 +0530] "GET /Redhat HTTP/1.1" 305 232
    Combined: S-->10.116.24.52 - - [29/Jan/2007:12:47:05 -0500] "GET /mantis HTTP/1.1" 305 241 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

16 | 306 | Agile | Unused | Redirection | Info
    Common: S-->127.0.0.1 - - [27/Jun/2006:13:54:41 +0530] "GET /Redhat HTTP/1.1" 306 232
    Combined: S-->10.116.24.52 - - [29/Jan/2007:12:47:05 -0500] "GET /mantis HTTP/1.1" 306 241 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

17 | 307 | Agile | HTTP_TEMPORARY_REDIRECT | Redirection | Info
    Common: S-->127.0.0.1 - - [27/Jun/2006:13:54:41 +0530] "GET /Redhat HTTP/1.1" 307 232
    Combined: S-->10.116.24.52 - - [29/Jan/2007:12:47:05 -0500] "GET /mantis HTTP/1.1" 307 241 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;

18 | 400 | Agile | HTTP_BAD_REQUEST | Client Error | Error
    Common: R-->192.168.10.1 - - [03/Sep/2002:16:57:13 -0400] "GET / HTTP/1.1" 400 394
    Combined: HTTP/1.1" 400 224 "-" "Mozilla/4.0

19 | 401 | Agile | HTTP_UNAUTHORIZED | Client Error | Error
    Common: R-->127.0.0.1 - - [22/Dec/2006:13:08:52 +0530] "GET /test/test.html HTTP/1.1" 401 401
    Combined: HTTP/1.1" 401 224 "-" "Mozilla/4.0
20 | 402 | Agile | HTTP_PAYMENT_REQUIRED | Client Error | Error
    Common: S-->127.0.0.1 - - [22/Dec/2006:13:08:52 +0530] "GET /test/test.html HTTP/1.1" 402 401
    Combined: HTTP/1.1" 402 224 "-" "Mozilla/4.0

21 | 403 | Agile | HTTP_FORBIDDEN | Client Error | Error
    Common: R-->localhost - - [22/Dec/2006:12:32:25 +0530] "GET /test/test.html HTTP/1.1" 403 216
    Combined: HTTP/1.1" 403 224 "-" "Mozilla/4.0

22 | 404 | Agile | HTTP_NOT_FOUND | Client Error | Error
    Common: R-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 404 221
    Combined: R-->10.116.24.52 - - [22/Jan/2007:07:04:06 HTTP/1.1" 404 224 "-" "Mozilla/4.0

23 | 405 | Agile | HTTP_METHOD_NOT_ALLOWED | Client Error | Error
    Common: R-->152.22.18.16 - - [22/Aug/2005:09:46:17 -0700] "PROPFIND /gcs/grantattachment.doc HTTP/1.1" 405 257
    Combined: HTTP/1.1" 405 224 "-" "Mozilla/4.0

24 | 406 | Agile | HTTP_NOT_ACCEPTABLE | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 406 221
    Combined: HTTP/1.1" 406 224 "-" "Mozilla/4.0

25 | 407 | Agile | HTTP_PROXY_AUTHENTICATION_REQUIRED | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 407 221
    Combined: HTTP/1.1" 407 224 "-" "Mozilla/4.0

26 | 408 | Agile | HTTP_REQUEST_TIMEOUT | Client Error | Error
    Common: R-->192.168.10.1 - - [03/Sep/2002:11:20:25 -0400] "-" 408 -
    Combined: HTTP/1.1" 408 224 "-" "Mozilla/4.0

27 | 409 | Agile | HTTP_CONFLICT | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 409 221
    Combined: HTTP/1.1" 409 224 "-" "Mozilla/4.0

28 | 410 | Agile | HTTP_GONE | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 410 221
    Combined: HTTP/1.1" 410 224 "-" "Mozilla/4.0
29 | 411 | Agile | HTTP_LENGTH_REQUIRED | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 411 221
    Combined: HTTP/1.1" 411 224 "-" "Mozilla/4.0

30 | 412 | Agile | HTTP_PRECONDITION_FAILED | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 412 221
    Combined: HTTP/1.1" 412 224 "-" "Mozilla/4.0

31 | 413 | Agile | HTTP_REQUEST_ENTITY_TOO_LARGE | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 413 221
    Combined: HTTP/1.1" 413 224 "-" "Mozilla/4.0

32 | 414 | Agile | HTTP_REQUEST_URI_TOO_LARGE | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 414 221
    Combined: HTTP/1.1" 414 224 "-" "Mozilla/4.0

33 | 415 | Agile | HTTP_UNSUPPORTED_MEDIA_TYPE | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 415 221
    Combined: HTTP/1.1" 415 224 "-" "Mozilla/4.0

34 | 416 | Agile | HTTP_RANGE_NOT_SATISFIABLE | Client Error | Error
    Common: S-->host213.200.73.37.adsl.ifxnw.cl - - [16/Dec/2005:15:30:13 -0800] "GET /gcs/gc1add.pdf HTTP/1.1" 416 0
    Combined: HTTP/1.1" 416 224 "-" "Mozilla/4.0

35 | 417 | Agile | HTTP_EXPECTATION_FAILED | Client Error | Error
    Common: S-->10.115.5.33 - - [27/Jun/2006:17:21:40 +0530] "GET /./RedHat/base/updates.img HTTP/1.0" 417 221
    Combined: HTTP/1.1" 417 224 "-" "Mozilla/4.0

36 | 500 | Agile | HTTP_INTERNAL_SERVER_ERROR | Server Error | Error
    Common: R-->d-128-95-115-93.dhcp4.testlab.com - - [08/Oct/2003:11:47:15 -0700] "POST /gcs/form2mail.cgi HTTP/1.1" 500 -
    Combined: S-->10.116.24.52 - - [22/Jan/2007:06:59:02 -0500] "\x80l\x01\x03" 500 216 "-" "-"

37 | 501 | Agile | HTTP_NOT_IMPLEMENTED | Server Error | Error
    Common: R-->192.168.10.1 - - [03/Sep/2002:11:17:44 -0400] "get" 501 -
    Combined: R-->10.116.24.52 - - [22/Jan/2007:06:59:02 -0500] "\x80l\x01\x03" 501 216 "-" "-"

38 | 502 | Agile | HTTP_BAD_GATEWAY | Server Error | Error
    Common: S-->192.168.10.1 - - [03/Sep/2002:11:17:44 -0400] "get" 502 -
    Combined: S-->10.116.24.52 - - [22/Jan/2007:06:59:02 -0500] "\x80l\x01\x03" 502 216 "-" "-"
39 | 503 | Agile | HTTP_SERVICE_UNAVAILABLE | Server Error | Error
    Common: S-->192.168.10.1 - - [03/Sep/2002:11:17:44 -0400] "get" 503 -
    Combined: S-->10.116.24.52 - - [22/Jan/2007:06:59:02 -0500] "\x80l\x01\x03" 503 216 "-" "-"

40 | 504 | Agile | HTTP_GATEWAY_TIME_OUT | Server Error | Error
    Common: S-->192.168.10.1 - - [03/Sep/2002:11:17:44 -0400] "get" 504 -
    Combined: S-->10.116.24.52 - - [22/Jan/2007:06:59:02 -0500] "\x80l\x01\x03" 504 216 "-" "-"

41 | 505 | Agile | HTTP_VERSION_NOT_SUPPORTED | Server Error | Error
    Common: S-->192.168.10.1 - - [03/Sep/2002:11:17:44 -0400] "get" 505 -
    Combined: S-->10.116.24.52 - - [22/Jan/2007:06:59:02 -0500] "\x80l\x01\x03" 505 216 "-" "-"