From wiki.mikejung.biz


Configure Syslog to forward logs to remote server

To set up forwarding to a remote server, edit the file listed below and enter the IP address of the server that you want to forward the logs to. Restart syslogd after you edit the file to apply the new settings.

vim /etc/syslog.conf

Add the line:

*.*                     @$IPaddress

Then restart syslogd.


Default logrotate configuration files

By default, the logrotate configuration files are as follows:

/etc/logrotate.conf # Main conf file.

/etc/logrotate.d/* # The configuration files for each service.

Rotating apache logs

How can I rotate Apache logs easily and regularly?

Insert the following code into /etc/logrotate.d/apache (only include the domlog directories if cpanellogd/awstats are disabled):

/usr/local/apache/logs/*log  {
    rotate 3
    postrotate
        /bin/kill -HUP `cat /usr/local/apache/logs/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

No postrotate

Notice that this rotate configuration has a postrotate script (/bin/kill -HUP `cat /usr/local/apache/logs/httpd.pid 2>/dev/null` 2> /dev/null || true). It signals Apache so that it reopens its log files and a current log stays in place; without postrotate you may see that the error log is rotated but a new error log file is not generated. If the rotate configuration file you are creating has no postrotate script, you may need to use an option called "create" to create a new log file. Test it and make sure a log file exists afterwards. Some software or services will not generate a new log file if one does not exist.

Then run "logrotate -f /etc/logrotate.d/apache". This will rotate and compress the existing logs. Logs will rotate weekly from that time on.

  • Alternate configuration for /etc/logrotate.d/apache
 /usr/local/apache/logs/error_log {
    rotate 4
    postrotate
        /usr/local/apache/bin/apachectl graceful
    endscript
 }

You will need to set up a block for each log file, or modify the first line of the block to include the other log files.

Always test your work. Run:

logrotate -f /etc/logrotate.d/filename



Log Locations

Nginx Logs

Nginx Error Log Location

  • This is the main error log. Generally only severe errors are going to show up here.


Nginx vhost-error_log Location

  • This is the error log used by each domain. It is more in line with some of the errors you will see in /usr/local/apache/logs/error_log: missing files, bad permissions, etc.


Nginx domlogs Location

  • Each domain will have its own file here. Same as domlogs for Apache.


cPanel, WHM and webmail


cPanel Login Log File Location

  • Login attempts to cPanel


cPanel Account and Misc Log File Location

  • Account transfers and Misc. logs


cPanel User Bandwidth Usage Log File Location

  • Per-account bandwidth history


cPanel Service Status Log File Location

  • Service status logs


cPanel Error Log File Location

  • cPanel error log


cPanel Panic Log File Location

  • cPanel panic log


cPanel Backup Log File Location

  • Backup logs


cPanel Update Log File Location

  • Update log


cPanel Mailman Log File Location

  • Mailman Logs


cPanel Audit Log File Location

  • Auditing log (account creation, deletion, modification, etc.)


cPanel Access Log File Location

  • Access log and user actions in cPanel


cPanel Website Stats Log File Location

  • Website statistics logs


cPanel License Log File Location

  • License updates and errors


cPanel cPHulkD Log File Location

  • cPHulkD log


cPanel cPHulkD Error Log File Location

  • cPHulkD error log


cPanel Tailwatch Log File Location

  • Tailwatch driver (tailwatchd) log


cPanel EasyApache Build Log File Location

  • EasyApache build logs


cPanel Installation Log File Location

  • Installation log


cPanel SquirrelMail Log File Location

  • SquirrelMail


cPanel Roundcube Log File Location

  • RoundCube


cPanel Horde Log File Location

  • Horde


Scripts to Parse Apache Dom Logs

This command takes the first field (the IP address) from each entry in a dom log and counts the connections per IP:

cat domain.com | awk '{ print $1 }' | sort | uniq -c | sort -rn

This can be used to find out which sites are acting as referrers to the site on the server. Sometimes they are legitimate, other times not.

grep 17/Jul/2012 /usr/local/apache/domlogs/domain.com | grep -v http://www.domain.com | grep -v Monitor | egrep -o '(GET|POST) [[:alnum:][:graph:]]*' | sort | uniq -c | sort -rn | head
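
The pipeline above lists the requests made on a given day by hits that did not come from the site itself. As an added example (not from the original page), the function below counts the referring hosts themselves, assuming the domlog uses the Apache combined format; the function names, the sample log lines and the bare-domain argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: count external referrer hosts per day from an Apache
# combined-format domlog read on stdin. The Referer header is supplied by the
# client, so treat the result as a lead for investigation, not as proof.

# Constructed sample lines (documentation IP ranges, made-up hosts).
sample_domlog() {
    cat <<'EOF'
198.51.100.7 - - [17/Jul/2012:09:14:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "http://www.domain.com/" "Mozilla/5.0"
203.0.113.9 - - [17/Jul/2012:09:14:05 -0400] "GET /contact.php HTTP/1.1" 200 2048 "http://referrer-a.example/links.html" "Mozilla/5.0"
203.0.113.9 - - [17/Jul/2012:09:15:11 -0400] "POST /contact.php HTTP/1.1" 200 310 "http://Referrer-A.example:8080/links.html?x=1" "Mozilla/5.0"
192.0.2.44 - - [17/Jul/2012:10:02:40 -0400] "GET /img/logo.png HTTP/1.1" 200 901 "https://referrer-b.example/" "Mozilla/5.0"
192.0.2.44 - - [17/Jul/2012:10:03:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "Monitor/1.0"
192.0.2.45 - - [18/Jul/2012:00:00:03 -0400] "GET / HTTP/1.1" 200 5120 "http://referrer-c.example/" "Mozilla/5.0"
EOF
}

# top_referrers DAY OWN_DOMAIN < domlog
#   DAY is the date as logged (17/Jul/2012); OWN_DOMAIN is given without "www.".
top_referrers() {
    awk -F'"' -v day="$1" -v own="$2" '
        # Split on double quotes: $1 = ip/ident/user/[time], $2 = request, $4 = referer.
        # Limitation: a request line containing an escaped quote shifts the fields.
        index($1, "[" day ":") == 0 { next }   # entry from another day
        $4 == "" || $4 == "-"       { next }   # no referer sent
        {
            host = tolower($4)
            sub("^[a-z]+://", "", host)        # drop the scheme
            sub("[/:?#].*$", "", host)         # drop port, path, query, fragment
            bare = host
            sub("^www[.]", "", bare)
            if (host == "" || bare == tolower(own)) next   # the site itself
            count[host]++
        }
        END { for (h in count) printf "%d %s\n", count[h], h }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server, redirect a real domlog instead.
sample_domlog | top_referrers 17/Jul/2012 domain.com
```

On a server the same function reads a real log, for example `top_referrers 17/Jul/2012 domain.com < /usr/local/apache/domlogs/domain.com`.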