1

I am wondering how I can know what host an event in httpd's access/error logs corresponds with once that data is brought into CloudWatch. I use virtual hosts on apache. I currently have a file per vhost like so...

/var/log/httpd/access/site1.log
/var/log/httpd/access/site2.log

I am using CloudWatch Agent configuration like this:

[[inputs.logfile.file_config]]
      file_path = "/var/log/httpd/access/*.log"
      from_beginning = true
      log_group_name = "apache-access"
      log_stream_name = "i-012345..."
      pipe = false

Other than creating a configuration block for every single file, are there options to add a dimension to the logs I create in CloudWatch that denotes the virtual host?

Is the filename a variable that can be used in the conf perhaps?... log_group_name = "apache-access/{logfile}" or something like that?

I suppose an alternative is writing all vhosts to the same log files and then using an Environment Variable in my log format - but I think that would only work with access logs and not error logs.

What is my best strategy here?

I am migrating this from an ELK stack where the filename was being leveraged in the event data.

ficuscr
  • 115
  • 7
  • 1
    I wonder if the apache config can include that information, either as a variable or as static text. The host that serviced the request is probably not information that's often used, when infrastructure is treated as cattle rather than pets. – Tim Nov 02 '21 at 02:10

1 Answers1

0

I was able to confirm that SetEnv variables are not available in the error log format. Setting a static value in the error log's format per virtual host looked like it was heading to same dead-end as the error log wants to be defined earlier on. I didn't actually try setting that in the vhosts though.

Anyway, one easy solution was to use the Host value from the request header as described here: Logformat for catching asked hostname in a *.domain.com scenario?

Not the same value but perhaps more useful ultimately with my free range chickens. Would still be curious if there is a way to leverage the filename as a dimension using cloudwatch agent/conf.

ficuscr
  • 115
  • 7