Apache - OpenTelemetry Collector
The Apache app is a unified logs and metrics app that helps you monitor the availability, performance, health and resource utilization of Apache web server farms. Preconfigured dashboards and searches provide visibility into your environment for real-time or historical analysis: visitor locations, visitor access types, traffic patterns, errors, web server operations, resource utilization and access from known malicious sources.
The diagram below illustrates the components of the Apache collection for each web server. OpenTelemetry collector runs on the same host as Apache, and uses the Apache Receiver to obtain Apache metrics, and the Sumo Logic OpenTelemetry Exporter to send the metrics to Sumo Logic. Apache logs are sent to Sumo Logic through a filelog receiver.
The Sumo Logic app for Apache assumes:
- The NCSA extended/combined log file format has been configured for Apache access logs and the default error log format for Apache Access logs and Apache Error logs. For a list of metrics that are collected and used by the app, see Apache Metrics.
Fields Creation in Sumo Logic for Apacheβ
Following are the Fields which will be created as part of Apache App install if not already present.
webengine.cluster.name. User configured.Enter a name to uniquely identify your Apache web server cluster. This web server cluster name will be shown in the Sumo Logic dashboards.webengine.system. Has fixed value of apachesumo.datasource. Has fixed value of apachewebengine.node.name. Has the value of host name of the machine which is being monitored
Prerequisitesβ
For metrics collectionβ
The receiver used gets stats from an Apache Web Server instance using the server-status?auto endpoint. This receiver supports Apache Web Server version 2.4+.
Receive server statistics by configuring the server's httpd.conf file to enable status support.
For logs collectionβ
- Configure the Apache log files:
- Configure the logging of access logs and error logs via the instructions described in their documentation.
- Locate your local
httpd.confconfiguration file in the Apache directory. After determining the location of the conf file, modify thehttpd.confconfiguration file logging parameters if required.- For access logs, the following directive is to be noted:
- CustomLog. access log file path and format (standard common and combined)
- For error logs, following directives are to be noted:
- ErrorLog. Error log file path.
- LogLevel. To control the number of messages logged to the
error_log.
- For access logs, the following directive is to be noted:
Ensure that the otelcol has adequate permissions to access all log file paths. Execute the following command for the same:
sudo setfacl -R -m d:u:otelcol-sumo:r-x,u:otelcol-sumo:r-x,g:otelcol-sumo:r-x <PATH_TO_LOG_FILE>
For Linux systems with ACL Support, the otelcol install process should have created the ACL grants necessary for the otelcol system user to access default log locations. You can verify the active ACL grants using the getfacl command. Install the ACL in your Linux environment, if not installed.
The required ACL may not be supported for some rare cases, for example, Linux OS Distro, which is officially not supported by Sumo Logic. In this case, you can run the following command to explicitly grant the permissions.
sudo setfacl -R -m d:u:otelcol-sumo:r-x,d:g:otelcol-sumo:r-x,u:otelcol-sumo:r-x,g:otelcol-sumo:r-x <PATH_TO_LOG_FILE>
Run the above command for all the log files in the directory that need to be ingested, which are not residing in the default location.
If Linux ACL Support is not available, traditional Unix-styled user and group permission must be modified. It should be sufficient to add the otelcol system user to the specific group that has access to the log files.
For Windows systems, log files which are collected should be accessible by the SYSTEM group. Use the following set of PowerShell commands if the SYSTEM group does not have access.
$NewAcl = Get-Acl -Path "<PATH_TO_LOG_FILE>"
# Set properties
$identity = "NT AUTHORITY\SYSTEM"
$fileSystemRights = "ReadAndExecute"
$type = "Allow"
# Create new rule
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
# Apply new rule
$NewAcl.SetAccessRule($fileSystemAccessRule)
Set-Acl -Path "<PATH_TO_LOG_FILE>" -AclObject $NewAcl
Collection configuration and app installationβ
As part of data collection setup and app installation, you can select the App from App Catalog and click on Install App. Follow the steps below.
Step 1: Set up Collectorβ
If you want to use an existing OpenTelemetry Collector, you can skip this step by selecting the Use an existing Collector option.
To create a new Collector:
- Select the Add a new Collector option.
- Select the platform where you want to install the Sumo Logic OpenTelemetry Collector.
This will generate a command that you can execute in the machine environment you need to monitor. Once executed, it will install the Sumo Logic OpenTelemetry Collector.
Step 2: Configure integrationβ
In this step, you will configure the yaml required for Apache Collection.
Below are the inputs required:
- Endpoint. The URL of the httpd status endpoint (default:
http://localhost:8080/server-status?auto). - Access File log Path. Enter the path to the Access log file for your Apache instance.
- Error file log path. Enter the path to the error log file for your Apache instance.
- Fields.
webengine.cluster.name.
You can add any custom fields which you want to tag along with the data ingested in Sumo. Click on the Download YAML File button to get the yaml file.
Step 3: Send logs and metrics to Sumo Logicβ
Once you have downloaded the YAML file as described in the previous step, follow the below steps based on your platform.
- Linux
- Windows
- macOS
- Chef
- Ansible
- Puppet
- Copy the yaml to
/etc/otelcol-sumo/conf.d/folder for the Apache instance which needs to be monitored. - Restart the collector using:
Β sudo systemctl restart otelcol-sumo
- Copy the yaml to
C:\ProgramData\Sumo Logic\OpenTelemetry Collector\config\conf.dfolder in the machine which needs to be monitored. - Restart the collector usingΒ
Restart-Service -Name OtelcolSumo
- Copy the yaml to /etc/otelcol-sumo/conf.d/ folder in the Apache instance which needs to be monitored.
- Restart the otelcol-sumo process using the below command:
Β otelcol-sumo --config /etc/otelcol-sumo/sumologic.yaml --config "glob:/etc/otelcol-sumo/conf.d/*.yaml"
- Copy the yaml file into your Chef cookbook files directory
files/<downloaded_yaml_file>. - Use a Chef file resource in a recipe to manage it.
cookbook_file '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>' do mode 0644 notifies :restart, 'service[otelcol-sumo]', :delayed end - Add the recipe to your collector setup to start collecting the data. Every team typically has their established way of applying the Chef recipe. The resulting Chef recipe should look something like:
cookbook_file '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>' do
mode 0644
notifies :restart, 'service[otelcol-sumo]', :delayed
end
- Place the file into your Ansible playbook files directory.
- Run the Ansible playbook.
ansible-playbook -i inventory install_sumologic_otel_collector.yaml
-e '{"installation_token": "<YOUR_TOKEN>", "collector_tags": {<YOUR_TAGS>}, "src_config_path": "files/conf.d"}'
- Place the file into your Puppet module files directory
modules/install_otel_collector/files/<downloaded_yaml>. - Use a Puppet file resource to manage it.
file { '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>':
ensure => present,
source => 'puppet:///modules/install_otel_collector/<downloaded_yaml_file>',
mode => '0644',
notify => Service[otelcol-sumo],
} - Apply the Puppet manifest. Every team typically has their established way of applying the Puppet manifest. The resulting Puppet manifest should look something like:
node 'default' {
class { 'install_otel_collector'
installation_token => '<YOUR_TOKEN>',
collector_tags => { <YOUR_TAGS> },
}
service { 'otelcol-sumo':
provider => 'systemd',
ensure => running,
enable => true,
require => Class['install_otel_collector'],
}
file { '/etc/otelcol-sumo/conf.d/<downloaded_yaml_file>':
ensure => present,
source => 'puppet:///modules/install_otel_collector/<downloaded_yaml_file>',
mode => '0644',
notify => Service[otelcol-sumo],
}
}
After successfully executing the above command, Sumo Logic will start receiving data from your host machine.
Click Next. This will install the app (dashboards and monitors) to your Sumo Logic Org.
Dashboard panels will start to fill automatically. It's important to note that each panel fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but within 20 minutes, you'll see full graphs and maps.
Sample log messagesβ
192.168.29.177 - - [26/Apr/2021:12:18:32 +0530] "GET /server-status HTTP/1.1" 404 196
[Mon Apr 26 09:52:58.188858 2021] [core:notice] [pid 530] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
Sample queriesβ
Logsβ
This sample Logs Query is from the Top 5 Clients Causing 4xx Errors panel of the Apache - Web server Operations dashboard.
webengine.system=apache webengine.cluster.name=* HTTP (40* OR 41* OR 42* OR 43* OR 44* or 45* or 49*)
| json "log" nodrop | if (_raw matches "{*", log, _raw) as mesg
| parse regex field=mesg "^(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex field=mesg "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP\/[\d\.]+[\\n]*\"\s(?<status_code>\d+)\s(?<size>[\d-]+)" nodrop
| parse regex field=mesg "(?<method>[A-Z]+)\s(?<url>\S+)\sHTTP\/[\d\.]+[\\n]*\"\s(?<status_code>\d+)\s(?<size>[\d-]+)\s\"(?<referrer>.*?)\"\s\"(?<user_agent>.+?)\".*" nodrop
| where status_code matches "4*"
| count as count by src_ip
| sort count, src_ip asc
| limit 5
Metricsβ
Here's a sample Metrics query from the Request State Analysis dashboard > Waiting panel:
sumo.datasource=apache metric=apache.scoreboard state=waiting webengine.cluster.name=* webengine.node.name=* | sum by webengine.cluster.name
Sample Metricsβ
{
"queryId":"A",
"server_name":"localhost",
"_source":"apache-otel-metric",
"state":"dnslookup",
"webengine.cluster":"apache_otel_cluster",
"sumo.datasource":"apache",
"deployment.environment":"user_apache_env",
"_contentType":"Carbon2",
"metric":"apache.scoreboard",
"_collectorId":"000000000C9802CD",
"_sourceId":"0000000042E3AAB3",
"webengine.system":"apache",
"unit":"{workers}",
"_collector":"Labs - apache-otel",
"max":100,
"min":0,
"avg":18.64,
"sum":1100,
"latest":1,
"count":59
}
Viewing Apache dashboardsβ
Overviewβ
The Apache - Overview Dashboard provides an at-a-glance view of the activity and health of the Apache web server farms, and servers by monitoring uptime, requests, response, traffic, visitor geographic locations, and critical error messages.
Use this dashboard to:
- Get an at-a-glance view of the state of all your Apache web servers.
- Identify the top URLs causing errors.
- Identify the top critical error messages.
Error Log Analysisβ
The Apache - Error Log Analysis dashboard provides a high-level view of error log levels, clients causing errors, critical error messages and trends.
Use this dashboard to:
- Quickly identify critical errors affecting your Apache web servers.
- Analyze types and patterns of log messages in your Apache web servers.
- Identify clients causing the most errors.
- Monitor trends in error logs and identify outliers.
Trendsβ
The Apache - Trends dashboard provides trends around HTTP responses, server hits, visitor locations, traffic volume and distribution.
Use this dashboard to:
- Monitor trends and identify outliers.
Outlier Analysisβ
The Apache - Outlier Analysis dashboard helps you quickly identify outliers for key Apache metrics such bytes served, number of visitors, server errors, and client errors.
Use this dashboard to:
- Automatically detect outliers in the operations of your Apache web servers and take corrective actions if needed.
Threat Analysisβ
The Apache - Threat Analysis dashboard provides an at-a-glance view of incoming threats to your Apache servers based on known malicious IP addresses.
Dashboard panels show threat counts, geographic locations, actors, threat severity, URLS accessed.
Use this dashboard to:
- Identify threats from incoming traffic based on incoming client IP addresses and discover potential IOCs.
Visitor Locationsβ
The Apache - Visitor Locations dashboard provides a high-level view of Apache visitor geographic locations both worldwide and in the United States.
Use this dashboard to:
- Get insights into geographic locations of your user base.
Visitor Access Typesβ
The Apache - Visitor Access Types dashboard provides insights into visitor platform types, browsers, device types, and operating systems.
Use this dashboard to:
- Understand which platform and browsers are being used to access your applications.
Visitor Traffic Insightβ
The Apache - Visitor Traffic Insight dashboard provides summarized information on the top URLs, referrers, search terms, and media types served.
Use this dashboard to:
- Understand content types of content that are frequently requested by users.
Web Server Operationsβ
The Apache - Web Server Operations dashboard provides an at-a-glance view of the operations of your Apache web servers. Dashboard panels show information on bots, geographic locations, errors, and URLs.
Use this dashboard to:
- Get insights into client locations, bots, and response codes.
Request State Analysisβ
The Apache - Request State Analysis dashboard shows trends around the state of incoming requests to your Apache web servers.
Use this dashboard to:
- Monitor the state of requests being handled by worker threads over time and take remedial actions to optimize your web servers if needed.
Server Statusβ
The Apache - Server Status dashboard shows information related to the state of your Apache server and includes information such as requests and bytes served and latency. information on the number of requests served, time taken to serve the request, and bytes served.
Use this dashboard to:
- Monitor server uptime.
- Monitor web server performance.
