
We have set up a system for central logging with the ELK stack (Elastic, Logstash, Kibana). Our shippers (clients) are fluentd, which sends massive amounts of log data to the ELK. Before fluentd traffic hits logstash it goes through an Apache httpd reverse proxy. It works very well, but we've noticed that the Apache httpd access log is spammed with entries for the fluentd access, like:

10.x.y.z - fluentd [02/Aug/2018:10:31:12 +0200] "POST /elasticsearch/_bulk HTTP/1.1" 200 6471 

We've been testing If blocks to set a variable "dontlogme" and then configured the AccessLog with !dontlogme. This works if we match, for example, the User-Agent. But it does not work if we try to make the condition based on the (logged-in) username.

What we want to achieve is: if the username (coming from Basic Auth) is "fluentd", don't log the request in access.log.

Is there anyone out there who has succeeded with this?

2 Answers

If Apache really is incapable of inspecting the "Authorization" header, you can always pipe your access log (as if you were using rotatelogs) through a shell script that filters the fluentd lines.

CustomLog "|/usr/local/bin/nofluentd.sh" combined 

And the nofluentd.sh script something like:

#!/usr/bin/ksh
# Drop combined-format lines whose remote-user field (3rd field) is fluentd,
# then hand the rest to rotatelogs as usual.
awk '$3 != "fluentd"' | /usr/bin/rotatelogs -n 7 /var/log/apache2/access.log 86400
  • Wow! Can you actually pipe the log to an external command? Great suggestion. I will try that! Commented Aug 2, 2018 at 11:40
  • You complain about logs growing out of bounds, but you don't know rotatelogs? I will have a look at SetEnvIfExpr. Commented Aug 2, 2018 at 11:45
  • I know rotatelogs. What I don't know is how to ignore logging of a specific user. I don't want the fluentd user access to be logged at all. The reason is that we have a lot of servers "spamming" the access.log with "POST /elasticsearch/_bulk HTTP/1.1" messages. Totally useless for us to have in logs, and I found a way to ignore the URI /elasticsearch/_bulk, but that seemed stupid as it would also ignore logging of non-authenticated users (as well as other authenticated users). SetEnvIf does not work for Basic Authenticated user names; I've tried... a lot. Commented Aug 2, 2018 at 12:04
  • I'm trying myself. "Geduld", as we say. Commented Aug 2, 2018 at 12:52

As I suspected, Apache has no problem checking the Authorization header with SetEnvIfExpr, after which you can use conditional logging. E.g. I created a user fluentd with password haltingd, Apache config as follows:

SetEnvIfExpr "req('Authorization') == 'Basic Zmx1ZW50ZDpoYWx0aW5nZA=='" \
    user_fluentd
CustomLog "|/usr/bin/rotatelogs -n 7 ${APACHE_LOG_DIR}/druptest.log 86400" \
    combined env=!user_fluentd

Zmx1ZW50ZDpoYWx0aW5nZA== is simply fluentd:haltingd base64 encoded, which is what a browser will send for basic authentication.
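Added example (not from either answer): a small POSIX shell check of the two things the answers depend on, the Basic literal that SetEnvIfExpr compares against and the remote-user field that the awk pipe filters on. The hosts and log lines are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original answers. Verifies the Basic-auth
# literal used in the SetEnvIfExpr rule and the awk field that the
# nofluentd.sh pipe filters on. Sample data below is constructed.

# Exact value a client sends in "Authorization: Basic ..." for user:password,
# i.e. the string to paste into the SetEnvIfExpr comparison.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64
}

# Emit the SetEnvIfExpr line for a given user/password pair.
setenvif_rule() {
    printf 'SetEnvIfExpr "req(%s) == %s" user_%s\n' \
        "'Authorization'" "'Basic $(basic_auth_value "$1" "$2")'" "$1"
}

# Filter combined-format access log lines on stdin, dropping those whose
# remote-user field (3rd whitespace-separated field: %h %l %u ...) equals $1.
# Unauthenticated requests carry "-" there and are kept.
drop_user_lines() {
    awk -v user="$1" '$3 != user'
}

# Constructed sample log lines (not real traffic): one fluentd bulk post,
# one unauthenticated request to the same URI, one other user.
SAMPLE_LOG='10.0.0.5 - fluentd [02/Aug/2018:10:31:12 +0200] "POST /elasticsearch/_bulk HTTP/1.1" 200 6471 "-" "fluentd"
10.0.0.7 - - [02/Aug/2018:10:31:13 +0200] "GET /elasticsearch/_bulk HTTP/1.1" 401 381 "-" "curl/7.58.0"
10.0.0.9 - alice [02/Aug/2018:10:31:14 +0200] "GET /app/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# What the piped log would contain after the fluentd filter.
filtered_log() {
    printf '%s\n' "$SAMPLE_LOG" | drop_user_lines fluentd
}

if [ "${1:-}" = "demo" ]; then
    basic_auth_value fluentd haltingd
    setenvif_rule fluentd haltingd
    filtered_log
fi
```

Because the SetEnvIfExpr literal is only base64 of user:password, the Apache config now holds that credential in recoverable form and needs the same protection as the password file; it also has to be regenerated whenever the password changes.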
