6

For some development servers, I want to make all the Apache log files accessible via the web so developers can more easily debug. I've figured out how to modify the Apache site config to make the default /var/log/apache2 directory accessible, but unless I manually chmod the directory to be accessible to Apache's www-data user, the files return the "Forbidden" error.

It looks like, by default on Ubuntu, Apache writes its logs with user root and group adm. How do I change this to user group www-data so web users can read them?

Googling this, some have suggested editing the value for APACHE_RUN_GROUP in /etc/apache2/envvars, but this is already set to www-data.

Cerin
  • 3,650
  • 20
  • 63
  • 79

2 Answers2

9

Beware that IP addresses can be protected identifiers in some jurisdictions. And other things that would be better to not be public. Secure production log files, perhaps visible to operations staff only to start.

In addition to chgrp www-data /var/log/apache2 you need to preserve the ownership of the log file as it is rotated. For Ubuntu, edit /etc/logrotate.d/apache2 to have a create directive readable by the web server, such as create 640 root www-data

As previously seen on Server Fault: How to make apache log files readable by apache

What you really could use is a centralized log aggregation system that ingests logs and slices and dices them. Any popular one will have a means of parsing httpd logs.

John Mahowald
  • 33,256
  • 2
  • 21
  • 39
0

As previous answer, putting logs in public internet is not a good idea. I use http://pimpmylog.com/ that secure access to logs and it is really nice visually. The advantage is that you don't need to move the default log location or permissions. And yes, you can have them secured with users (as many as you want) and you even have Access token to read remotely. It can read all sort of logs. Also browser notification on log change, and auto refresh. What a nice piece of code from Potsky, thanks to him .

Valentin R.
  • 1