Last Updated: February 25, 2016
· willolbrys

Processing Apache Log Files in Graphite

After messing around looking for a tool chain that would let us import Apache access_log statistics from a growing number of web machines into Graphite I've settled on rsyslog and etsy's logster. It's really quite simple and applicable to all sorts of logging problems. Here's a quick rundown of how it works.

Your apache configuration needs to utilize the logger utility. You can read more about it here but its available all over the dang place.

In your Apache conf you'll need to edit your logging to something like this:

CustomLog /path/to/access_log foobar
CustomLog "|/path/to/logger -t httpd -p" foobar
CustomLog /path/to/access_log foobar

In your /etc/rsyslog.conf all you need is a simple forwarder for httpd.

if $programname == 'httpd' then

If you notice /var/log/messages is filling up with your access_log messages you need to include 'local6.none' on the rsyslogl.conf line defining /var/log/messages.

Now you need to collect all the stats some place. Configure another machine running rsyslog (at to receive those log events.
Paste this at the end of your rsyslog.conf:

# process remote messages
# define new ruleset and add rules to it:
$RuleSet remote
if $programname == 'httpd' then /path/to/my/unified.log
# bind ruleset to tcp listener
$InputTCPServerBindRuleset remote
# and activate:
$InputTCPServerRun 10512

Cool, that's pretty much it for pulling in the logs. Now you'll want to install etsy's logster on the log-capturing machine from their github repo.

And add this Apache log parser I modified from their example to parse your logs.

I hope this was easy to follow. If you're looking for any further reading you can try this loggly wiki page:

or the rsyslog documentation:

. Thanks!