I was wondering if there are any benefits or common use-cases in which using separate Apache logs (access, agent, error, and referer) is better than using a single combined log file. I tried Googling it, but it seems that an analysis has not really been done on this particular dilemma.
Traditionally I have used separate ones simply because it made sense to separate data into groups (of course in another way, it is actually splitting grouped data; i.e., any given access is being split into multiple pieces—which means viewing four files at the same time and trying to keep them synchronized to the same timestamp).
I haven’t used too many log analyzers, but I suspect that at least some work better (or at all) with combined logs.
So is there a good reason to use separate over combined?
I use different logs to separate key subjects which are running on the same server but are of totally different purposes (i.e. different sites or different types of security / sensitivity), as I find it easier to inspect, review and analyze because it cuts down the noise.
You could achieve similar results using grep too, obviously.
This is really a personal call that you have to make based on your environment and the way you work. There are advantages and disadvantages to both.
The major advantage of a combined log (everything going to one file) is that it's written out contemporaneously: If an error occurs you see it right under the "access" line (the request) that caused it.
This can make troubleshooting a little easier if you don't have a huge volume of requests.
Conversely, separate log files make sense whenever the volume of entries is so large as to be overwhelming when trying to troubleshoot a problem.
The "traditional" division for Apache is access and error logs -- When you're hunting down a problem you watch the error log and provoke the problem, and you get just the errors (as opposed to the error plus all the GET requests for CSS files, JavaScript, images, etc. that your browser went to download before you reached the part where things crash).
You can take this further to an extreme (separate Access, Agent, Referrer, SSL, etc. logs), but personally I see no need to do that. The traditional "Error" and "Access" (everything that isn't an error) logging is what you'll see in most deployments.
There may be a reason to keep additional dedicated logs for referrers, etc. if you're doing analysis or statistics, or you may omit that information from the Access log if you don't care about it, but I wouldn't subdivide logs to the point where you have to look in more than 2 places to troubleshoot a problem. That just winds up making more work for you.
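With separate access and error logs, the contemporaneous view discussed in the question and the answer above (each error directly under the request that caused it) can be rebuilt afterwards by merging on timestamp. The following is an added example, not part of the original posts: the sample lines are constructed, the function names are illustrative, and it assumes the error log, which carries no UTC offset, is written in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the stock Apache 2.4 access/error log layouts.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /report.php HTTP/1.1" 500 0
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 2326
"""
ERROR_LOG = """\
[Tue Oct 10 13:55:37.204113 2023] [php:error] [pid 812] [client 203.0.113.7:50112] PHP Fatal error (constructed)
  continuation line without its own timestamp
"""

ACCESS_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
ERROR_TS = re.compile(r"^\[([^\]]+)\]")

def parse_access(line):
    m = ACCESS_TS.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None

def parse_error(line, tz=timezone.utc):
    # Assumption: the error log has no offset, so the caller supplies the zone.
    m = ERROR_TS.match(line)
    if not m:
        return None
    stamp = m.group(1)
    fmt = "%a %b %d %H:%M:%S.%f %Y" if "." in stamp else "%a %b %d %H:%M:%S %Y"
    try:
        return datetime.strptime(stamp, fmt).replace(tzinfo=tz)
    except ValueError:
        return None

def tagged(text, parse, tag):
    last = None
    for line in text.splitlines():
        ts = parse(line) or last  # continuation lines inherit the previous stamp
        if ts is not None:
            last = ts
            yield ts, tag, line

def merge(access_text, error_text):
    rows = [*tagged(access_text, parse_access, "ACCESS"),
            *tagged(error_text, parse_error, "ERROR ")]
    # sorted() is stable, so a request precedes an error logged in the same instant,
    # and it tolerates access lines that were written slightly out of order.
    return [f"{tag} {line}" for _, tag, line in sorted(rows, key=lambda r: r[0])]

if __name__ == "__main__":
    print("\n".join(merge(ACCESS_LOG, ERROR_LOG)))
```

If the server logs in local time, pass the matching `tz` to `parse_error`; otherwise errors will sort hours away from the requests that triggered them.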