19

I want to debug some authentication & authorization issues on my webserver, particularly with mod_authnz_ldap and other mod_auth* modules.

So I set LogLevel debug in the Apache configuration, either globally or for a single VirtualHost. This provides me with useful information from mod_authnz_ldap , but it also spews out a ton of noise from the SSL modules. See below for an example.

Is there a way to reduce the LogLevel for ssl_engine* , while still maintaining the loglevel for mod_authnz_ldap?

Yes, I could exclude the lines using something like grep -v ssl_engine logfile, but I also want to exclude this extra data from some other syslog parsing tools. I would rather reduce the logging from the source, instead of excluding it at the destination.

[Tue Jul 06 16:55:31 2010] [debug] ssl_engine_io.c(1830): | 0100: 12 23 e7 0f 45 1f 1f d3-ed 12 f8 12 1f a9 90 85  .+..(........... |
[Tue Jul 06 16:55:31 2010] [debug] mod_authnz_ldap.c(474): [client 10.10.10.123] [96991] auth_ldap authenticate: accepting joe
[Tue Jul 06 16:55:31 2010] [debug] mod_authnz_ldap.c(730): [client 10.10.10.123] [96991] auth_ldap authorise: require group: authorisation successful (attribute memberUid) [Comparison true (cached)][Compare True]
[Tue Jul 06 17:02:17 2010] [debug] ssl_engine_io.c(1830): | 0023: 23 ff 29 5a 4b bd 4c e6-bc 36 22 9c c3 22 c2 4b  ..)ZK.L..6u....K |
[Tue Jul 06 17:02:17 2010] [debug] ssl_engine_io.c(1830): | 0023: 23 ff 29 5a 4b bd 4c e6-bc 22 75 9c c3 b6 22 4b  ..)blahblah|
Stefan Lasiewski
  • 23,667
  • 41
  • 132
  • 186

1 Answers1

18

I'm answering my own question, Jeopardy Style.

Apache 2.3

This is possible in Apache 2.3.

Apache > HTTP Server > Documentation > Version 2.4 > Per-module logging says:

Per-module logging

The LogLevel directive allows you to specify a log severity level on a per-module basis. In this way, if you are troubleshooting a problem with just one particular module, you can turn up its logging volume without also getting the details of other modules that you're not interested in. This is particularly useful for modules such as mod_proxy or mod_rewrite where you want to know details about what it's trying to do.

Do this by specifying the name of the module in your LogLevel directive:

LogLevel info rewrite:trace5

This sets the main LogLevel to info, but turns it up to trace5 for mod_rewrite.

This replaces the per-module logging directives, such as RewriteLog, that were present in earlier versions of the server.

Overview of new features in Apache HTTP Server 2.4 say:

Per-module and per-directory LogLevel configuration The LogLevel can now be configured per module and per directory. New levels trace1 to trace8 have been added above the debug log level.

Also see the discussion on the Apache-dev mailinglist.

Apache 2.2 & Earlier:

No, this is not currently possible in Apache 2.2. The manual at HTTP Server > Documentation > Version 2.2 > Modules "LogLevel Directive" does not show this option. The only option currently is to "grep -v" the offending lines.

Apache 2.4 (proposed at time of writing):

This will be included with Apache 2.4. The Apache docs in the trunk (2.3) currently say:

Compatibility: Per-module and per-directory configuration is available in Apache HTTP Server 2.3.6 and later

And:

Specifying a level without a module name will reset the level for all modules to that level. Specifying a level with a module name will set the level for that module only. It is possible to use the module source file name, the module identifier, or the module identifier with the trailing _module omitted as module specification. This means the following three specifications are equivalent:

LogLevel info ssl:warn
LogLevel info mod_ssl.c:warn
LogLevel info ssl_module:warn
slebetman
  • 163
  • 6
Stefan Lasiewski
  • 23,667
  • 41
  • 132
  • 186