Detections
Analytics

6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly - 'httpd.conf LogLevel = notice info or debug'

Information

The 'LogLevel' directive is used to configure the severity level for the error logs, while the 'ErrorLog' directive configures the error log filename. The log level values are the standard syslog levels of 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' and 'debug'. The recommended level is 'notice', so that all errors from the 'emerg' level through the 'notice' level will be logged.

Rationale:

The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred.

**IMPORTANT NOTE:**

The Apache htttpd server stopped including '404 not found' errors in its error log several years ago. Not including the 404 errors may cause log monitoring and host intrusion detection and prevention software to miss web scanning attacks which cause a large number of 'not found' errors, and may fail to block the attack. For Apache 2.4 benchmark we have recommended using ''notice core:info'' in order to pick up the 404 errors. However, in Apache 2.2, the 'LogLevel' directive doesn't support multiple levels. So the same recommended solution is not available. There are three alternatives to consider:
1. Set the 'LogLevel' to info - However this may create excessive logs, especially for TLS connections. The excessive logs may overwhelm the log monitoring processes.
2. Adapt the log monitoring and IDS to monitor the access logs. Which are much more frequent and may also overwhelm the log monitoring system.
3. Upgrade to Apache 2.4.

For historical context:
- A useful discussion which includes a justification by the bug fix author for the not found log level change. [https://stackoverflow.com/questions/36568205/404-error-doesnt-appear-in-apache-error-log](https://stackoverflow.com/questions/36568205/404-error-doesnt-appear-in-apache-error-log)
- The Apache 'bug fix' that caused the change in logging 404 not found errors is available at [https://bz.apache.org/bugzilla/show_bug.cgi?id=35768](https://bz.apache.org/bugzilla/show_bug.cgi?id=35768)

Solution

Perform the following to implement the recommended state:

1. Add or modify the 'LogLevel' in the Apache configuration to have a value of 'notice' or lower. Note that is it is compliant to have a value of 'info' or 'debug' if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is 'notice'.

 LogLevel notice

2. Add an 'ErrorLog' directive if not already configured. The file path may be relative or absolute, or the logs may be configured to be sent to a syslog server.

 ErrorLog 'logs/error_log'

3. Add a similar 'ErrorLog' directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs.

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv6|6.2, CSCv7|6.2, CSCv7|6.3

Plugin: Unix

Control ID: f12b24d2f0402769c966bd0938133585acfe3591f0305913f3f6219ba63fb061