6.1 Ensure the Error Log Filename and Severity Level Are Configured Correctly - ErrorLog

Information

The LogLevel directive is used to configure the severity level for the error logs. While the ErrorLog directive configures the error log file name. The log level values are the standard syslog levels of emerg, alert, crit, error, warn, notice, info and debug. The recommended level is notice for most modules, so that all errors from the emerg level through notice level will be logged. The recommended setting for the core module is info so that any not found requests will be included in the error logs.

Rationale:

The server error logs are invaluable because they can also be used to spot any potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as a lot of not found or unauthorized errors may be an indication that an attack is pending or has occurred. Starting with Apache 2.4 the error log does not include the not found errors except at the info logging level. Therefore, it is important that the log level be set to info for the core module. The not found requests need to be included in the error log for both forensics' investigation and host intrusion detection purposes. Monitoring the access logs may not be practical for many web servers with high volume traffic.

Solution

Perform the following to implement the recommended state:

Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. Note that is it is compliant to have a value of info or debug if there is a need for a more verbose log and the storage and monitoring processes are capable of handling the extra load. The recommended value is notice core:info.

LogLevel notice core:info

Add an ErrorLog directive if not already configured. The file path may be relative or absolute, or the logs may be configured to be sent to a syslog server.

ErrorLog "logs/error_log"

Add a similar ErrorLog directive for each virtual host configured if the virtual host will have different people responsible for the web site. Each responsible individual or organization needs access to their own web logs and needs the skills/training/tools for monitoring the logs.

Default Value:

The following is the default configuration:

LogLevel warn

ErrorLog "logs/error_log"

See Also

https://workbench.cisecurity.org/files/4548