
Server-wide Apache logs


  • Server-wide Apache logs

    I know I can go into each site in Siteworx or each folder in /home/ to get to each site's Apache logs. That gets awfully tedious when I'm trying to figure out what site is being attacked, causing a huge spike in httpd and mysql load on the system.

    Within an hour of reboot, my load was 342. Turn httpd off and everything is fine.

  • #2
    Hi Johan-hammy

    You could always ssh into your server, run top to see which site is using the resource, then take action as you need by disabling that site and then look at the site stats etc...

    You could always look at apache status from nodeworx system services web server and also as MySQL is involved, look at MySQL to see which site is using the processes

    I prefer top as it shows the top users

    I hope that helps a little

    Many thanks

    John



    • #3
      Originally posted by d2d4j
      Hi Johan-hammy

      You could always ssh into your server, run top to see which site is using the resource, then take action as you need by disabling that site and then look at the site stats etc...

      You could always look at apache status from nodeworx system services web server and also as MySQL is involved, look at MySQL to see which site is using the processes

      I prefer top as it shows the top users

      I hope that helps a little

      Many thanks

      John

      How would top help? BTW: top is what showed me that MySQL and httpd were using a lot of resources.

      System services has a processes\clients graph for httpd, but I don't think there's a lot of detail there. It has how many processes, but not really what those processes are doing.

      System services does say what the current commands are for MySQL, so I've re-enabled that domain so I can see what shows up. So far it's the "sleep" command, but the server isn't under a lot of load yet.


      I think a centralized httpd log is critical. I could then run Fail2ban server-wide without having to spin up separate jails or an array of logfiles for the different sites. Then it's just up to me to come up with an appropriate regex.

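One way to get the server-wide view asked about above without a central log, as an added example that is not from any poster or from InterWorx: these shell functions tally requests per site log and per client IP for a chosen hour. The combined log format, the space-free log paths, the function names and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). ASSUMPTIONS: one Apache combined-format log
# per site, paths without spaces, selected by a shell glob supplied by the caller.

# matching STAMP FILE...: print "file client_ip" for each request whose timestamp
# starts with STAMP, e.g. "10/Oct/2023:13" selects the 13:00 hour.
matching() {
    stamp=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue   # skip unreadable logs and globs that matched nothing
        awk -v s="[$stamp" -v f="$f" 'index($4, s) == 1 { print f, $1 }' "$f"
    done
}

# tally COLUMN: count occurrences of each value in that column, busiest first.
tally() {
    awk -v c="$1" '{ n[$c]++ } END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

site_hits() { matching "$@" | tally 1; }   # requests per site log
ip_hits()   { matching "$@" | tally 2; }   # requests per client IP, all sites combined

# make_sample DIR: write two small constructed logs (documentation IP ranges).
make_sample() {
    mkdir -p "$1/sitea" "$1/siteb"
    cat > "$1/sitea/transfer.log" <<'EOF'
198.51.100.7 - - [10/Oct/2023:12:59:40 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:01:02 +0000] "GET /about HTTP/1.1" 200 734 "-" "curl/8.0"
EOF
    cat > "$1/siteb/transfer.log" <<'EOF'
203.0.113.9 - - [10/Oct/2023:13:00:01 +0000] "POST /index.php HTTP/1.1" 200 90 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:00:01 +0000] "POST /index.php HTTP/1.1" 200 90 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:00:02 +0000] "POST /index.php HTTP/1.1" 200 90 "-" "-"
198.51.100.7 - - [10/Oct/2023:13:02:10 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
site_hits "10/Oct/2023:13" "$demo"/*/transfer.log   # busiest site log first
ip_hits   "10/Oct/2023:13" "$demo"/*/transfer.log   # busiest client IP first
```

On a live server, pass the current hour and your own log glob, for example `site_hits "$(LC_ALL=C date '+%d/%b/%Y:%H')" /home/*/var/*/logs/transfer.log`; that glob is an assumed layout, so point it at wherever the per-site logs actually live.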


      • #4
        Hi Johan-hammy

        Top shows the php-fpm and unix name, which greatly helps in narrowing the site. It either shows a site php taking a long time or there would be a lot of calls to the php from the same site.

        It is only a tip which may help as it has certainly helped me in the past to very quickly identify the site, and to help further, you could kill the pid without restarting apache

        Many thanks

        John



        • #5
          Next time it flares up, I'll copy and paste all of top's output instead of the first few lines.



          • #6
            Hi Johan-hammy

            If it helps to see better what I mean, please see picture. Although this is taken from top, and no site is under attack or causing issues, it shows you how quickly it can identify a site from the unix name (changed for obvious reasons), and you can see it is using php-fpm and shows cpu usage.

            As I said, it is a very quick way to help narrow the search to the site causing issues, and can quickly bring httpd back into normal load by disabling the siteworx account and killing the pid's used by the site (kill -9 pid)

            Many thanks

            John

            [Image: top-quick.png]



            • #7
              Originally posted by d2d4j
              Hi Johan-hammy

              If it helps to see better what I mean, please see picture. Although this is taken from top, and no site is under attack or causing issues, it shows you how quickly it can identify a site from the unix name (changed for obvious reasons), and you can see it is using php-fpm and shows cpu usage.

              As I said, it is a very quick way to help narrow the search to the site causing issues, and can quickly bring httpd back into normal load by disabling the siteworx account and killing the pid's used by the site (kill -9 pid)

              Many thanks

              John

              [Image: top-quick.png]

              Mine all just say apache. Maybe it's the Interworx site itself, as opposed to any clients?



              • #8
                Hi Johan-hammy

                I see, thank you

                Do any of your siteworx accounts use php?

                Also, interworx would usually show as iworx or iworx-db, so it most likely has to be httpd or root, but some of the below commands for ssh may shed a little light on what is using httpd

                I would also log into nodeworx, system services, web server, server status which should show the usage and requests taking place. This may be the better option for you

                I hope that helps a little

                Many thanks

                John

                systemctl status httpd

                ps
                ps -eo comm,etime,user | grep httpd
                ps -eo comm,etime,user | grep root | grep httpd



                • #9
                  Originally posted by d2d4j
                  Hi Johan-hammy

                  I see, thank you

                  Do any of your siteworx accounts use php?

                  Also, interworx would usually show as iworx or iworx-db, so it most likely has to be httpd or root, but some of the below commands for ssh may shed a little light on what is using httpd

                  I would also log into nodeworx, system services, web server, server status which should show the usage and requests taking place. This may be the better option for you

                  I hope that helps a little

                  Many thanks

                  John

                  systemctl status httpd

                  ps
                  ps -eo comm,etime,user | grep httpd
                  ps -eo comm,etime,user | grep root | grep httpd

                  I'll take a look when load goes up again. This afternoon I had an issue of low swap space, so I restarted the httpd service.

                  I came across that server status page elsewhere. I'll look at it more closely when something happens again.
