Awstats cannot process /var/log/apache2/access.log file by default / Awstats cannot open Apache server log file on Debian by default and how to fix that

Monday, 12th April 2010

By default the permissions of /var/log/apache2/ are as shown below:

drwxr-x--- 2 root adm 4096 Mar 21 14:18 /var/log/apache2/

This is quite restrictive, awstats runs by default with the www-data user which is actually the user name used by Apache webserver on Debian platform.
Therefore Awstats cannot swith to the /var/log/apache2/ directory and consequently cannot process the apache access.log file which by the way again has restrictive permissions as you can see below:

-rw-r----- 1 root adm 0 Sep 23 2009 access.log

Thus it’s necessery to work out the default Debian restrictive permissions to the Apache webserver logs to “allow” Awstats to be able to access the log files and consequently generate it’s statistics.

To do that you have to allow all users to have a read access over both /var/log/apache2/access.log and /var/log/apache2/error.log otherwise you will receiver errors like:

debian:~# sudo -u www-data /usr/bin/perl /usr/lib/cgi-bin/awstats.pl -update -config=mydomain.org

Create/Update database for config “/etc/awstats/awstats.mydomain.org.conf” by AWStats version 6.7 (build 1.892)
From data in log file “/var/log/apache2/access.log”…
Error: Couldn’t open server log file “/var/log/apache2/access.log” : Permission denied
Setup (‘/etc/awstats/awstats.mydomain.org.conf’ file web server or permissions) may be wrong.
Check config file permissions and AWStats documentation (in ‘docs’ directory).
debian:~#

So now to let’s set some permissions to allow the www-data user to be able to access /var/log/apache2.
First way to do that is via executing:

debian:~# chmod 755 -R /var/log/apache2/*

This however from a security stand point is a complete bull-shit, that way everybody that has a physical ssh account on the server will be able to read your /var/log/apache2/.
Therefore you might try something else like for example:

debian:~# chown 754 /var/log/apache2
After which you have to change the permissions for /var/log/apache2/access.log and /var/log/apache2/error.log to:
debian:~# chown 644 /var/log/apache2/access.log /var/log/apache2/error.log

Even if you do that, if /var/log/apache2/access.log and /var/log/apache2/error.log is the only log files on your webserver soon the permissions will broke once again, after the periodical logrotate is executed via the cron daemon.
To get around this annoyance you have to edit your /etc/logrotate.d/apache2 conf file and change substitute:

create 640 root adm
with
create 644 root adm

Well that’s all, all left is to wait that the awstats is executed one more time through crond.
If you want to modify something to the way awstats is invoked via cron you have to edit:

/etc/cron.d/awstats

Now hopefully your awstats should work just perfectly fine 🙂

Share this on:

Download PDFDownload PDF

Tags:

5 Responses to “Awstats cannot process /var/log/apache2/access.log file by default / Awstats cannot open Apache server log file on Debian by default and how to fix that”

  1. mimo says:
    Firefox 3.6.3 Firefox 3.6.3 Ubuntu 10.04 x64 Ubuntu 10.04 x64
    Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3

    Why not like this:

    /etc/logrotate.d/apache2
    create 640 root www-data

    chmod 2755 /var/log/apache2/
    chgrp -R www-data /var/log/apache2/

    View CommentView Comment
  2. sixerjman says:
    Google Chrome 14.0.835.202 Google Chrome 14.0.835.202 GNU/Linux GNU/Linux
    Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1

    Perfect. The setgid on the directory solves the problem of all future files being created in the directory being anything other than group www-data. Thanks.

    View CommentView Comment

Leave a Reply

CommentLuv badge