8.4. Logging Strategies

After covering the mechanics of logging in detail, one question remains: which strategy do we apply? That depends on your situation and no single perfect solution exists. Use Table 8-8 as a guideline.

Table 8-8. Logging strategy choices

Logging strategy	Situations when strategy is appropriate
Writing logs to the filesystem	When there is only one machine or where each machine stands on its own. If you are hosting static web sites and the web server is not viewed as a point of intrusion.
Database logging	You have a need for ad hoc queries. If you are afraid the logging database might become a bottleneck (benchmark first), then put logs onto the filesystem first and periodically feed them to the database.
Syslog logging	A syslog-based log centralization system is already in place.
Syslog logging with Syslog-NG (reliable, safe)	Logs must be transferred across network boundaries and plaintext transport is not acceptable.
Manual centralization (SCP, SFTP)	Logs must be transferred across network boundaries, but you cannot justify a full Syslog-NG system.
Spread toolkit	You have a cluster of servers where there are several servers running the same site. All other situations that involve more than one machine.

Here is some general advice about logging:

• Think about what you want from your logs and configure Apache accordingly.

• Decide how long you want to keep the logs. Decide at the beginning instead of keeping the logs forever or making up the rules as you go.

• You will be storing the logs on a filesystem somewhere, so ensure the filesystem does not overflow. To do this, delete the logs regularly.

• At the same time, put the log files on their own partition. That way, even if the partition overflows, the rest of the system will continue to function.