NOTICE! The following is an unsupported workaround for Cobalt web servers. Implementing this workaround may void your Cobalt warrantee. Therefore Urchin Software does not recommend its use. The following documentation is provided as a reference tool only.
Cobalt maintains a single "access" log for the server. Part of the log management mechanism for all Cobalt servers requires that a script run based on a special configuration file to parse the access log into separate domain log files. This process is configured in a way that restricts modification of the "access" log format via the Apache configuration file "httpd.conf."
If you want to use the UTM module with Urchin 4, you must edit Cobalt's Apache configuration file without compromising the existing access log file. In preliminary tests, we have successfully added a line to the httpd.conf file that creates a duplicate "access" log file under another name. Since the Cobalt server does not use that file, it will not have any impact on the existing log rotation mechanism.
Editing the httpd.conf file:
You can find the httpd.conf file in
/etc/httpd/conf/httpd.conf
Using a text editor, open the httpd.conf file and locate the
LogFormat settings.
Add the following line to the existing LogFormat entries:
LogFormat "%h %v %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\"" special
Now, under the current "CustomLog" entry, add the following
line:
CustomLog /var/log/httpd/urchin special
So, your CustomLog entries, should now look like this:
CustomLog /var/log/httpd/access combined
CustomLog /var/log/httpd/urchin special
Restart the web server from the control panel so the changes will take affect. Apache will immediately begin writing the new log file which will include all traffic to all domains on the server. The only difference will be the addition of the cookie data.
Setting up Profiles to Utilize the new UTM log: The standard setup for Urchin 4 on Cobalt allows you to use the individual web.log files which are created for each domain. In this scenario, you would have to use the same /var/log/httpd/urchin log for every profile. Each profile would have to use a filter to include "only" the hits that were directed to the domain in question.
For example, if my profile name is www.urchin.com, then my
profile filter would have the following parameters:
Filter Type: Include Pattern ONLY
Filter Field: Requested Host
Filter Pattern:
urchin\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\.com
All other aspects of the profile can be setup using the standard procedures outlined in the Urchin UTM document.
Note:
The newly created log will have to be periodically cleared
or it will grow daily without limitation. Therefore, it
will be necessary to implement a rotation of some sort. If
you simply wish to clear the contents periodically, the
following may be useful:
From the command line, while logged in as "root", create a
file with the following contents:
cp /dev/null /var/log/httpd/urchin
This file should have execute permissions for the 'root'
owner.
The file should be saved in the /etc/cron.daily/ directory.
Alternatively, you can save into /etc/cron.weekly.
Whichever you choose, it will be crucial to schedule Urchin
"around" this log maintenance routine. Cobalt runs all
files in the cron.daily and cron.weekly directories starting
at 4:00am. So, Urchin should be scheduled such that it
completes processing all UTM profiles before 4am. The
length of time it takes for Urchin to process is entirely
dependent on the size of the log files and complexity of the
configuration for each profile. DNS processing will also
impact this metric. So, you will have to run Urchin a few
times before adding the log maintenance routine to the
cron.daily directory.