It seems like by default Django logs errors to apache's error file. On Ubuntu and apache2 this file is /var/log/apache2/error.log and the permissions on the /var/log/apache2 directory is 750 with root as the owner and adm as the group. The permissions on the error.log file itself is 640 with root as the owner and adm as the group.
When errors occur, you can see the stack trace in the error.log file. I want to have django errors in a custom log file, not apache's error log, so I setup the logging config in settings.py. I have a /var/log/example directory and a /var/log/example/myapperrors.log file. I set the permissions exactly like apache2 log directory and error file. However, I get permission denied on the myapperrors.log file.
Related
I'm migrated from AL1 to AL2 on AWS Beanstalk. AL2 changed location of my nodejs.log to /var/log/{{.}}.stdout.log
I resolved this by adding ryslog.config to .ebexetensions:
files:
"/opt/elasticbeanstalk/config/private/rsyslog.conf.template":
mode: "000644"
owner: root
group: root
content: |
# This rsyslog file redirects Elastic Beanstalk platform logs.
# Logs are initially sent to syslog, but we also want to divide
# stdout and stderr into separate log files.
template(name="SimpleFormat" type="string" string="%msg%\n")
$EscapeControlCharactersOnReceive off
{{range .ProcessNames}}if $programname == '{{.}}' then {
*.=warning;*.=err;*.=crit;*.=alert;*.=emerg /var/log/nodejs/nodejs.log; SimpleFormat
*.=info;*.=notice /var/log/nodejs/nodejs.log; SimpleFormat
}
{{end}}
Above configuration is working but I have problem with log file permissions.
Directory /var/log/nodejs and nodejs.log file are only readable by root (chmod 600), and cloudwatch-agent can't read it. Changing permissions manually do the job, but how can I change the permissions to be created automatically on beanstalk deploy?
Adding the following code resolved it.
This will set the owner and group to the corresponding value, for all files that are automatically created.
# Set the default permissions for all log files
$umask 0022
$FileOwner cwagent
$FileGroup cwagent
$DirOwner cwagent
$DirGroup cwagent
I want to copy the audit file to log server, (CentOS 7)
When I put in /etc/rsyslog.conf:
audit.* #logserver:514
I get the error:
rsyslogd: unknown facility name "audit" [v8.24.0-41.el7_7.2]
When I trying to copy the audit log, as I do with apache log, I put:
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
if $syslogtag == 'tag_audit_log' then #logserver:514
I get the error:
rsyslogd: imfile: on startup file '/var/log/audit/audit.log' does not
exist but is configured in static file monitor - this may indicate a
misconfiguration. If the file appears at a later time, it will
automatically be processed. Reason: Permission denied
[v8.24.0-41.el7_7.2]
The file exist:
# ls -lZ /var/log/audit/audit.log
-rw-------. root root system_u:object_r:auditd_log_t:s0 /var/log/audit/audit.log
How to make it work?
Thanks
I find the solution, I follow:
In /etc/syslog.conf I put
*.info #remote.syslog.example.com
In /etc/audisp/plugins.d/syslog.conf:
active = yes
systemctl restart rsyslog
service auditd restart
I'm using mod_wsgi (v.4.5.20), installed with pip, in daemon mode, using a "main" apache instance as front (reverse proxy). I'm serving a django application, the "main" server hosts some other applications.
I'ld like to record the log files to a "known" directory. For now, the log files are recorded into the directory generated by the daemon-mode, aka. --server-root directory. The process is launched through a systemd service.
On the "main" apache settings, I've set the ErrorLog and CustomLog directives to my "wanted" log directory, but no files are recorded.
The "main" apache settings: (Note the X-Forwarded-For switch for company reverse proxy)
https://gist.github.com/frague59/0c9717bd5668140de392019874373f0a
Thanks for your help !
When you use mod_wsgi-express behind a front end Apache serving as proxy, the mod_wsgi-express configuration is completely independent to the front end. If you want to change where logs go for mod_wsgi-express use the --log-directory option. Presuming mod_wsgi-express is started as not root user, it will not be able to write to a root owned directory. If it needed to, you would need to start it as root and define --user and --group options to then be what user and group you want the WSGI application to run as. Because it start as root initially, then it can write logs to a root owned directory. Run mod_wsgi-express with the --help option to see all the command line options.
I am having an issue with my Django Logger and after checking the Apache logs I can see that it is a permission error.
[Mon Dec 15 22:15:22 2014] [error] [client 134.226.38.233] ValueError:
Unable to configure handler 'file': [Errno 13] Permission denied:
'/var/www/bias_experiment/src/survey.log', referer:
http://phaedrus.scss.tcd.ie/bias_experiment/surveyone/
I changed the owner and group of the file (from me) to www-data with sudo chown www-data:www-data survey.log but this had no effect. Setting the write permissions to 777 gets rid of the error but I understand this is bad practice.
This answer to this question "Permission Denied when writing log file" has been very usefull but I do not understand one thing.
"You must make sure that the owner of the file is the service that's
trying to write something to it or that the file belongs to group of
the service or you'll get a permission denied error."
What is the name of the service or group that writes the Django Log file?
Setup:
Server: Ubuntu 12.04
Apache 2.2.22
mod_wsgi Version: 3.3-4ubuntu0.1
Python 2.7.3
Django 1.6
is the same user that run apache. it depends by the OS, common values are
www-data
httpd
you must grant write and execute privileges to the directory that 'contains' the file.
I've been searching throughout this site for a solution but haven't been able to find one. I have a CentOS 6.4 server with Apache 2.2.15, Django 1.6 and mod_wsgi 3.2. I am using Apache to display static files and mod_wsgi to display Django content.
I placed the Django project files in the /srv directory due to this page.
When I run the Django development server, the test page that I wrote up displays properly. However, when I start my Apache server and visit 127.0.0.1, I get a 403 Forbidden error.
django.wsgi (in /srv/mysite)
import os
import sys
envpath = '/usr/lib/python2.6/site-packages'
pwd = os.path.dirname(os.path.abspath(__file__))
os.chdir(pwd)
sys.path = [env] + sys.path
os.environ['PYTHON_EGG_CACHE'] = '/srv/mysite/.python-egg'
os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
site.addsitedir(envpath)
from django.core.handlers.wsgi import WSGIHandler
application = WSGIHandlers()
httpd.conf
WSGIScriptAlias / /srv/mysite/django.wsgi
WSGIPythonPath /srv/mysite
<more aliases and tags in order to get the right static files to show>
In the httpd.conf file, the user and group that is listed is the default apache. I ran a ls -l on the /srv directory and its owner and group were listed as root. So, I ran sudo chown -R apache:apache /srv/mysite which changed the directory and all subdirectories to use apache as owner and group.
However, no matter how much I Google or try, I can't get over this 403 error.
EDIT:
I've discovered that when I disable SELinux, and the WSGIPythonPath variable in the http.conf file is django.wsgi, it results in a 500 Internal Server error. However, when I change it to wsgi.py, my website displays properly. I am curious as to why that is.
In any case, since this will be a production machine, I prefer to keep SELinux on and figure out how to get the appropriate permissions figured out.
EDIT 2:
I've edited my django.wsgi file (changed above) ala this link
EDIT 3:
I tried moving my project files into the my /home/ folder. I've been alternating between trying django.wsgi and wsgi.py but still can't get past the 403 Forbidden error. I thought it was originally a permissions issue with the /srv directory but it appears that's not the case...I am trying to figure this out but nothing is working.
EDIT 4:
I decided to just stick the development server for now...but I still need to get this working and I am at the end of my rope. Is there anyone out there that can help me?
SELinux has its own system of granting access. Your process ever has to be granted to access files on filesystem depending on SELinux context. There are some default politics and contexts defined in SELinux those are usefull for default cases of your installation. Just web files are expected to be in '/var/www'. You can mostly check the current context of files or processes using switch '-Z', see
[root#localhost]# ls -Z /var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www
Check the context of /srv/mysite
[root#localhost]# ls -Z /srv
drwxr-xr-x. root root system_u:object_r:var_t:s0 mysite
The Apache HTTPD server is allowed to access files with SELinux type httpd_sys_content_t byt it is NOT allowed to access files with SELinux type var_t.
1. Change the SELinux type for your directory and check the context
[root#localhost]# chcon -R -t httpd_sys_content_t /srv/mysite
[root#localhost]# ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite
Check if your webiste is working right now.
Till now it is not finished yet, while you relabel filesystem to default or if you use a daemon to check or relabel itself, you risk to lose your new labeling.
2. Make the default labaling for your directory
Create the default labeling by 'semange' and apply it on your directory by 'restorecon'
[root#localhost]# semanage fcontext -a -t httpd_sys_content_t /srv/mysite
[root#localhost]# restorecon -v -R /srv/mysite
[root#localhost]# ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite
Right now your SELinux labeling is fixed.
Note: It is possible regular expressions to define default context.
Debian: I'm not a Debian user, so the SELinux type can be a bit different, the principle is just the same, check the SELinux type of your apache directory and set it on your directory you want to be accessible from apache.
Read more at RedHat:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html
Fedora SELinux documentation:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/