What permission / user uses apache2 to write django logs

Question

What permission / user uses apache2 to write django logs

I have a very good question, which I would like an expert to comment on for me, please. (maybe Graham Dumpleton)

So, I have a Django web application (developed on ubuntu 16.04) that logs some crashes, as shown below, on / var / log / apache 2 / APPNAME.log.

since all the files in / var / log / apache 2 have root: adm owner, I granted ownership of my log file in the same way, and I made sure www-data is a member of the adm group. Then I provided rwx to the adm group for the owners group, and I tested that everything was working fine.

After 24 hours, the permission of the file and the parent folder changed, and I see that the write permission was canceled from the log file, and the parent directory causing the error rejected the error because the log file could not be written.

Here are my questions, if you could kindly help:

1) where do I need to place the Django log files?

2) What process under what user permission does the file write?

3) What process resets permissions in / var / log / apache and why?

Thank you very much,

I hope this question helps others as well.

Cheers, Mike

views.py

from django.shortcuts import render from django.shortcuts import render from django.http import HttpResponse, HttpResponseRedirect from django import forms from django.core.mail import send_mail, EmailMessage from StudioHanel.forms import ContactForm import traceback import time # import the logging library import logging import sys # Get an instance of a logger #logger = logging.getLogger('APPNAME') def contact(request): logger.debug('Contact Start!') if request.method == 'POST': etc...

settings.py

 LOGGING = { 'version': 1, 'disable_existing_loggers': False, 'filters': { 'require_debug_false': { '()': 'django.utils.log.RequireDebugFalse' } }, 'handlers': { 'mail_admins': { 'level': 'ERROR', 'filters': ['require_debug_false'], 'class': 'django.utils.log.AdminEmailHandler' }, 'applogfile': { 'level':'DEBUG', 'class':'logging.handlers.RotatingFileHandler', 'filename': os.path.join('/var/log/apache2', 'APPNAME.log'), 'maxBytes': 1024*1024*15, 15MB 'backupCount': 10, }, }, 'loggers': { 'django.request': { 'handlers': ['mail_admins'], 'level': 'ERROR', 'propagate': True, }, 'APPNAME': { 'handlers': ['applogfile',], 'level': 'DEBUG', }, } }

+5

python django apache mod-wsgi

Mike IT Nov 21 '16 at 7:15

source share

2 answers

For mod_wsgi, you'd better direct the Python protocol to stderr or stdout so that it is logged in the Apache error log. Do not create a separate log file, as with the Apache log file, things like rotation of the log file will be processed automatically. For an example, see the section "Registering Python Exceptions" in:

http://blog.dscpl.com.au/2015/04/integrating-modwsgi-express-as-django.html

Make sure you set up a separate error log for Apache for VirtualHost so that your site log is deleted separately in the main Apache error log.

+1

Graham dumpleton Nov 21 '16 at 21:17

source share

Antonis Christofides · Accepted Answer · 2016-11-21T07:42:51+0000

1) where do I need to place the Django log files?

I recently initiated a discussion on the django-users mailing list about directories that will be used for Django projects, and I came to the conclusion that there is no generally accepted practice. I decided to use /var/log/django-project-name .

In any case, /var/log/apache2 is the wrong place due to the problem you identified that logrotate will interfere. More on this below.

2) What process under what permission does the user write the file?

If you use Gunicorn, this is a gunicorn process, and if you use uWSGI, it is uwsgi . Judging by your link to Graham Dumpleton, you are using mod_wsgi. Thus, the process is the mod_wsgi daemon.

The user who writes these processes to the file is the user in which the process is running. For mod_wsgi, you can specify the user option for the WSGIDaemonProcess directive. According to his documentation : "If this option is not specified, daemon processes will be executed as the same user, which Apache will start child processes and as defined by the user directive." In Ubuntu, this is www-data . I think it's a good idea to use the user option and run the daemon as another dedicated user.

You should not add www-data to the adm group. The adm group is people who have permission to read the log files. www-data should not have this permission. (Reading and writing your own log files is fine, but you would not want to have permission to read /var/log/syslog .)

3) What process resets permissions in / var / log / apache and why?

It logrotate controlled by cron; see /etc/cron.daily/logrotate . The configuration in /etc/logrotate.d/apache2 manages all files matching /var/log/apache2/*.log . The main purpose of logrotate is to rotate logs. That is, a new log file is created every day, yesterday it is called access.log.1 , until yesterday access.log.2.gz , etc., And logs older than a few days are deleted. This is to save space and logging. logrotate will also correct file permissions if they are erroneous.

In theory, you should configure logrotate to also rotate your Django project logs, otherwise they may eventually fill up the disk.

What permission / user uses apache2 to write django logs

views.py

settings.py

More articles: