40

I'm running Tomcat in standalone mode. The "standalone" part is very important: I am not going to install Apache in front of Tomcat.

In my question here, about how to implement a "web bug", I got a great answer: Java webapp: how to implement a web bug (1x1 pixel)?

However the answer states:

"In your access logs, you can count for your jpg - the output should be"

127.0.0.1 - - [10/Jun/2010:11:38:53 +0530] "GET /mywebapp/jsp/invisible.jpg?1276150133362 HTTP/1.1" 200 991

But, as I feared, I cannot find such logs.

... $ cat apache-tomcat-6.0.26/logs/* | grep GET | wc -l

0

There are a lot of logs. My webapp's custom logs are definitely logged.

So I've got a few related questions:

  • Does "Tomcat standalone" log every HTTP GET request by default?

  • If yes, where is every HTTP GET request logged by default? (How could I have found them myself?)

  • If no, can "Tomcat standalone" be configured to log every HTTP GET request?

Note that I know that in my case I can add custom logging alongside my web bug .jsp and search for that in the logs, but that is not my question here.

My question here is really about how Tomcat standalone (once again, the standalone is very important) deals with logging of all the HTTP GET requests.

NoozNooz42
  • btw, what's the reason for running it standalone? Is it a performance test or something like this? – Igor Artamonov Jun 10 '10 at 18:20
  • @splix: no, I'm trading performance (for static file serving) for security. The reason is that "Apache Apache" doesn't have a very good security track record **compared to Tomcat**. Probably because it is written in C, which explains all the buffer overrun/overflow related security issues. I don't want to have to spend my time patching Apache ;) "Tomcat has no documented case of actual security exploitation" http://wiki.apache.org/tomcat/FAQ/Security You hardly can say so for Apache. Tomcat standalone does the job *very* nicely for what we need. – NoozNooz42 Jun 10 '10 at 18:57
  • @splix: because Tomcat is written in Java, it is immune to buffer overrun/overflow, which gets rid of *many* of the typical security exploits. Did you know that one of the authors of several Apache/Tomcat connectors was a big advocate of running Tomcat in standalone mode? :) I know, I know, by doing *this* and *that* with Apache in front, it will be more secure... Until the next buffer overrun/overflow du-jour comes and I need to patch Apache ;) – NoozNooz42 Jun 10 '10 at 18:59
  • @splix: by one of the Tomcat devs on the Tomcat dev mailing list: http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C470F655D.9060401@schoenhaber.de%3E This is *exactly* my position on the topic, from the link: *the claim one can sometimes read that you should always put an httpd in front of Tomcat is complete nonsense IMO. The opposite is true.* – NoozNooz42 Jun 10 '10 at 19:22
  • I was going to add the bit about uncommenting AccessLogValve in my answer to your original post :) but slipped my mind. Glad you got it working. – JoseK Jun 11 '10 at 05:17
  • Answer to question "Does "Tomcat standalone" log every HTTP GET request by default?" is NO. It only logs completed requests – vsingh Apr 05 '17 at 18:16

1 Answer

60

It doesn't log requests by default, but will do if you uncomment this valve in conf/server.xml:

<Valve className="org.apache.catalina.valves.AccessLogValve"
    directory="logs" prefix="localhost_access_log." suffix=".txt"
    pattern="common" resolveHosts="false"/>
Richard Fearn
  • From the docs: WARNING: Using this valve has side-effects. The output from this valve includes any parameters included with the request. The parameters will be decoded using the default platform encoding. Any subsequent calls to request.setCharacterEncoding() within the web application will have no effect. Note: this Valve is now deprecated in favor of the RequestDumperFilter, which does the same thing in a portable manner. This Filter is included in the examples application: see $CATALINA_HOME/webapps/examples/WEB-INF/classes/filters for the source. – haui Sep 22 '15 at 10:49
  • Apache Docs also says: To use a more optimized access log valve designed for production use, you MUST set this attribute [className] to org.apache.catalina.valves.FastCommonAccessLogValve. In this case, only the common and combined patterns are supported. – user2602807 Nov 11 '16 at 13:31
  • How would it work with embedded tomcat container? I am currently working on a project with technology stack of Spring-boot with embedded container. TeeFilter from logback seems to be a good solution for this use case, however, it is not recommended to use in production. So I am wondering if this can be used in production... – imarchuang Jan 01 '18 at 03:51
  • Can it tell me if it came through HTTP or HTTPS? (Assuming I configured both Connectors) – Diego Ramos Jan 12 '21 at 22:52
  • @DiegoRamos I think the best you can do is to make the `AccessLogValve` log the local port, by adding `%p` to the valve's `pattern`. Then you would see (e.g.) `8080` for HTTP or `8443` for HTTPS. – Richard Fearn Jan 13 '21 at 16:21
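
Added example (not part of the question, the answer or any comment above): once the `AccessLogValve` is enabled, the web-bug hits can be counted from the access log and split by connector port. It assumes the valve's `pattern` is set to `%h %l %u %t "%r" %s %b %p`, i.e. the fields of `common` with `%p` appended as suggested in the last comment; the function names and all sample lines except the first (taken from the question, with a port added) are constructed.

```python
import re
from collections import Counter

# Assumed valve pattern (an assumption, not from the page):
#   pattern='%h %l %u %t "%r" %s %b %p'   -> "common" fields plus local port
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: (?P<port>\d+))?$'
)

# Constructed sample input; only the first request line comes from the question.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jun/2010:11:38:53 +0530] "GET /mywebapp/jsp/invisible.jpg?1276150133362 HTTP/1.1" 200 991 8080
192.0.2.10 - - [10/Jun/2010:11:39:02 +0530] "GET /mywebapp/jsp/invisible.jpg?1276150142001 HTTP/1.1" 200 991 8443
192.0.2.10 - - [10/Jun/2010:11:39:05 +0530] "GET /mywebapp/index.jsp HTTP/1.1" 200 5120 8443
192.0.2.11 - - [10/Jun/2010:11:40:11 +0530] "POST /mywebapp/login HTTP/1.1" 302 - 8443
192.0.2.12 - - [10/Jun/2010:11:41:00 +0530] "GET /mywebapp/jsp/invisible.jpg HTTP/1.1" 304 - 8080
this line is not an access log entry
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    if len(parts) != 3:
        return None  # malformed request line
    rec["method"], target, rec["protocol"] = parts
    # %r logs the full request line, so the query string is in the log too.
    rec["path"], _, rec["query"] = target.partition("?")
    return rec

def count_hits(log_text, path, method="GET"):
    """Count requests for `path` per (client, local port); also count unparsed lines."""
    hits, skipped = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["method"] == method and rec["path"] == path:
            hits[(rec["host"], rec["port"])] += 1
    return hits, skipped

if __name__ == "__main__":
    hits, skipped = count_hits(SAMPLE_LOG, "/mywebapp/jsp/invisible.jpg")
    for (host, port), n in sorted(hits.items()):
        print(f"{host} port={port} hits={n}")
    print(f"total={sum(hits.values())} unparsed={skipped}")
```

Matching on the parsed path rather than grepping for the file name keeps the cache-busting query string from affecting the count, and the unparsed-line counter shows when the log format differs from the assumed pattern.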