Send Apache 2.4 access log to Graylog over TCP

Graylog accepts a format called GELF, short for Graylog Extended Log Format. A GELF message looks like straightforward JSON, but Apache 2.4 logs are not in JSON format. This short blog post explains three things:

  1. Configure Apache 2.4’s /etc/apache2.conf to log GELF
  2. Configure Apache 2.4’s site /etc/apache2/sites-enabled/000-default.conf to pass new log lines to a custom shell script
  3. Create a shell script that sends information to the Graylog server using TCP

Configure /etc/apache2.conf to log GELF format

  • Edit /etc/apache2.conf
  • Notice some existing LogFormat declarations. Below those declarations, add this line
  • Apache will create a GELF log format that is consumed by our site’s custom logging

Configure /etc/apache2/sites-enabled/000-default.conf to consume GELF log

  • Edit /etc/apache2/sites-enabled/000-default.conf
  • Notice some existing ErrorLog and CustomLog declarations. Below those declarations, add this line
  • We are instructing Apache’s default site to consume logged information and send it to test.sh script

Create a shell script to send information to Graylog over TCP

/home/me/test.sh

Make this file executable:

Restart Apache (Ubuntu 16.04)

Watch data in Graylog
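
As an added example (not the original post's code), the script below shows one way a piped-log script can prepare and send each line: GELF over TCP expects every message to end with a null byte, and Apache writes non-printable request bytes as \xhh, which is not a valid JSON escape. The Apache directives in the comments, the "gelf" nickname, the host name graylog.example.internal, port 12201 and the use of nc are assumptions.

```sh
#!/bin/sh
# Added example; not the original post's test.sh.
# Assumed Apache directives (the "gelf" nickname, the _-prefixed fields and the
# host name are illustrative; version/host/short_message are GELF's required keys):
#   LogFormat "{\"version\":\"1.1\",\"host\":\"%V\",\"short_message\":\"%r\",\"timestamp\":%{sec}t,\"_client\":\"%a\",\"_status\":%>s,\"_bytes\":%B}" gelf
#   CustomLog "|/home/me/test.sh graylog.example.internal 12201" gelf

# Apache backslash-escapes client-controlled fields such as %r, so a quote in
# a request cannot break out of the JSON string. Its \xhh (and \v) escapes are
# not valid JSON though, so rewrite them as \u00hh and keep every other escape.
fix_escapes() {
  bs='\'; rest=$1; out=
  while after=${rest#*"$bs"}; [ "$after" != "$rest" ]; do
    out=$out${rest%%"$bs"*}          # copy text before the next backslash
    rest=$after                      # now positioned just after that backslash
    case $rest in
      x[0-9A-Fa-f][0-9A-Fa-f]*) out=$out${bs}u00; rest=${rest#x} ;;
      v*) out=$out${bs}u000b; rest=${rest#v} ;;
      *)  out=$out$bs${rest%"${rest#?}"}; rest=${rest#?} ;;   # \\ \" \n \t ...
    esac
  done
  printf '%s\n' "$out$rest"
}

# GELF over TCP delimits messages with a trailing null byte, not a newline.
gelf_frame() {
  printf '%s\0' "$1"
}

# Read Apache's log lines from stdin and stream them over one TCP connection.
# If nc exits (Graylog unreachable), the pipeline ends and Apache respawns it.
main() {
  while IFS= read -r line; do
    gelf_frame "$(fix_escapes "$line")"
  done | nc "$1" "${2:-12201}"
}

# Only run when Apache passes the Graylog host (and optional port) as arguments.
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

The connection is plain TCP, so log lines (client addresses, request paths) cross the network unencrypted unless the Graylog input sits on a trusted segment or behind a TLS-enabled input.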

Resources

Several resources helped in this journey