PHP messages are often stored in the HTTP server logs. It is easier to watch for security issues when PHP errors are sent to a central location. This guide use syslog to store PHP messages in “/var/log/php.log”.

This howto is tested on:

  • Debian 10.0 Buster

Requirements

This howto requires:

Settings

Set the PHP messages log file path:

logPath='/var/log/php.log'

Installation

Detect if sudo is available (“command” is used if not):

cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Set the default log file owner:

logOwner='root'

RSyslog

Detect RSyslog log file owner:

logOwner="$(command grep '$FileOwner' '/etc/rsyslog.conf' \
    | command cut --delimiter=' ' --fields=2)"

Configure RSyslog to store PHP messages in a central log file:

[ -d '/etc/rsyslog.d' ] \
  && ${cmdProxy} tee '/etc/rsyslog.d/40-php.conf' \
    <<< "# Log PHP messages to ${logPath}.
:msg,regex,\"^[w: ]*PHP \" ${logPath}
:msg,startswith,\"  [wrapped:\" ${logPath}
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging PHP log messages to syslog default file.
& ~"

Create PHP log file and set its owner and access rights:

if [ -d '/etc/rsyslog.d' ]; then
  ${cmdProxy} touch "${logPath}"
  ${cmdProxy} chown "${logOwner}:adm" "${logPath}"
  ${cmdProxy} chmod 640 "${logPath}"
fi

Reload RSyslog configuration:

[ -d '/etc/rsyslog.d' ] && ${cmdProxy} systemctl 'force-reload' 'rsyslog'

Syslog-NG

Configure Syslog-NG to store PHP messages in a central log file:

[ -d '/etc/syslog-ng/conf.d' ] \
  && ${cmdProxy} tee '/etc/syslog-ng/conf.d/php.conf' \
      <<< "########################
# PHP messages
########################

destination d_php { file(\"${logPath}\"); };
filter f_php { program(\"^php\"); };
log { source(s_src); filter(f_php); destination(d_php); };"

Create PHP log file and set its owner and access rights:

if [ -d '/etc/syslog-ng/conf.d' ]; then
  ${cmdProxy} touch "${logPath}"
  ${cmdProxy} chown "${logOwner}:adm" "${logPath}"
  ${cmdProxy} chmod 640 "${logPath}"
fi

Reload Syslog-NG configuration:

[ -d '/etc/syslog-ng/conf.d' ] && ${cmdProxy} systemctl 'reload' 'syslog-ng'

PHP

Configure PHP to log messages to syslog:

${cmdProxy} php-tools --add-mod --mod-name 'syslog' \
    --mod-settings '; PHP errors logged to syslog:
error_log = syslog'

Reload PHP configuration:

${cmdProxy} php-tools --reload

Show PHP messages with:

${cmdProxy} tail -f "${logPath}"

Log rotation

Setup the rotation of PHP logs:

${cmdProxy} tee "/etc/logrotate.d/php" \
<<< "${logPath} {
 weekly
 missingok
 rotate 4
 compress
 delaycompress
 notifempty
 create 640 ${logOwner} adm
}

${logPath}.slow {
 weekly
 missingok
 rotate 4
 compress
 delaycompress
 notifempty
 create 644 www-data adm
}"

Next step

This howto recommends:

Thanks

Categories: PHPSyslog

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.