NotionCommotion Posted December 16, 2014

I am trying to learn how to properly log errors. While not my primary topic of this post, I would appreciate any comments on the below script and whether I am doing it "right".

Specifically, I am trying to write error_log to a file. I run the below code, and get the following response. The first two were expected, but I cannot open validation.log to write to it. I've even made it 0777 but still cannot do so (see the bottom of this post). I've noticed that all the other log files are owned by root with limited permissions, so I would think that I shouldn't have even needed to change the permissions. What am I doing wrong? Thank you

    An error occurred in script '/var/www/test/html/testing/errors.php' on line 8: Undefined variable: divisor (error no:
    An error occurred in script '/var/www/test/html/testing/errors.php' on line 14: Cannot divide by zero (error no: 256)
    An error occurred in script '/var/www/test/html/testing/errors.php' on line 19: error_log(/var/log/httpd/test/validation.log): failed to open stream: Permission denied (error no: 2)

    <?php
    class test extends base_class
    {
        public function testError()
        {
            syslog(LOG_INFO,'Use this for troubleshooting and not errors?');
            $x=$divisor; // $divisor is undefined here, which raises the first notice
        }
        public function testTrigger()
        {
            $divisor=0;
            if ($divisor == 0) {
                trigger_error("Cannot divide by zero", E_USER_ERROR);
            }
        }
        public function customErrorLogs()
        {
            // message type 3: PHP itself appends the message to the given file
            error_log("Some validation error.", 3, "/var/log/httpd/test/validation.log");
        }
    }

    abstract class base_class
    {
        public function __construct()
        {
            //Should this be setup in httpd.conf?
            ini_set('display_errors', 1);
            error_reporting(E_ALL);
            set_error_handler(array($this,"my_error_handler"));
            //Log all to LOG_LOCAL0 which /etc/rsyslog.conf will send to /var/log/test/syslog.log
            openlog('custom_log', LOG_NDELAY, LOG_LOCAL0);
        }
        public function my_error_handler($errno, $errstr, $errfile, $errline, $errcontext)
        {
            $message = "An error occurred in script '$errfile' on line $errline: $errstr (error no: $errno)";
            if (true || in_array(substr($_SERVER['HTTP_HOST'], 0, 5), array('local', '127.0', '192.1'))) {
                echo $message.'<hr>';
            } else {
                error_log ($message);
                if ( ($errno != E_NOTICE) && ($errno < 2048)) {
                    exit('<div class="error">A system error occurred. We apologize for the inconvenience.</div>');
                }
            }
        }
    }

    $test=new test();
    $test->testError();
    $test->testTrigger();
    $test->customErrorLogs();
    ?>

    [root@devserver test]# pwd
    /var/log/httpd/test
    [root@devserver test]# ls -l
    total 456828
    -rw-r--r--. 1 root    root  54840026 Dec 16 08:29 access.log
    -rw-r--r--. 1 root    root   2606759 Dec 16 07:13 error.log
    -rw-r--r--. 1 root    root  24020851 Dec 16 08:29 forwarded.log
    -rw-r--r--. 1 root    root  54840026 Dec 16 08:29 log
    -rw-r--r--. 1 root    root 331450147 Dec 16 08:29 rewrite
    -rw-------. 1 root    root       332 Dec 16 08:29 syslog.log
    -rwxrwxrwx. 1 Michael www          0 Dec 16 08:27 validation.log
    [root@devserver test]#

Link to comment https://forums.phpfreaks.com/topic/293129-error_log-to-file/

requinix Posted December 16, 2014

PHP needs not just write permission on the file itself but also execute permission on all the parent directories.

NotionCommotion Posted December 16, 2014

> PHP needs not just write permission on the file itself but also execute permission on all the parent directories.

Ah, I see. But why can I write to error.log which is in the same directory?

PS. Sorry about that earlier post and thank you for deleting it. Curious, though, why it showed zero views....

requinix Posted December 16, 2014

> But why can I write to error.log which is in the same directory?

You can't. It's writable only by root and I'm sure you're not running as root.

NotionCommotion Posted December 16, 2014

> You can't. It's writable only by root and I'm sure you're not running as root.

But I am. To be extra sure, I emptied the file using vi. At first it wouldn't log errors, but I restarted Apache which resulted in a "[warn] RSA server certificate CommonName (CN)" error, and then they are being logged here. Maybe the file can't be empty?

I did the same with syslog, and at first it wasn't being written to, but after restarting rsyslog, it too is being written to. I guess this one makes more sense because I think PHP is just invoking root's syslog.

And, no I am not running as root. I tested that with get_current_user(), and am running as phped.

    [root@devserver test]# pwd
    /var/log/httpd/test
    [root@devserver test]# ls -l
    total 455756
    -rw-r--r--. 1 root root  54859022 Dec 16 12:13 access.log
    -rw-r--r--. 1 root root      1097 Dec 16 12:16 error.log
    -rw-r--r--. 1 root root  24027750 Dec 16 12:13 forwarded.log
    -rw-r--r--. 1 root root  54859022 Dec 16 12:13 log
    -rw-r--r--. 1 root root 332912008 Dec 16 12:13 rewrite
    -rw-------. 1 root root      1514 Dec 16 12:13 syslog.log
    [root@devserver test]# vi error.log
    [root@devserver test]# vi syslog.log
    [root@devserver test]# ls -l
    total 455748
    -rw-r--r--. 1 root root  54859022 Dec 16 12:13 access.log
    -rw-r--r--. 1 root root         0 Dec 16 12:18 error.log
    -rw-r--r--. 1 root root  24027750 Dec 16 12:13 forwarded.log
    -rw-r--r--. 1 root root  54859022 Dec 16 12:13 log
    -rw-r--r--. 1 root root 332912008 Dec 16 12:13 rewrite
    -rw-------. 1 root root         0 Dec 16 12:18 syslog.log
    [root@devserver test]# # Use PHP
    [root@devserver test]# ls -l
    total 455748
    -rw-r--r--. 1 root root  54859195 Dec 16 12:19 access.log
    -rw-r--r--. 1 root root         0 Dec 16 12:18 error.log
    -rw-r--r--. 1 root root  24027834 Dec 16 12:19 forwarded.log
    -rw-r--r--. 1 root root  54859195 Dec 16 12:19 log
    -rw-r--r--. 1 root root 332913148 Dec 16 12:19 rewrite
    -rw-------. 1 root root         0 Dec 16 12:18 syslog.log
    [root@devserver test]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    [root@devserver test]# service rsyslog restart
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
    [root@devserver test]# # Use PHP
    [root@devserver test]# ls -l
    total 455756
    -rw-r--r--. 1 root root  54859368 Dec 16 12:19 access.log
    -rw-r--r--. 1 root root       856 Dec 16 12:19 error.log
    -rw-r--r--. 1 root root  24027918 Dec 16 12:19 forwarded.log
    -rw-r--r--. 1 root root  54859368 Dec 16 12:19 log
    -rw-r--r--. 1 root root 332914288 Dec 16 12:19 rewrite
    -rw-------. 1 root root       133 Dec 16 12:19 syslog.log
    [root@devserver test]# cat error.log
    [Tue Dec 16 12:19:33 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
    [Tue Dec 16 12:19:34 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
    [Tue Dec 16 12:19:48 2014] [error] [client 192.168.1.1] An error occurred in script '/var/www/test/html/testing/errors.php' on line 11: Undefined variable: divisor (error no:
    [Tue Dec 16 12:19:48 2014] [error] [client 192.168.1.1] An error occurred in script '/var/www/test/html/testing/errors.php' on line 17: Cannot divide by zero (error no: 256)
    [Tue Dec 16 12:19:48 2014] [error] [client 192.168.1.1] An error occurred in script '/var/www/test/html/testing/errors.php' on line 23: error_log(/var/log/httpd/test/validation.log): failed to open stream: Permission denied (error no: 2)
    [root@devserver test]# cat syslog.log
    Dec 16 12:19:48 devserver custom_log: Use this for troubleshooting and not errors?
    Dec 16 12:19:48 devserver custom_log: Some error?
    [root@devserver test]#

Edited December 16, 2014 by NotionCommotion

LeJack Posted December 16, 2014

Scratch it.

Edited December 16, 2014 by LeJack

NotionCommotion Posted December 16, 2014

> Scratch it.

Please elaborate.

LeJack Posted December 16, 2014

> Please elaborate.

Was going to tell you that the logs folder and www folder are two different folders so you might want to chmod 77 www and not the logs folder, but I saw that you have chmod 777 www already so I scratched off what I was going to say.

requinix Posted December 16, 2014

Okay, easy question: What are the permissions on /var/log/httpd and /var/log/httpd/test?

NotionCommotion Posted December 16, 2014

> Okay, easy question: What are the permissions on /var/log/httpd and /var/log/httpd/test?

Maybe I have Apache running as root? Yikes, that wouldn't be good...

    drwx------. 4 root root 4096 Dec 14 03:06 httpd
    drwxr-xr-x. 2 root root 4096 Dec 16 13:20 test

requinix Posted December 16, 2014

So only root can access /var/log/httpd - that's why you're having problems.

And yes, definitely don't run as root.

NotionCommotion Posted December 16, 2014

Thank you requinix,

So, if only root can access /var/log/httpd, and I am evidently doing so with Apache, then I must be running Apache as root, right? Guess that explains it.

    [root@devserver ~]# ps aux | egrep '(apache|httpd)'
    root     17936  0.0  0.1 404344 14592 ?        Ss   13:20   0:00 /usr/sbin/httpd
    apache   17938  0.0  0.1 506148 18172 ?        S    13:20   0:00 /usr/sbin/httpd
    apache   17939  0.0  0.1 502068 14096 ?        S    13:20   0:00 /usr/sbin/httpd
    apache   17940  0.0  0.1 506932 21532 ?        S    13:20   0:01 /usr/sbin/httpd
    apache   17941  0.0  0.1 508464 22892 ?        S    13:20   0:01 /usr/sbin/httpd
    apache   17942  0.0  0.1 506688 18480 ?        S    13:20   0:00 /usr/sbin/httpd
    apache   17943  0.0  0.1 501992 13764 ?        S    13:20   0:03 /usr/sbin/httpd
    apache   17944  0.0  0.1 506536 18460 ?        S    13:20   0:00 /usr/sbin/httpd
    apache   17945  0.0  0.1 506296 18296 ?        S    13:20   0:00 /usr/sbin/httpd
    root     19375  0.0  0.0 101024   848 pts/0    S+   14:20   0:00 egrep (apache|httpd)
    [root@devserver ~]# ps aux | grep apache2
    root     19377  0.0  0.0 103252   840 pts/0    S+   14:20   0:00 grep apache2
    [root@devserver ~]# ps axo user,group,comm | grep apache
    apache   apache   httpd
    apache   apache   httpd
    apache   apache   httpd
    apache   apache   httpd
    apache   apache   httpd
    apache   apache   httpd
    apache   apache   httpd
    apache   apache   httpd
    [root@devserver ~]#

requinix Posted December 16, 2014

Not sure what distro you're using but somewhere is configuration that tells what user/group Apache should switch to after launching.

NotionCommotion Posted December 18, 2014

Hello again,

Looking back at outputs of "ps aux | grep httpd" and similar, it doesn't seem I am running Apache as root. I asked similar questions at http://www.linuxquestions.org/questions/linux-newbie-8/am-i-running-apache-as-the-root-user-4175528496/, and the consensus is I am not running Apache as root.

Then why can I write to /var/log/httpd/test/errors.php using PHP when it is only open to root?

requinix Posted December 18, 2014

Is the

    root     17936  0.0  0.1 404344 14592 ?        Ss   13:20   0:00 /usr/sbin/httpd

from earlier still there? Apache can switch from root to another user, but not the other way.

kicken Posted December 18, 2014

Pretty sure apache initially opens its log files as root, then the child processes handling requests inherit the open file handles. PHP on the other hand would be running as whatever user/group the child processes run as which would result in permission errors.

If you pre-create your validation.log file, then you should just need write permission on it, and at least execute permission on directories leading up to it. If you expect PHP to create it if it does not exist, then you'd need write permission on the file's directory as well.
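
The inheritance described in the post above, reproduced with a plain file in place of Apache. This is an added example, not code from the thread; `inherited_vs_fresh` and the uid/gid 65534 used when it is run as root are assumptions.

```python
import os
import tempfile

NOBODY = 65534  # assumed uid/gid of an unprivileged account, used only when run as root

def inherited_vs_fresh():
    """Return (log contents, outcome of a fresh open) once access has been removed."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "httpd")
        os.mkdir(log_dir)
        log = os.path.join(log_dir, "error.log")
        # The "parent" opens the log while it still has access, as Apache does at startup.
        fd = os.open(log, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o644)
        os.chmod(log_dir, 0o000)  # from here on only root can reach the path
        r, w = os.pipe()
        pid = os.fork()
        if pid == 0:  # the "worker": it inherits fd and the pipe
            try:
                if os.geteuid() == 0:  # give up root, as the request-handling children do
                    os.setgroups([])
                    os.setgid(NOBODY)
                    os.setuid(NOBODY)
                # Permission was checked when fd was opened, not on each write.
                os.write(fd, b"written through the inherited descriptor\n")
                try:
                    # What error_log($msg, 3, $file) has to do: open the path itself.
                    os.close(os.open(log, os.O_WRONLY | os.O_APPEND))
                    outcome = b"opened"
                except PermissionError:
                    outcome = b"denied"
                os.write(w, outcome)
            finally:
                os._exit(0)
        os.close(w)
        fresh = os.read(r, 16).decode()
        os.close(r)
        os.waitpid(pid, 0)
        os.chmod(log_dir, 0o700)  # restore access so the file can be read and removed
        os.close(fd)
        with open(log) as handle:
            return handle.read(), fresh

if __name__ == "__main__":
    print(inherited_vs_fresh())
```

The write through the already-open descriptor succeeds while opening the same path again is refused, which is the difference between Apache's own error log and a file PHP opens for itself.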

NotionCommotion Posted December 18, 2014

> Is the
>
>     root     17936  0.0  0.1 404344 14592 ?        Ss   13:20   0:00 /usr/sbin/httpd
>
> from earlier still there? Apache can switch from root to another user, but not the other way.

Yes it is. What is the relevance?

NotionCommotion Posted December 18, 2014

> Pretty sure apache initially opens its log files as root, then the child processes handling requests inherit the open file handles. PHP on the other hand would be running as whatever user/group the child processes run as which would result in permission errors.
>
> If you pre-create your validation.log file, then you should just need write permission on it, and at least execute permission on directories leading up to it. If you expect PHP to create it if it does not exist, then you'd need write permission on the file's directory as well.

I've tried making it 777, but still couldn't write to validation.log when it was located in /var/log/httpd/test.

I think I have a theory.

When I use the following, PHP passes the error to the SAPI Error Logger which is running as root, and thus could write to that directory and file. Still a little hazy on what the SAPI Error Logger really is, but I expect it is some system wide process for writing to the log.

    error_log ('Hello');

Reference: http://php.net/manual/en/errorfunc.configuration.php#ini.error-log

> error_log string
>
> Name of the file where script errors should be logged. The file should be writable by the web server's user. If the special value syslog is used, the errors are sent to the system logger instead. On Unix, this means syslog(3) and on Windows NT it means the event log. The system logger is not supported on Windows 95. See also: syslog(). If this directive is not set, errors are sent to the SAPI error logger. For example, it is an error log in Apache or stderr in CLI. See also error_log().

On the other hand, when I use the following, it is being written by php, thus even if php has permission to write to the file, php doesn't have execute permission on all the parent directories.

    error_log("Some validation error.", 3, "/var/log/httpd/test/validation.log");

Make sense?

kicken Posted December 18, 2014

> I've tried making it 777, but still couldn't write to validation.log when it was located in /var/log/httpd/test.

Yes, because of:

    drwx------. 4 root root 4096 Dec 14 03:06 httpd

Unless you've changed that, PHP doesn't have execute permissions on that directory, hence the file is not accessible.
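
A way to find which path component is responsible, written here as an added example and not taken from the thread. The names `can`, `first_blocker` and `demo`, the temporary copy of the thread's directory layout and the stand-in uid are constructed; only classic mode bits are evaluated, so ACLs, SELinux contexts and capabilities are ignored.

```python
import os
import tempfile

def can(st, uid, gids, want):
    """Classic Unix mode check: choose owner, group or other bits, then test the mask."""
    if uid == 0:
        return True  # root is not stopped by directory search or file write bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def first_blocker(path, uid, gids, start=os.sep):
    """Return (path, reason) for the first obstacle to appending to `path`, else None.

    Directories below `start` are checked; `start` itself is assumed reachable.
    """
    path, current = os.path.abspath(path), os.path.abspath(start)
    parent = os.path.dirname(path)
    rel = os.path.relpath(parent, current)
    for name in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, name)
        if not can(os.stat(current), uid, gids, 1):
            return current, "no search (x) permission on directory"
    if os.path.exists(path):
        if not can(os.stat(path), uid, gids, 2):
            return path, "no write (w) permission on file"
    elif not can(os.stat(parent), uid, gids, 3):
        return parent, "file is missing and its directory is not writable"
    return None

def demo():
    """Constructed copy of the thread's layout, checked for a uid that owns nothing."""
    with tempfile.TemporaryDirectory() as root:
        httpd = os.path.join(root, "httpd")
        log = os.path.join(httpd, "test", "validation.log")
        os.makedirs(os.path.dirname(log))
        open(log, "w").close()
        os.chmod(httpd, 0o700)                  # drwx------ httpd
        os.chmod(os.path.dirname(log), 0o755)   # drwxr-xr-x test
        os.chmod(log, 0o777)                    # -rwxrwxrwx validation.log
        st = os.stat(log)
        who = (st.st_uid + 1, {st.st_gid + 1})  # stand-in for the PHP user
        before = first_blocker(log, *who, start=root)
        os.chmod(httpd, 0o711)                  # search-only for group and other
        after = first_blocker(log, *who, start=root)
        return os.path.relpath(before[0], root), before[1], after

if __name__ == "__main__":
    print(demo())
```

On a real host, call `first_blocker` with the web server account's uid and group ids and leave `start` at its default.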

NotionCommotion Posted December 18, 2014

And do you agree with my theory that error_log ('Hello') is written by the SAPI Error Logger (and thus root) while error_log("Hello.", 3, "/var/log/httpd/test/validation.log") is written by PHP?

requinix Posted December 18, 2014

Yup. That's exactly the case. error_log('Hello') has PHP telling Apache what to log, so Apache is the one doing the logging. Using error_log() to write to a specific file has PHP doing the logging.

kicken Posted December 19, 2014

Technically error_log('Hello')'s behavior would depend on what the error_log ini directive is. If in PHP.ini you set up error_log=/var/log/httpd/test/validation.log then the two calls should be equivalent, including the permissions problems.

In general though people tend to not set up error_log to point to a specific file so it ends up going to the SAPI's default handler which is Apache's error log in the case of mod_php.

NotionCommotion Posted December 19, 2014

Thank you requinix and kicken,

Witnessing unexplained behavior always concerns me, and I am relieved to know why it does what it does.