I have a PHP application running via AWS Elastic Beanstalk. But the PHP error logs don't seem to be included in CloudWatch alongside the access logs, etc. How do I send them to CloudWatch?
Based on some spelunking, the php error logs seem to be sent to /var/logs/php-fpm/www-error.log, decided by the setting in /etc/php-fpm.d/www.conf:
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
The only logs sent to CloudWatch for PHP based on the info here are:
/var/log/eb-engine.log
/var/log/eb-hooks.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
You could add custom configuration to have the CloudWatch agent pick up the correct file. Or, you could just add the php error messages to a file already being sent. This can be done via the following in a file .ebextensions/my.config:
/etc/php-fpm.d/www-my-overrides.conf:
mode: "000644"
owner: root
group: root
# For some reason, EB configures the php errors to go to /var/log/php-fpm/www-error.log,
# but doesn't include that file in the default log files sent to CloudWatch. This directs
# the log files to the error file that is being sent to CloudWatch
content: |
[www]
php_admin_value[error_log] = /var/log/httpd/error_log
I'm not sure but I think the www-my-overrides.conf file name needs to be alphabetically after www.confg in the same directory.
If you are using nginx, then you need to use /var/log/nginx/error.log as the error log target -- CloudWatch seems to ignore /var/log/httpd unless you use Apache, so even if you write to it, the changes won't show up in CloudWatch.
files:
/etc/php-fpm.d/www-my-overrides.conf:
mode: "000644"
owner: root
group: root
# For some reason, EB configures the php errors to go to /var/log/php-fpm/www-error.log,
# but doesn't include that file in the default log files sent to CloudWatch. This directs
# the log files to the error file that is being sent to CloudWatch
content: |
[www]
php_admin_value[error_log] = /var/log/nginx/error.log
Additionally, you need to make that file writeable by the php-fpm process which is run as webapp by default, plus you want to make sure it exists ... which it won't yet on new instance creation, so it's very important to do both commands:
container_commands:
01-command:
command: echo "-- DEPLOYMENT --" >> /var/log/nginx/error.log
02-command:
command: chmod 666 /var/log/nginx/error.log
Related
I cannot launch php-fpm on OpenSUSE.
When I run systemctl restart php-fpm.service
I receive the following error, after copying etc/php8/fpm/php-fpm.conf.default to etc/php8/fpm/php-fpm.conf
[25-Apr-2021 12:52:18] ERROR: failed to open configuration file '/etc/php8/fpm/php-fpm.conf': Permission denied (13)
[25-Apr-2021 12:52:18] ERROR: failed to load configuration file '/etc/php8/fpm/php-fpm.conf'
[25-Apr-2021 12:52:18] ERROR: FPM initialization failed
I had to switch to php7-fpm to make it works.
It seems that php-fpm does not work properly on OpenSUSE Tumbleweed.
No problem with apache mod php.
I had some of the issues as can be found in your post.
My setup:
php8 with nginx (fast-cgi NOT USING SOCK) works fine on my laptop
hardware: HP mobile workstation Compaq 8510w
Yes, I know, that is not the latest gear, but its very solid and stable.
It looks like it has been made for Linux!
Micros....urged me to upgrade it from W7 to W10
but left me alone with unsolvable issues. Their Troubleshooter told me
"Ask a friend" and that is what I did.
The friend said, try linux and that is why I am here now.
I never regretted and this is the only reason to say "Thank you Micros..."
Operating System: openSUSE Tumbleweed 20210
KDE Plasma Version: 5.22.5
KDE Frameworks Version: 5.85.0
Qt Version: 5.15.2
Kernel Version: 5.13.8-1-default (64-bit)
Graphics Platform: X11
Processors: 2 × Intel® Core™2 Duo CPU T9300 # 2.50GHz
Memory: 3.8 GiB of RA
Graphics Processor: AMD RV630
for peace of mind:
nginx and php have numerous safety-features.
Safety is very important, so keep an eye on the common IT-safety rules,
but be aware, that safety-rules can lock you out, if not implemented correctly.
Before doing any editing make backups of all original configuration files
for convenience:
I installed mc (Midnight Commander) and use nano as editor.
I added myself to the group wheel, so that I can use sudo without having to enter my password.
mc is very convenient for changing directories, jumping from file to file and editing configuration files, because you can use mc as root. Besides that you can easily change to the shell and back i.E to modify permissions or to use other shell-commands.
Further:
I created aliases in .bashrc enabling starting, stopping and checking
services with shortcuts.
alias sto='sudo systemctl stop $2'
alias str='sudo systemctl start $2'
alias rst='sudo systemctl restart $2'
alias sta='sudo systemctl status $2'
alias sn='sudo nano $2'
How to use them?
After editing your .bashrc do a
source .bashrc
To use these aliases you type the aliasname, a blank and the path to the file like for example for editing a file als sudo with nano try:
sn /etc/rc.local
or, to retrieve the status of php-fpm with just a few keystrokes:
sta php-fpm
I copied /etc/php8/php.ini to "php.ini.commented" and deleted all comments and non required options in the original
I also copied /etc/php8/cli/php.ini to php.ini.commented and deleted all
comments and non required options in the original
I did the same with /etc/php8/fpm/php-fpm.d/www.conf
for avoiding conflicts:
Before any other software operation, make sure that your system is running without errors.
Use
dmesg -l err
or
journalctl -b |grep error
Solve found errors first!
After verification you should execute a
sudo zypper dup
do not change more than 1 parameter per trial, when testing/modifying your configuration.
Check for result of modifications in logfiles after each step.
write comments in the modified config and -if using an advice from a website- paste the web-address as a comment since in a few days you might not remember why you configured as you did.
avoid multiple blanks in comments in configuration files, this can lead to a "parse error".
I use the pathnames as they are being configured by setup.
Do it like this, it will prevent problems after software-updates.
I did not use the original Tumbleweed user/group "wwwrun" and "www", instead I created a user "www-data" in group "www-data" exactly as in Raspberry debian 10.
with following commands
sudo chown -R www-data:www-data /srv
sudo chmod -R 755 /srv
I have changed ownership and permissions of all contents, that will be accessed by php-fpm.
In case you place symlinks in /srv/www/public to files elsewhere, you need to change the permissions in the files, the link is pointing to. For example if you create a symlink in /srv/www/public to your phpmyadmin data, you need to change the permissions for all files in /usr/share/mysql/phpmyadmin.
The user of the data in your pool /srv/www/public must be the same as the user, defined in /etc/nginx/nginx.conf, and
when using a pool named "public", user and group in the section [public] in /etc/php8/fpm/php-fpm.d/www.conf must also be the same .
This is crucial, most problems at startup of nginx are caused by wrong permissions.
STEP BY STEP
Begin with a basic setup, without any special features.
On request of friends I added my functional configuration files below
Do not copy configurations from it-specialists in the web, who might do complicated or exotic things, proxies, remote servers etc.
Especially if in those configurations there are expressions you don't understand , better don't use them.
Just get started, undo temporary solutions as soon as nginx is operational and make a backup of the first working basic configuration.
After that -but not earlier- you can start experimenting
Never use chmod 777 in any of the above directories, because that's is an invitation to get your system hacked.
Never change the mod 644, owner root:root in /var/log
The logfiles of php-fpm are being created and modified by root. Logfiles contain sensitive info.
Verify correct setup with:
ps -aux |grep php
The result should be similar to following lines. This means that php-fpm is being run by root:
root 1262 0.0 0.3 54024 13260 ? Ss 06:12 0:01 php-fpm: master process (/etc/php8/fpm/php-fpm.conf)
www-data 1335 0.0 0.2 54172 9576 ? S 06:12 0:00 php-fpm: pool public
Allowing access to anybody else is opening the doors for hackers. Keep in mind that you are using a browser to see your data, but other people may be able to browse them as well.
After having a running system it is easy to add further steps.
To start up there is no need for using sites-enabled in nginx
and you need to create just one pool in /etc/php8/fpm/php-fpm.d/www.conf
TROUBLESHOOTING FREQUENT ERRORS:
MySql-errors:
I presume here, that your mariadb/mysql has been setup correctly.
Missing or wrong permissions will cause "not found" errors.
Troubleshooting in mysql is documented very well and mysql has an interactive help function. Read the documentation and test access following steps of the mysql manuals. It would lead too far, to add a guide for that to this document.
php-fpm not starting:
failed to open configuration file '/etc/php8/fpm/php-fpm.conf': Permission denied (13)
With
sudo systemctl status php-fpm
you will find more details about what and how.
Possibly there is an access-issue when php-fpm tries creating a logfile "access.public.log" in /var/log by following the line access.log = "access.$pool.log" (look in file www.conf).
This error can be caused/suppressed by settings in apparmor.
Options are:
temporary disable apparmor
sudo systemctl stop apparmor
sudo systemctl disable apparmor
In openSUSE You can use Yast to configure apparmor
In case you made modifications the result can be found as below in:
/etc/apparmor.d/php-pfm
vim: ft=apparmor
profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected, complain) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
include <abstractions/php>
include <abstractions/ssl_certs>
include if exists <local/php-fpm>
include if exists <php-fpm.d>
capability chown,
capability dac_override,
capability kill,
capability net_admin,
capability setgid,
capability setuid,
signal send peer=php-fpm//*,
deny / rw,
/etc/php8/fpm/php-fpm.conf r,
/etc/php{,5,7}/* r,
/usr/sbin/php-fpm* rix,
owner /var/log/php*-fpm.log rw,
owner /var/log/public.acess.log rw,
#{PROC}/#{pid}/attr/{apparmor/,}current rw,
#{run}/php{,-fpm}/php*-fpm.pid rw,
#{run}/php{,-fpm}/php*-fpm.sock rwlk,
owner /etc/php8/fpm/php-fpm.d/www.conf r,
change_profile -> php-fpm//*,
}
or temporary comment the line
access.log = /var/log/$pool.access.log in your www.conf
To get started this file is not absolutely required
and commenting it helped me to suppress the "php-fpm could not be started" error.
The most important and detailed logfile is
/var/log/nginx/error.log
To debug, after every modification You should use
sudo tail -1 /var/log/nginx/error.log
You will see that most errors are permission errors either because mysql can't access your database or php-fpm can't use your php/html-files!
here my /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
#pid /run/nginx.pid; not required when using tcp
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
include /etch/nginx/conf.d/*.conf;
server {
listen 80;
server_name 127.0.0.1;
root /srv/www/public; # without this root instruction nqinx will use /usr/ as prefix and you will get a not found error!
error_page 500 502 503 504 /50x.html; # redirect server error pages to the static page /50x.html
location = /50x.html {
root /srv/www/htdocs/;
}
location ~ \.php$ { # 404
try_files $fastcgi_script_name =404;
include /etc/nginx/fastcgi_params;
# default fastcgi_params
# fastcgi settings
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
# fastcgi params
fastcgi_param DOCUMENT_ROOT /srv/www/public;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location / {
root /srv/www/public;
try_files $uri $uri/ =404;
index index.nginx-debian.html index.php index.html index.htm;
}
location ~ /\.ht {
# deny access to .htaccess files, if Apache's document root concurs with nginx's one
deny all;
}
include vhosts.d/*.conf;
}
}
filecontents of /etc/php8/fpm/php-fpm.d/www.conf
[public]
prefix = /srv/www/$pool
user = www-data
group = www-data
listen = 127.0.0.1:9000
;use these settings only if a socket is used
;listen.owner = www-data
;listen.group = www_data
;listen.mode = 0660
pm = static
pm.max_children = 1
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 500
; this optional feature is well documented in the file and further instructions for how to set it up can be found on the web
pm.status_path = /status
; if fpm-phm cannot start, temporary comment the two lines access.log, but reactivate the instructions as soon as php-fpm is operational
; if there are wrong permission-settings, php-fpm will not start
access.log = /var/log/$pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
catch_workers_output = yes
security.limit_extensions = .php .html
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 32M
file /etc/php8/fpm/php-fpm.conf
; FPM Configuration ;
[global]
process_control_timeout = 10
process.max = 128
daemonize = no
rlimit_core = 0
rlimit_files = 1024
events.mechanism = epoll
systemd_interval = 10
include=/etc/php8/fpm/php-fpm.d/*.conf
With this configuration I run several mysql-databases and content management as well as phpmyadmin.
The picture below is a screenshot of my Content Management System using a mysql database and self-designed forms in php-format.
In the location definitions there are no further instructions required, neither for loading stylesheets nor for pictures/movies.
A check with Google's developer tools in Chrome proofs, that all references and links to stylesheets, json-files and further directories have been found and that there are no errors.
Of course it took me some time to get all this running.
This answer may help everybody who wants to set up nginx and save time.
The documentation of nginx and php is complete and excellent. For most commands there is a --help option, man pages and a webpage.....
Yes, I know!
Help and man-pages are written by excellent IT-engineers,
some of these hexadecimal-thinking people might have difficultes
to translate their digital slang to human-understandable language.
That's why some pages are more confusing than helping.
Anyway, press the F1-key, try the help and forgive them.
Where would we be without them?
In my little network here, I am using a 24/7 running Raspberry Pi 3 B+ with 64 bit OS as server, that stores data on two USB drives.
The configuration for accessing local files on this server is nearly the same as the configuration on my laptop.
There are just two little differences:
On "debian buster" the application php8 is named php8.0 and a few directories have different names, so you can use above configuration files for Raspberry debian buster with the following restriction: the pertinent 'include' lines are different and need to be altered according to the location-names of the config-files .
My nginx.conf on the Raspberry-server has a few lines of extra code, in order to enable access to contents via DDNS, but that is a different chapter.
I would like to emphasize that I am not an IT-specialist. I have collected some experience in computing during my professional activities as mechanical engineer, all further know-how came from pressing the F1-key, reading forum-contributions, manuals, helpfiles, webpages and -not to forget- from made mistakes.
I hope that this may encourage others, to keep trying. Linux is structured very clearly and can be understood easily. Google errors, watch your logfiles attentively and enjoy the fun of finally running a fully operational php-fpm/nginx.
I need to remind you once more:
Don't forget to reset all temporary solutions.
Cheers
This is related to apparmor settings. Please edit /etc/apparmor.d/php-fpm:
19 /etc/php{,5,7,8}/** r,
to allow access to directory /etc/php8/ by php-fpm process.
Note: I am NOT talking about nginx' own access log. That one works fine. This questions is about enabling the php-fpm access.log.
Currently, I am trying to debug the FastCGI sent in stderr: “Primary script unknown” while reading response header from upstream error
One proposed option is to set the access.log entry in the php-fpm.d/www.conf.
access.log = /var/log/$pool.access.log
Now, I have a docker stack and my php-fpm container is build from the php:7.3-fpm-alpine image.
While I have figured out that it stores its php config files at:
/usr/local/etc/php
and I also found the www.conf at:
/usr/local/etc/php-fpm.d/www.conf
So in a local file I add the default content as provided by the image and add at the end:
php_flag[display_errors] = on
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
access.log = /var/log/$pool.access.log
and I copy that file during build into the docker container.
COPY ./.docker/php/www.conf /usr/local/etc/php-fpm.d/www.conf
Yet when I try to access my server, I don't see any log file being created on incoming requests.
What am I missing to activate the php-fpm access log? How can I figure out why I don't see any log?
The way to do this is to send the error and the access logs to the following address:
/proc/self/fd/2
So replace the "file" locations like so:
access.log = /proc/self/fd/2
error_log = /proc/self/fd/2
Then you should be able to inspect the fpm-logs with docker logs [container-id]
I am running a website using AWS Elastic Beanstalk. In AWS Elastic Beanstalk, the default upload_max_filesize in php.ini is limited to 2M. I want to increase the upload_max_filesize to 20M. I do the following thing and 'Upload and Deploy' EBS by uploading the new application source codes with the new 99my_php_ini_change.config. But it does not automatically create the /etc/php.d/zzz_my_own_php.ini. I also
'Create New Application' using Elastic Beanstalk, but I did not see the file /etc/php.d/zzz_my_own_php.ini was successfully created either.
Where is the error?
I thing I did was:
put file 99my_php_ini_change.config inside folder .ebextensions under application root.
99my_php_ini_change.config contains :
files:
"/etc/php.d/zzz_my_own_php.ini" :
mode: "000644"
owner: root
group: root
content: |
upload_max_filesize=20M
Do you see any error messages in the log file at /var/log/eb-activity.log? You can view the full log file by doing an eb ssh, or you can retrieve it through the EB console or from the command-line using eb logs. If there are any errors, please show your log file here.
Also, YAML files are very sensitive to whitespace. You might try the following instead (notice the two spaces per indent level, lack of space before the colon, and lack of newline):
files:
"/etc/php.d/zzz_my_own_php.ini":
mode: "000644"
owner: root
group: root
content: |
upload_max_filesize=20M
Where can I find error log files?
I need to check them for solving an internal server error shown after installing suPHP.
You can use lsof to find open logfiles on your system. lsof just gives you a list of all open files.
Use grep for "log" ... use grep again for "php" (if the filename contains the strings "log" and "php" like in "php_error_log" and you are the root user you will find the files without knowing the configuration).
lsof | grep log
... snip
gmain 12148 12274 user 13r REG 252,1 32768 661814 /home/user/.local/share/gvfs-metadata/home-11ab0393.log
gmain 12148 12274 user 21r REG 252,1 32768 662622 /home/user/.local/share/gvfs-metadata/root-56222fe2.log
gvfs-udis 12246 user mem REG 252,1 55384 790567 /lib/x86_64-linux-gnu/libsystemd-login.so.0.7.1
==> apache 12333 user mem REG 252,1 55384 790367 /var/log/http/php_error_log**
... snip
lsof | grep log | grep php
**apache 12333 user mem REG 252,1 55384 790367 /var/log/http/php_error_log**
... snip
Also see this article on finding open logfiles: Find open logfiles on a Linux system
It works for me. How can we log all PHP errors to a log file?
Just add the following line to file /etc/php.ini to log errors to specified file – file /var/log/php-scripts.log
vi /etc/php.ini
Modify the error_log directive:
error_log = /var/log/php-scripts.log
Make sure display_errors is set to Off (no errors to end users):
display_errors = Off
Save and close the file. Restart the web server:
/etc/init.d/httpd restart
How do I log errors to syslog or Windows Server Event Log?
Modify error_log as follows:
error_log = syslog
How can we see logs?
Login using ssh or download a log file /var/log/php-scripts.log using SFTP:
sudo tail -f /var/log/php-scripts.log
On CentOS with cPanel installed, my logs were in:
/usr/local/apache/logs/error_log
To watch: tail -f /usr/local/apache/logs/error_log
It depends on what OS you are using and which web server.
On Linux and Apache, you can find the Apache error_log in folder /var/log/apache2/.
This will definitely help you,
Enable PHP error logging
Or
In php.ini (vim /etc/php.ini or sudo vim /usr/local/etc/php/7.1/php.ini)
display_errors = Off
log_errors = On
error_log = /var/log/php-errors.log
Make the log file, and writable by user www-data:
sudo touch /var/log/php-errors.log
/var/log/php-errors.log
sudo chown <owner>:www
I am using CentOS 6.6 with Apache and for me error log files are in:
/usr/local/apache/log
This is a preferable answer in most use cases, because it allows you to decouple execution of the software from direct knowledge of the server platform, which keeps your code much more portable. If you are doing a lot of cron or CGI, this may not help directly, but it can be set into a configuration at web runtime that the cron and CGI scripts pull from to keep the log location consistent in that case.
You can get the current log file assigned natively to PHP on any platform at runtime by using:
ini_get('error_log');
This returns the value distributed directly to the PHP binary by the web server, which is what you want in 90% of use cases (with the glaring exception being CGI). CGI will often log to this same location as the HTTP web server client, but not always.
You will also want to check that it is writeable before committing anything to it to avoid errors. The configuration file that defines its location (typically either file apache.conf globally or vhosts.conf on a per-domain basis), but the configuration does not ensure that file permissions allow write access at runtime.
For Unix CLI users:
Most probably the error_log ini file entry isn't set. To verify:
php -i | grep error_log
// error_log => no value => no value
You can either set it in your php.ini CLI file, or just simply quickly pipe all standard error yourself to a file:
./myprog 2> myerror.log
Then quickly:
tail -f myerror.log
I have been busy setting up my own VPS after being used to cPanel, but I can't seem to find out how to let PHP create an error_log file in the same directory as the script that throws the errors.
I would like this to happen without me having to add a line of code to each .php file. In cPanel this works out of the box somehow.
Example:
Error in: /var/www/webapp1/index.php
Logfile location: /var/www/webapp1/error_log
Error in: /var/www/info/system/test.php
Logfile location: /var/www/info/system/error_log
Basically, I want PHP to store an error_log file in each directory for the scripts in that directory.
Additional information:
Single VPS account
Debian 6.0 (Squeeze) GNU/Linux
Apache 2.2.16
Set the error_log value to the name of the error log you want to appear in the directory, but do not put any slashes. The file will be saved in the directory from which the script is ran, so the same directory.
error_log = "php_error.log"
For this, there is the error_log directive in php.ini like:
error_log string
Where string represents the name of the file where script errors should be logged. The file should be writable by the web server's user. If the special value syslog is used, the errors are sent to the system logger instead. On Unix, this means syslog(3) and on Windows NT it means the event log. The system logger is not supported on Windows 95. See also: syslog(). If this directive is not set, errors are sent to the SAPI error logger. For example, it is an error log in Apache or stderr in CLI.
Edit your php.ini file and uncomment the line with error_log:
error_log = php_errors.log
Save the changes, restart Apache, and be happy.
If you're using Linux, open a terminal and type this to restart:
sudo services apache2 restart
If you have access to WebHost Manager (WHM) you can search for SERVICES and then restart HTTPD or Apache.
If you're using EasyPHP or Vertrigo, you can do that through the program it self.
basically I want php to store an error_log file in each directory for the scripts in that directory
Assuming you're using Apache, you can use Apache's error_log directive in the VirtualHost to accomplish this behaviour. If memory serves me right, PHP itself doesn't decide where it stores its errors.