I've been trying to insert the following into a vhost from Site > Options > Apache Directives : Code: ErrorLog /var/log/httpd/{DOMAIN}/error.log CustomLog /var/log/httpd/{DOMAIN}/access.log combined It's returning error : apache_directive_blocked_error That comes from the blacklist defined here. This is the result of a very recent change, merged last month. The change was made in response to a ticket #5612. Where is this mysterious ticket? On researching issue tickets, I see someone else wanted to do this for the same reason. The goal is simply to get separate access/error files for each site. Can someone suggest how this can be done now in 3.2? For future documentation I think it would be helpful to explain why each of the directives in the list have been blacklisted. It's not obvious why specific directives return the terse error. That prompts a lot of questions in this forum like "why can't we use Include" (which I still don't understand outside of "it's a security issue"). Thanks!
Is this changed in ISPConfig 3.2? In 3.1 each site has /var/www/<sitename>/log where access and error logs are stored.
Each site has separate access and error log file by default in ISPConfig in /var/log/ispconfig/httpd/domain.tld/ and this is even mounted into the log directory of the website for easy access by the client. [root@server1 ~]# ls /var/log/ispconfig/httpd/example.com/ 20200930-access.log 20201001-access.log access.log and [root@server1 ~]# ls /var/www/example.com/log/ 20200930-access.log 20201001-access.log access.log Makes no sense to do that and will not work anyway as logs are already stored in that path and logging is done globally and split globally for performance, log rotation and also traffic quota calculation. It's more than sufficient to be a security issue to get disallowed. So if you want to write a note for that for the docs, write that directives listed in the blacklist are not permitted for security reasons.
He actually asked to disable the log, which is not from ISPConfig, it belongs to your Linux distribution, and not to split it as the splitted logs exist already. So if you do not want to have that default log of the Linux distribution, then just comment it out or remove the whole other-vhosts-access-log config include.
As always, thanks for your time and insight. I'm recognizing my confusion. The "AccessLog ... combined" directive causes logs to go into other_vhosts_access.log. But it seems individual site logs are also going into the ISPC-specific files. I missed that. I can move forward with this. It takes a while to internalize some of this. Thanks guys!
That line had me puzzled but I marked this thread as Solved anyway. Then I started thinking... No, the regex in the blacklist doesn't allow custom logs at all: Code: /^\s*(CustomLog|ErrorLog)(\s+|[\\\\])/mi Your note about the pipe is an example of standard functionality that we can't use, like this : Code: CustomLog "|/usr/bin/cronolog --symlink=/var/log/httpd/access.log /var/log/httpd/access.log_%Y_%m_%d" combined Coincidentally, that example comes from this HowToForge page which describes how to filter undesirable text out of the logs. In short: we can no longer do this : Code: CustomLog /var/log/apache2/access.log combined env=!dontlog ... adding the env=!dontlog qualifier to the directive. That is, we can define a bunch of SETENVIF rules, but we can't get the log to enforce them anymore. Yeah? No? Thanks!
