.:: Marcos Dione/StyXman's glob ::. (Posts about grafana)https://www.grulic.org.ar/~mdione/glob/enContents © 2026 <a href="mailto:mdione@grulic.org.ar">Marcos Dione</a> Tue, 12 May 2026 20:42:05 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssMonitoring Apache with SQL and Grafanahttps://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-sql-and-grafana/Marcos Dione<p>Ever since my last job I have been wanting to make this. I think it's not the first time I do it, but for one reason or another, I did it (again?) in two evenings only.</p> <p>In that job we had an internet facing API with Apache as the router in front of several services. All our metrics and even our billing was based on the Apache logs. We had a system that ingested the logs into a PostgreSQL database, and we tried to create Grafana panels and alerts based on that info. At the same time, I wanted to reproduce <a href="https://www.awstats.org/"><code>awstats</code></a> in Grafana, and found it was almost impossible.</p> <p>Another problem is that the usual tools to solve this, Loki or Prometheus, have big problems to handle this type of too arbitrary data (think of the <code>referer</code> or <code>user_agent</code> columns) or whose space is too big (<code>client</code> is an IPv4, with 4Bi different values). They effectively suffer (in principle) of what they call "cardinality bomb": since they build one time series database (TSDB) per combination of fields (they call them "labels"), storage use is big and aggregation operations inter TSDBs are expensive.</p> <p>Last night I sat down to reimplement the ingestion side. Instead of PostgreSQL I used SQLite mostly because almost all of my services (with low traffic and mostly only me as user) already use it. To be fair, and one really can't expect anything else, the script is quite straight forward. It uses regexps to parse the logs, which for the moment is good enough. I'm "releasing" it as is, because I'm tired, but you'll find some surprises around parsing the request line (see <code>request_re</code> and its handling); some janky ways to convert from <code>str</code> to <code>int</code> or <code>datetime</code>; and an iteration trick to use <code>dataclass</code>es as <code>execute()</code> argument. I omited some comments and all the testing:</p> <div class="code"><pre class="code literal-block"><span class="ch">#! /usr/bin/env python3</span> <span class="kn">from</span><span class="w"> </span><span class="nn">dataclasses</span><span class="w"> </span><span class="kn">import</span> <span class="n">dataclass</span> <span class="kn">from</span><span class="w"> </span><span class="nn">datetime</span><span class="w"> </span><span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span><span class="p">,</span> <span class="n">timezone</span><span class="p">,</span> <span class="n">tzinfo</span> <span class="kn">import</span><span class="w"> </span><span class="nn">pathlib</span> <span class="kn">import</span><span class="w"> </span><span class="nn">re</span> <span class="kn">import</span><span class="w"> </span><span class="nn">sqlite3</span> <span class="kn">import</span><span class="w"> </span><span class="nn">sys</span> <span class="c1"># I miss dinant</span> <span class="c1"># no 0-255 range check since this is written by apache</span> <span class="c1"># if the number is not in that range, we have bigger problems</span> <span class="n">octet_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'\d{1,3}'</span> <span class="n">ip_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'\.'</span><span class="o">.</span><span class="n">join</span><span class="p">([</span> <span class="n">octet_re</span> <span class="p">]</span> <span class="o">*</span> <span class="mi">4</span><span class="p">)</span> <span class="n">word_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'[^ ]+'</span> <span class="n">identd_user_re</span> <span class="o">=</span> <span class="n">word_re</span> <span class="c1"># it can be '-'</span> <span class="n">user_id_re</span> <span class="o">=</span> <span class="n">word_re</span> <span class="c1"># it can be '-'</span> <span class="n">month_names</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'Jan'</span><span class="p">,</span> <span class="s1">'Feb'</span><span class="p">,</span> <span class="s1">'Mar'</span><span class="p">,</span> <span class="s1">'Apr'</span><span class="p">,</span> <span class="s1">'May'</span><span class="p">,</span> <span class="s1">'Jun'</span><span class="p">,</span> <span class="s1">'Jul'</span><span class="p">,</span> <span class="s1">'Aug'</span><span class="p">,</span> <span class="s1">'Sep'</span><span class="p">,</span> <span class="s1">'Oct'</span><span class="p">,</span> <span class="s1">'Nov'</span><span class="p">,</span> <span class="s1">'Dec'</span> <span class="p">]</span> <span class="n">day_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'\d{1,2}'</span> <span class="n">month_re</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"(?:</span><span class="si">{</span><span class="s1">'|'</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">month_names</span><span class="p">)</span><span class="si">}</span><span class="s2">)"</span> <span class="n">year_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'\d</span><span class="si">{4}</span><span class="s1">'</span> <span class="n">date_re</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"(</span><span class="si">{</span><span class="n">day_re</span><span class="si">}</span><span class="s2">)/(</span><span class="si">{</span><span class="n">month_re</span><span class="si">}</span><span class="s2">)/(</span><span class="si">{</span><span class="n">year_re</span><span class="si">}</span><span class="s2">)"</span> <span class="n">time_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'(\d</span><span class="si">{2}</span><span class="s1">):(\d</span><span class="si">{2}</span><span class="s1">):(\d</span><span class="si">{2}</span><span class="s1">)'</span> <span class="n">utc_offset_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'(?:\+|\-)\d</span><span class="si">{4}</span><span class="s1">'</span> <span class="c1"># no capture</span> <span class="c1"># fscking double escaping :(</span> <span class="n">date_time_re</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"</span><span class="se">\\</span><span class="s2">[</span><span class="si">{</span><span class="n">date_re</span><span class="si">}</span><span class="s2">:</span><span class="si">{</span><span class="n">time_re</span><span class="si">}</span><span class="s2"> (</span><span class="si">{</span><span class="n">utc_offset_re</span><span class="si">}</span><span class="s2">)</span><span class="se">\\</span><span class="s2">]"</span> <span class="n">method_re</span> <span class="o">=</span> <span class="n">word_re</span> <span class="n">url_re</span> <span class="o">=</span> <span class="n">word_re</span> <span class="c1"># technically not a word, but word_re is too generic</span> <span class="n">proto_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'HTTP'</span> <span class="c1"># who are we kidding</span> <span class="n">version_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'\d\.\d'</span> <span class="c1"># who are we kidding</span> <span class="n">proto_and_version_re</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"(</span><span class="si">{</span><span class="n">proto_re</span><span class="si">}</span><span class="s2">)/(</span><span class="si">{</span><span class="n">version_re</span><span class="si">}</span><span class="s2">)"</span> <span class="c1"># idiot skrip kidz send no method or proto/version!</span> <span class="c1"># and re is silly? enough to produce empty matches for the ()s here</span> <span class="c1"># oh, but re.compile().match().groups() returns things like</span> <span class="c1"># (None, None, None, None, '', '\\x16\\x03\\x02\\x01o\\x01', '', '')</span> <span class="c1"># so we gained nothing</span> <span class="n">request_re</span> <span class="o">=</span> <span class="sa">f</span><span class="s1">'"(?:(</span><span class="si">{</span><span class="n">method_re</span><span class="si">}</span><span class="s1">) (</span><span class="si">{</span><span class="n">url_re</span><span class="si">}</span><span class="s1">) </span><span class="si">{</span><span class="n">proto_and_version_re</span><span class="si">}</span><span class="s1">|()(</span><span class="si">{</span><span class="n">url_re</span><span class="si">}</span><span class="s1">)()())"'</span> <span class="n">number_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'\d+'</span> <span class="n">http_status_re</span> <span class="o">=</span> <span class="n">number_re</span> <span class="n">bytes_rx_re</span> <span class="o">=</span> <span class="n">number_re</span> <span class="n">bytes_tx_re</span> <span class="o">=</span> <span class="n">number_re</span> <span class="n">ttfb_re</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">"(?:</span><span class="si">{</span><span class="n">number_re</span><span class="si">}</span><span class="s2">|-)"</span> <span class="n">response_time_re</span> <span class="o">=</span> <span class="n">number_re</span> <span class="n">double_quoted_text_re</span> <span class="o">=</span> <span class="sa">r</span><span class="s1">'"([^"]+)"'</span> <span class="n">referer_re</span> <span class="o">=</span> <span class="n">double_quoted_text_re</span> <span class="n">user_agent_re</span> <span class="o">=</span> <span class="n">double_quoted_text_re</span> <span class="n">log_line_re</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">compile</span><span class="p">(</span><span class="sa">f</span><span class="s2">"^(</span><span class="si">{</span><span class="n">ip_re</span><span class="si">}</span><span class="s2">) (</span><span class="si">{</span><span class="n">identd_user_re</span><span class="si">}</span><span class="s2">) (</span><span class="si">{</span><span class="n">user_id_re</span><span class="si">}</span><span class="s2">) </span><span class="si">{</span><span class="n">date_time_re</span><span class="si">}</span><span class="s2"> </span><span class="si">{</span><span class="n">request_re</span><span class="si">}</span><span class="s2"> (</span><span class="si">{</span><span class="n">http_status_re</span><span class="si">}</span><span class="s2">) (</span><span class="si">{</span><span class="n">bytes_rx_re</span><span class="si">}</span><span class="s2">) (</span><span class="si">{</span><span class="n">bytes_tx_re</span><span class="si">}</span><span class="s2">) (</span><span class="si">{</span><span class="n">ttfb_re</span><span class="si">}</span><span class="s2">) (</span><span class="si">{</span><span class="n">response_time_re</span><span class="si">}</span><span class="s2">) </span><span class="si">{</span><span class="n">referer_re</span><span class="si">}</span><span class="s2"> </span><span class="si">{</span><span class="n">user_agent_re</span><span class="si">}</span><span class="s2">$"</span><span class="p">)</span> <span class="nd">@dataclass</span> <span class="k">class</span><span class="w"> </span><span class="nc">LogRecord</span><span class="p">:</span> <span class="n">client_ip</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># 0</span> <span class="n">indent_user</span><span class="p">:</span> <span class="nb">str</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">date_time</span><span class="p">:</span> <span class="n">datetime</span> <span class="n">method</span><span class="p">:</span> <span class="nb">str</span> <span class="n">url</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># 5</span> <span class="n">protocol</span><span class="p">:</span> <span class="nb">str</span> <span class="n">protocol_version</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># could be float, but we don't really care; besides, x.y.z?</span> <span class="n">status</span><span class="p">:</span> <span class="nb">int</span> <span class="n">bytes_rx</span><span class="p">:</span> <span class="nb">int</span> <span class="n">bytes_tx</span><span class="p">:</span> <span class="nb">int</span> <span class="c1"># 10</span> <span class="n">ttfb</span><span class="p">:</span> <span class="nb">int</span> <span class="c1"># maybe -!</span> <span class="n">response_time</span><span class="p">:</span> <span class="nb">int</span> <span class="n">referer</span><span class="p">:</span> <span class="nb">str</span> <span class="n">user_agent</span><span class="p">:</span> <span class="nb">str</span> <span class="nd">@classmethod</span> <span class="k">def</span><span class="w"> </span><span class="nf">from_log_line</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">line</span><span class="p">):</span> <span class="n">match</span> <span class="o">=</span> <span class="n">log_line_re</span><span class="o">.</span><span class="n">match</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">if</span> <span class="n">match</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span> <span class="k">raise</span> <span class="ne">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="s2">"Malformed line: </span><span class="si">{</span><span class="n">line</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="nb">list</span><span class="p">(</span><span class="n">match</span><span class="o">.</span><span class="n">groups</span><span class="p">())</span> <span class="n">new_data</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">group_index</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">field_index</span><span class="p">,</span> <span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">field</span><span class="p">)</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="bp">cls</span><span class="o">.</span><span class="n">__dataclass_fields__</span><span class="o">.</span><span class="n">items</span><span class="p">()):</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="n">datetime</span><span class="p">:</span> <span class="c1"># [11/May/2026:20:15:28 +0200]</span> <span class="c1"># convert month str to number</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">month_names</span><span class="o">.</span><span class="n">index</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">1</span><span class="p">])</span> <span class="o">+</span> <span class="mi">1</span> <span class="c1"># convert to ints</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">:</span><span class="n">group_index</span><span class="o">+</span><span class="mi">6</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="nb">int</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">:</span><span class="n">group_index</span><span class="o">+</span><span class="mi">6</span><span class="p">]</span> <span class="p">]</span> <span class="n">new_data</span><span class="o">.</span><span class="n">append</span><span class="p">(</span> <span class="n">datetime</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">2</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">1</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">3</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">4</span><span class="p">],</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">5</span><span class="p">],</span> <span class="mi">0</span><span class="p">,</span> <span class="n">utc_offset2tzinfo</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">6</span><span class="p">]))</span> <span class="p">)</span> <span class="n">group_index</span> <span class="o">+=</span> <span class="mi">7</span> <span class="k">continue</span> <span class="c1"># handle ttfb as -</span> <span class="k">if</span> <span class="n">field_index</span> <span class="o">==</span> <span class="mi">11</span> <span class="ow">and</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">]</span> <span class="o">==</span> <span class="s1">'-'</span><span class="p">:</span> <span class="c1"># </span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">:</span><span class="n">group_index</span><span class="o">+</span><span class="mi">4</span><span class="p">]</span> <span class="o">==</span> <span class="p">[</span> <span class="kc">None</span><span class="p">,</span> <span class="kc">None</span><span class="p">,</span> <span class="kc">None</span><span class="p">,</span> <span class="kc">None</span> <span class="p">]:</span> <span class="k">if</span> <span class="n">group_index</span> <span class="ow">in</span> <span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mi">14</span><span class="p">):</span> <span class="c1"># handle (None, None, None, None, '', '\\x16\\x03\\x02\\x01o\\x01', '', '')</span> <span class="c1"># handle ('GET', '/', 'HTTP', '1.0', None, None, None, None)</span> <span class="c1"># no need to add anything, it's handled by the fallback</span> <span class="c1"># but we still need to skip this cruft</span> <span class="n">group_index</span> <span class="o">+=</span> <span class="mi">4</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="ne">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="s2">"Got confused: </span><span class="si">{</span><span class="p">(</span><span class="n">field_index</span><span class="p">,</span><span class="w"> </span><span class="n">field</span><span class="o">.</span><span class="n">type</span><span class="p">,</span><span class="w"> </span><span class="n">group_index</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">],</span><span class="w"> </span><span class="n">new_data</span><span class="p">)</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span> <span class="c1"># convert ints</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">type</span> <span class="o">==</span> <span class="nb">int</span><span class="p">:</span> <span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">]</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">])</span> <span class="c1"># fallback</span> <span class="n">new_data</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">group_index</span><span class="p">])</span> <span class="n">group_index</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">return</span> <span class="bp">cls</span><span class="p">(</span><span class="o">*</span><span class="n">new_data</span><span class="p">)</span> <span class="c1"># implement the iterator protocol so we can mostly be passed as argument to execute()</span> <span class="k">def</span><span class="w"> </span><span class="fm">__iter__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">return</span> <span class="bp">self</span> <span class="k">def</span><span class="w"> </span><span class="fm">__iter__</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span> <span class="k">for</span> <span class="n">value</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="vm">__dict__</span><span class="o">.</span><span class="n">values</span><span class="p">():</span> <span class="c1"># the whole protocol could be replaced with .__dataclass_fields__.values() :shrug:</span> <span class="c1"># but this way I can do further conversions</span> <span class="k">if</span> <span class="nb">type</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="o">==</span> <span class="n">datetime</span><span class="p">:</span> <span class="n">value</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">value</span><span class="o">.</span><span class="n">timestamp</span><span class="p">())</span> <span class="k">yield</span> <span class="n">value</span> <span class="k">def</span><span class="w"> </span><span class="nf">utc_offset2tzinfo</span><span class="p">(</span><span class="n">offset</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">tzinfo</span><span class="p">:</span> <span class="c1"># +0200</span> <span class="n">hours</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">offset</span><span class="p">[:</span><span class="mi">3</span><span class="p">])</span> <span class="c1"># +02</span> <span class="n">minutes</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">offset</span><span class="p">[</span><span class="mi">3</span><span class="p">:])</span> <span class="c1"># 00</span> <span class="k">return</span> <span class="n">timezone</span><span class="p">(</span><span class="n">timedelta</span><span class="p">(</span><span class="n">hours</span><span class="o">=</span><span class="n">hours</span><span class="p">,</span> <span class="n">minutes</span><span class="o">=</span><span class="n">minutes</span><span class="p">),</span> <span class="n">offset</span><span class="p">)</span> <span class="k">def</span><span class="w"> </span><span class="nf">connect</span><span class="p">():</span> <span class="c1"># if we test after sqlite3.connect(), the file is already created</span> <span class="n">create</span> <span class="o">=</span> <span class="ow">not</span> <span class="n">pathlib</span><span class="o">.</span><span class="n">Path</span><span class="p">(</span><span class="s1">'./apache_logs.db'</span><span class="p">)</span><span class="o">.</span><span class="n">exists</span><span class="p">()</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="o">.</span><span class="n">connect</span><span class="p">(</span><span class="s1">'./apache_logs.db'</span><span class="p">)</span> <span class="k">if</span> <span class="n">create</span><span class="p">:</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s1">'''</span> <span class="s1">CREATE TABLE "logs" (</span> <span class="s1"> "client" TEXT,</span> <span class="s1"> "indent_user" TEXT,</span> <span class="s1"> "user_id" TEXT,</span> <span class="s1"> "timestamp" INTEGER,</span> <span class="s1"> "method" TEXT,</span> <span class="s1"> "url" TEXT,</span> <span class="s1"> "protocol" TEXT,</span> <span class="s1"> "protocol_version" TEXT,</span> <span class="s1"> "status" INTEGER,</span> <span class="s1"> "bytes_rx" INTEGER,</span> <span class="s1"> "bytes_tx" INTEGER,</span> <span class="s1"> "ttfb" INTEGER,</span> <span class="s1"> "response_time" INTEGER,</span> <span class="s1"> "referer" TEXT,</span> <span class="s1"> "user_agent" TEXT</span> <span class="s1">);'''</span><span class="p">)</span> <span class="k">return</span> <span class="n">conn</span> <span class="k">def</span><span class="w"> </span><span class="nf">main</span><span class="p">():</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">connect</span><span class="p">()</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">sys</span><span class="o">.</span><span class="n">stdin</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">log_record</span> <span class="o">=</span> <span class="n">LogRecord</span><span class="o">.</span><span class="n">from_log_line</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">except</span> <span class="ne">ValueError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nb">print</span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="k">continue</span> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s1">'''INSERT INTO logs VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'''</span><span class="p">,</span> <span class="nb">tuple</span><span class="p">(</span><span class="n">log_record</span><span class="p">))</span> <span class="n">conn</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span> <span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">'__main__'</span><span class="p">:</span> <span class="n">main</span><span class="p">()</span> </pre></div> <p>One of the things I didn't do was to further play with the URLs. One could make list of different apps based on whether there is any routing to different services, like in the cases of my previous job and my own server; or even different subdivisions on a single app, like for NextCloud:</p> <div class="code"><pre class="code literal-block"><span class="n">ocs</span><span class="o">/</span><span class="n">v2</span><span class="p">.</span><span class="n">php</span><span class="o">/</span><span class="n">apps</span><span class="o">/</span><span class="n">serverinfo</span> <span class="n">remote</span><span class="p">.</span><span class="n">php</span><span class="o">/</span><span class="n">dav</span><span class="o">/</span><span class="n">files</span><span class="o">/</span><span class="n">USER</span> <span class="n">remote</span><span class="p">.</span><span class="n">php</span><span class="o">/</span><span class="n">dav</span><span class="o">/</span><span class="n">calendars</span><span class="o">/</span><span class="n">USER</span><span class="o">/</span><span class="n">CALENDAR</span><span class="o">/</span> </pre></div> <p>etc. I haven't really thought about it; it could be implemented either as more columns or extra tables.</p> <p>Today I managed to finish the rest.</p> <p>The next step is to install this so it runs constantly with the output of <code>tail --follow=name --retry</code> piped into its <code>stdin</code><sup id="fnref:1"><a class="footnote-ref" href="https://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-sql-and-grafana/#fn:1">1</a></sup>. Left as an exercise for the reader; use SystemD units :)</p> <p>Next is installing <a href="https://github.com/fr-ser/grafana-sqlite-datasource">Grafana's plugin to read SQLite</a> and declare the new Grafana datasource.</p> <p>The hard part was to query the data in a way that was useful for Grafana. I managed to get a query like:</p> <div class="code"><pre class="code literal-block"><span class="c1">-- round to the minute</span> <span class="k">SELECT</span><span class="w"> </span><span class="k">timestamp</span><span class="o">/</span><span class="mi">60</span><span class="o">*</span><span class="mi">60</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="k">time</span><span class="p">,</span><span class="w"> </span><span class="n">status</span><span class="p">,</span><span class="w"> </span><span class="k">COUNT</span><span class="p">(</span><span class="n">status</span><span class="p">)</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="ss">"count"</span> <span class="k">FROM</span><span class="w"> </span><span class="n">logs</span> <span class="c1">-- $__from and $__to are defined by Grafana based on the dashboards's time range</span> <span class="k">WHERE</span><span class="w"> </span><span class="k">timestamp</span><span class="w"> </span><span class="o">&gt;=</span><span class="w"> </span><span class="err">$</span><span class="n">__from</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="mi">1000</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="k">timestamp</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="err">$</span><span class="n">__to</span><span class="w"> </span><span class="o">/</span><span class="w"> </span><span class="mi">1000</span> <span class="k">GROUP</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="k">timestamp</span><span class="o">/</span><span class="mi">60</span><span class="p">,</span><span class="w"> </span><span class="n">status</span> </pre></div> <p>to get the count of different status codes per minute<sup id="fnref:2"><a class="footnote-ref" href="https://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-sql-and-grafana/#fn:2">2</a></sup>. But this returns a table that looks like:</p> <div class="code"><pre class="code literal-block"> time | status | count 1778533620 | 200 | 30 1778533620 | 207 | 3 1778533620 | 403 | 1 </pre></div> <p>while Grafana is expecting one line per sample (but remember we're aggregating data) and one column per data series:</p> <div class="code"><pre class="code literal-block"> time | 200 | 207 | 403 1778533620 | 30 | 3 | 1 </pre></div> <p>I read how to pivot this in SQL, but it mostly works only if you know the different values for the <code>status</code> column beforehand. This might be feasible with <a href="https://en.wikipedia.org/w/index.php?title=List_of_HTTP_status_codes">HTTP status codes</a> (I count 63 standard ones, including the joke <code>418 I'm a teapot</code>), but that would be impossible for the <code>referer</code> or <code>user_agent</code> columns.</p> <p>Thanks to <code>iRobbery#postgresql@libera.chat</code> I found about <a href="https://community.grafana.com/t/merging-rows-with-same-timestamp-for-time-series/103254/3">Grafana's Partition by values data transformation</a>. Aplying it to the column that defines the time series (<code>status</code>, etc), it gives us exactly what we want!</p> <p><img alt="" src="https://www.grulic.org.ar/~mdione/glob/images/Screenshot_20260512_210706.png"></p> <p>And one can even include a pure table with all the logs to inspect when one finds weird spikes or values. I made almost impossible queries like transferred bytes per URL, methods per client and more! One missing piece, i possible, would be to implement histograms, <a href="https://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-prometheus-and-grafana/">like last time we looked into this</a>.</p> <div class="footnote"> <hr> <ol> <li id="fn:1"> <p>One could cite the UNIX philosophy, but seriously, who wants to reimplement all the corner cases of that <code>tail</code> invocation? See for instance <a href="https://www.phoronix.com/news/Ubuntu-Rust-Coreutils-Audit">the 113 bugs found in the coreutils Rust reimplementaiton</a> <a class="footnote-backref" href="https://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-sql-and-grafana/#fnref:1" title="Jump back to footnote 1 in the text">↩</a></p> </li> <li id="fn:2"> <p>One could use a dashboard variable to control this arbitrarily. One could get granularity per second! <a class="footnote-backref" href="https://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-sql-and-grafana/#fnref:2" title="Jump back to footnote 2 in the text">↩</a></p> </li> </ol> </div>apachegrafanamonitoringpythonhttps://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-sql-and-grafana/Tue, 12 May 2026 18:07:46 GMTMonitoring apache with prometheus and grafanahttps://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-prometheus-and-grafana/Marcos Dione<p><em>NE: this one is not going to be that coherent either, even when I'm actually writing it. Again, sorry for the mess.</em></p> <p>Since nobody seems to have ever written a blog post about this beyond the basic 'explain + install + graph one metric in grafana', here's my take.</p> <p>Analyzing Apache activity with tools like prometheus and grafana is not easy task, mostly because the kind of things that Apache can do is quite varied: it could be serving static files, of any size, receiving uploads, answering API calls, thin REST ones or big fat heavy ones, or even offloading SSL or just proxying to other services. So the first thing you have to ask yourself is: what does my Apache do?</p> <p>In my case it's two things:</p> <ul> <li> <p>Serving static files, mostly map tiles and photos. These vary in size a lot: tiles are usually small, but I also have big 12MiB photos and at least 2 scaled down versions, the thumbnail and the gallery main image. These thumbnails and main image are generated from the originals and cached.</p> </li> <li> <p>Serving a few services: webmail, rss reader and 'cloud' suit (file sharing, calendars, etc).</p> </li> </ul> <p>Second, you have to define what do you actually want to know about it. There are many options: What's my error rate? How long does it take to serve requests? What about queries whose payload can wildly vary in size? What about uploads?</p> <p>You can also ask yourself about those values: Do I wan to know it in general, by any individual URL, by certain prefixes...?</p> <p>These question should lead you to define certain things, including changes you might need to do to Apache. For instance, Apache's 'combined' log format include only status and written size (including headers), but neither read size, response time or time to first byte. TTFB is an important value to know for requests that either upload or download lots of data; for instance, in my case, the gallery's images. TTFB will tell you much time you spend before starting your answer. Even then, this value can be misleading, since there's nothing to prevent a framework or application to send headers as long as their values are calculated, but still have to much computation before actually sending the <em>payload</em> of the response.</p> <div class="code"><pre class="code literal-block"><span class="gh">#</span> enable time to first byte LogIOTrackTTFB ON LogFormat "%h %l %u %t \"%r\" %&gt;s %I %O %^FB %D \"%{Referer}i\" \"%{User-Agent}i\"" combined_io </pre></div> <p>So, where do we start about this? A good starting point is <a href="https://www.robustperception.io/getting-metrics-from-apache-logs-using-the-grok-exporter/">Brian Brazil's oldish post</a>, where he mentions the Grok Exporter, but there is no version in Debian. This means, I need a binary release. Unfortunately, the GE <a href="https://github.com/fstab/grok_exporter/issues/189">seems to be abandoned</a> by its original developer. The people at SysDigLabs <a href="https://github.com/sysdiglabs/grok_exporter">maintain a fork</a>, but they seem to have mostly focused on doing only maintenance around CI, dependencies, but no major code changes. None of the 11 pull requests or the 70 issues in the orignal repo seem to be addressed. I don't blame them, I'm just pointing it out. Besides, they're not providing binaries, except if you count a docker image as such.</p> <p>So I decided to pick another fork. Of them all, a couple of them do provide binary releases, so I just <a href="https://github.com/coalfire/grok_exporter/releases">picked one</a>.</p> <p>Meanwhile, I also thought that since I was already modifying Apache's log, I could do it in such a way that it would write CSV instead and use <a href="https://github.com/stohrendorf/csv-prometheus-exporter">the CVS exporter</a>. But since the GE is already there, some people seem to be using it, and this other one for some reason mentions SSH, I decided to stick to GE.</p> <p>Ok, we install the GE, enable and start the systemd service. This involves extracting the zip, putting the binary and the systemd service unit file somewhere, call <code>systemd link</code> so it sees the new service, write the configuration file and place the pattern files you want in one of the pattern directories declare in the config file. Now what? Well, you can say this is the fun part.</p> <p>I decided to cut my monitoring by service. First to monitor was <a href="https://dionecanali.hd.free.fr/~mdione/Elevation/">my raster tile based map</a>. I butchered the original patterns for apache, splitting it into a prefix, a middle part that will match the path in the request, and a postfix that also adds the three new fields. This way I can write a middle section for each service. Things could be different if I was serving each one a different vhost. It also allowed me to capture parts of the path for instance to count served map tiles per zoom level. This was easy once I figured I had to do the last step of the previous paragraph, otherwise you get errors like <code>Pattern %{IP:client_ip} not defined</code>.</p> <div class="code"><pre class="code literal-block">HTTPD_LOG_PREFIX %{IP:client_ip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} \[%{HTTPDATE:timestamp}\] HTTPD_LOG_POSTFIX %{NUMBER:status} (?:%{NUMBER:read}|-) (?:%{NUMBER:wrote}|-) (?:%{NUMBER:first_byte}|-) (?:%{NUMBER:total_time}|-) %{QS:referrer} %{QS:agent} ELEVATION_LOG %{HTTPD_LOG_PREFIX} "(?:%{WORD:verb} /~mdione/Elevation/%{NUMBER:zoom_level}/%{NOTSPACE}(?: HTTP/%{NUMBER:http_version})?|%{DATA:rawrequest})" %{HTTPD_LOG_POSTFIX} </pre></div> <p>Have you noticed Apache's log have this ugly format for timestamps? <code>18/Nov/2023:23:44:13 +0100</code>. Luckily we don't really needed them, otherwise this would be a nighmare just to parse and convert to something we can use.</p> <p>Now it's time to define the metrics. I wrote one metrics file per service. Since this is a static site, I built histograms for response time and response size. Just for fun, I also wrote one for FTTB. This is quite straightforward, except for one thing: defining the buckets. What I did was use <code>awk</code> to get the field I wanted, then <code>sort -n</code> and <code>less -N</code>. I was looking at around 1000 requests, so I made buckets of around 100 requests. This value will not be so easy to write for more wildly variant services. For instance, at $WORK we receive and send documents or bundles of documents to be signed. The size of these PDFs and bundles of them are virtually unlimited, and in fact, we're starting to experience issues where the servers freeze for up to 10m just chewing and digesting big uploads.</p> <div class="code"><pre class="code literal-block"><span class="o">-</span><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="nx">histogram</span> <span class="w"> </span><span class="nx">name</span><span class="p">:</span><span class="w"> </span><span class="nx">elevation_tile_ttfb</span> <span class="w"> </span><span class="nx">help</span><span class="p">:</span><span class="w"> </span><span class="nx">Elevation</span><span class="w"> </span><span class="nx">tile</span><span class="w"> </span><span class="nx">Time</span><span class="o">-</span><span class="nx">To</span><span class="o">-</span><span class="nx">First</span><span class="o">-</span><span class="nx">Byte</span> <span class="w"> </span><span class="k">match</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="o">%</span><span class="p">{</span><span class="nx">ELEVATION_LOG</span><span class="p">}</span><span class="err">'</span> <span class="w"> </span><span class="nx">value</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="p">{{</span><span class="nx">multiply</span><span class="w"> </span><span class="p">.</span><span class="nx">first_byte</span><span class="w"> </span><span class="m m-Double">0.001</span><span class="p">}}</span><span class="err">'</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="nx">µs</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">ms</span> <span class="w"> </span><span class="nx">buckets</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="mi">40</span><span class="p">,</span><span class="w"> </span><span class="mi">50</span><span class="p">,</span><span class="w"> </span><span class="mi">75</span><span class="p">,</span><span class="w"> </span><span class="mi">100</span><span class="p">,</span><span class="w"> </span><span class="mi">150</span><span class="w"> </span><span class="p">]</span> <span class="o">-</span><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="nx">counter</span> <span class="w"> </span><span class="nx">name</span><span class="p">:</span><span class="w"> </span><span class="nx">elevation_tile_zoom_level_count</span> <span class="w"> </span><span class="nx">help</span><span class="p">:</span><span class="w"> </span><span class="nx">Counts</span><span class="w"> </span><span class="nx">tiles</span><span class="w"> </span><span class="nx">per</span><span class="w"> </span><span class="nx">zoom</span><span class="w"> </span><span class="nx">level</span> <span class="w"> </span><span class="k">match</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="o">%</span><span class="p">{</span><span class="nx">ELEVATION_LOG</span><span class="p">}</span><span class="err">'</span> <span class="w"> </span><span class="nx">labels</span><span class="p">:</span> <span class="w"> </span><span class="nx">zoom_level</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="p">{{.</span><span class="nx">zoom_level</span><span class="p">}}</span><span class="err">'</span> </pre></div> <p>Last step of the chain, and quite frankly, the one that took me more time: having a nice graph in grafana. My grafana version is somewhat old (6.7.2 v 10.2.1!<sup id="fnref:1"><a class="footnote-ref" href="https://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-prometheus-and-grafana/#fn:1">1</a></sup>), so my only option is a heatmap panel. One thing to know about the grok exporter's metrics is that they're counters, so the first thing you have to do is to use <code>increase()</code> to get the derivative. I took me quite a long time to find out this (no, I can't say I figure it out, I read it <a href="https://grafana.com/blog/2020/06/23/how-to-visualize-prometheus-histograms-in-grafana/">here</a>). Second, Grafana by default assumes it has to massage the data to build the heat map, so you have to tell it that the data is already a histogram. In the same vein, you also have to tell it a <em>second time</em> you want a heatmap, this time as the query's format. I also hid zero values and made the tooltip a histogram. Play around with the rest of the settings.</p> <div class="code"><pre class="code literal-block"><span class="p">{</span> <span class="w"> </span><span class="s2">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"heatmap"</span><span class="p">,</span> <span class="w"> </span><span class="s2">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span> <span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="s2">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"increase(gallery_ttfb_bucket[1m])"</span><span class="p">,</span> <span class="w"> </span><span class="s2">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{{le}}"</span><span class="p">,</span> <span class="w"> </span><span class="s2">"format"</span><span class="p">:</span><span class="w"> </span><span class="s2">"heatmap"</span> <span class="p">}</span> <span class="w"> </span><span class="p">],</span> <span class="w"> </span><span class="s2">"heatmap"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span> <span class="w"> </span><span class="s2">"dataFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tsbuckets"</span><span class="p">,</span> <span class="w"> </span><span class="s2">"yAxis"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="s2">"format"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ms"</span><span class="p">,</span> <span class="w"> </span><span class="p">},</span> <span class="w"> </span><span class="s2">"tooltip"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span> <span class="w"> </span><span class="s2">"show"</span><span class="p">:</span><span class="w"> </span><span class="bp">true</span><span class="p">,</span> <span class="w"> </span><span class="s2">"showHistogram"</span><span class="p">:</span><span class="w"> </span><span class="bp">true</span> <span class="w"> </span><span class="p">},</span> <span class="w"> </span><span class="s2">"hideZeroBuckets"</span><span class="p">:</span><span class="w"> </span><span class="bp">true</span> <span class="p">}</span> </pre></div> <p>Here's the Gallery's dashboard:</p> <p><img alt="" src="https://www.grulic.org.ar/~mdione/glob/images/Screenshot_20231118_231939.png"></p> <p>It's me traversing my gallery. The first part is me getting into a directory that has never been seen, so the gallery had to generate all the thumbnails. That's why we're seeing TTFBs and RTs so high, but the sizes stay low, because they're all thumbnails. Then it's me poking around here and there, most of the time seing the thumbnail table, but sometimes navigating the photos one by one in their big version. No original version was downloaded. I think I'll have to let these run for a while an revisit the buckets. The one for the response size already needs an adjustment. Also notice that my home server is quite boring, I have to do synthetic usage just to have values to graph.</p> <p>One thing to notice here. Not once in this post I mention the word latency, even when it's one of the buzzwords around web services. About that I strongly suggest you to watch Gil Tene's <a href="https://www.youtube.com/watch?v=lJ8ydIuPFeU">How NOT to measure latency</a> talk. It's an oldie, but man it packs a lot of info, including demystifying quantiles and nines.</p> <h2>Update</h2> <p>Today I noticed that an anternative to the Grok Exporter is <a href="https://github.com/google/mtail/"><code>mtail</code></a>. It has the advantages that it's well maintained and already available in Debian, but on the other hand you have to program it. I'll stick to GE until a reason raises to switch to it.</p> <p>Also:</p> <ul> <li>Slight additions and clarifications.</li> <li>Fixed typos and removed dupes.</li> </ul> <div class="footnote"> <hr> <ol> <li id="fn:1"> <p>This was because I was using grafana from Debian and not <a href="https://grafana.com/docs/grafana/latest/setup-grafana/installation/debian/#install-from-apt-repository">their repository</a>. <a class="footnote-backref" href="https://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-prometheus-and-grafana/#fnref:1" title="Jump back to footnote 1 in the text">↩</a></p> </li> </ol> </div>apachegrafanaprometheushttps://www.grulic.org.ar/~mdione/glob/posts/monitoring-apache-with-prometheus-and-grafana/Sat, 18 Nov 2023 22:45:08 GMT