Question on tomcat logging

Question

I have read that as a good security practice it is good to enable usage logs to identify source of attacks etc.
This can happen using AccessLogValve.
My question is if anyone has experience in using this and if it has any affect on performance in production environments.

Thanks

Answer 1

Yes, there are performance indications.

How much of an impact it has depends on the volumetrics your site supports. If you have thousands of requests per minute, then it's probably not a great idea.

Some issues with earlier versions have been discussed on Tomcat mailing lists

Tomcat also introduced a FastCommonAccessLogValve in 5.5 but it seems to be deprecated from 6 onwards.

What you can do instead is to Filter the request patterns or IP addresses which you wish to log (if such a use case is possible) and then only log those. This is not using the inbuilt Valve but a custom Filter. Try whatever works for you

Answer 2

Anything you do has impact on performance. There are situations that force you to use an access log. You can measure the impact if you run JMeter against your web server. You will see that the impact does not hang your system or anything dramatic...

This impact depends on too many factors, so measuring yourself will give you a clear result. After all the access log files are meant to be used in production environments.

We use access log files for e-shops all the time. They provide useful user access behavioral information. Tagging has an impact on performance as well. Still if you want higher accuracy you may have to use both methods simultaneously.

Rich Internet Applications and Ajax alienate the access scheme, placing more processing to the browser of your client. GWT application i.e. render the tomcat access file useless and tagging will be necessary.

Make your log files rotatable in order to keep them in reasonable sizes and ftp them to another system in order to process them, according to the Data Warehouse principles.

Answer 3

Log write-access will be slower the more data the log contains. You need to make sure that you logrotate your accesslogs and outdate them. On a linux machine there is most of the times a daemon like "logrotated" which manages log sizes and rotation if configured properly.