How to Set LogLevel Debug for Specific Apache Modules Only (mod_authnz_ldap Example)



When troubleshooting Apache authentication modules like mod_authnz_ldap, setting LogLevel debug often drowns you in irrelevant SSL engine logs. Here's how to get clean debugging output for just the modules you care about.

Apache 2.3.6+ supports module-specific log levels through this syntax:

<IfModule mod_ssl.c>
    LogLevel ssl:info
</IfModule>
<IfModule mod_authnz_ldap.c>
    LogLevel authnz_ldap:debug
</IfModule>

For a VirtualHost handling LDAP authentication:

<VirtualHost *:443>
    # General logging level
    LogLevel warn
    
    # Module-specific levels
    LogLevel ssl:info
    LogLevel authz_core:debug
    LogLevel authnz_ldap:debug
    
    # Your other configuration
    SSLEngine on
    # ... other directives
</VirtualHost>

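Use apachectl -M to confirm exact module names for your version. It lists identifiers such as authnz_ldap_module; drop the trailing _module to get the LogLevel specifier. Common auth module identifiers include: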

  • authn_core
  • authz_core
  • authnz_ldap
  • auth_basic

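For older Apache versions, which lack per-module levels, you can at least isolate requests to the protected area by combining conditional logging with environment variables. CustomLog writes an access log, so this captures the matching requests rather than the modules' debug messages: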

SetEnvIf Request_URI "^/secure-area" debug_auth
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{debug_auth}e" debug_log
CustomLog logs/ssl_auth_debug.log debug_log env=debug_auth

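Apache 2.4+ also lets you tag every error log line with the module that wrote it through ErrorLogFormat:

# %m is the logging module's name and %l the level; %{u}t is the time with microseconds
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P] %F: %E: %M"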
LogLevel authnz_ldap:debug
LogLevel ssl:warn

When troubleshooting authentication issues involving modules like mod_authnz_ldap, you'll often set LogLevel debug in your Apache configuration. However, the auth messages you need then end up buried between SSL I/O dumps:

[debug] ssl_engine_io.c(1830): | 0100: 12 23 e7 0f 45 1f 1f d3-ed 12 f8 12 1f a9 90 85  .+..(........... |
[debug] mod_authnz_ldap.c(474): [client 10.10.10.123] auth_ldap authenticate: accepting joe
[debug] ssl_engine_io.c(1830): | 0023: 23 ff 29 5a 4b bd 4c e6-bc 36 22 9c c3 22 c2 4b  ..)ZK.L..6u....K |

Apache actually allows you to set different log levels for specific modules using this syntax:

LogLevel info
LogLevel authnz_ldap:debug
LogLevel ssl:info

This configuration:

  • Sets global log level to info
  • Enables debug only for mod_authnz_ldap
  • Keeps SSL modules at info level

For more complex scenarios, you can combine multiple module filters:

<VirtualHost *:443>
    LogLevel warn
    LogLevel authn_core:debug
    LogLevel authnz_ldap:debug
    LogLevel authz_core:debug
    LogLevel ssl:warn
    
    # LDAP configuration would go here
</VirtualHost>

After making changes, always verify with:

apachectl configtest
systemctl reload apache2

Check your logs to confirm the SSL debug messages are gone while auth-related debug messages remain:

tail -f /var/log/apache2/error.log | grep -E 'authnz_ldap|auth'
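
The same check can be scripted instead of eyeballed. This is an added example, not part of the original article: it tallies which modules still write debug or trace lines and fails if any module outside an allow-list does. It assumes the default Apache 2.4 error log layout, where the second bracketed field is [module:level]; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm which modules still log at debug/trace level.
# Assumes the default Apache 2.4 ErrorLogFormat ([time] [module:level] ...).

# Constructed sample lines (not taken from a real server).
sample_log() {
cat <<'EOF'
[Mon Jan 01 10:00:00.000001 2024] [ssl:debug] [pid 100] ssl_engine_io.c(1): [client 10.10.10.123:50000] constructed sample line
[Mon Jan 01 10:00:00.000002 2024] [authnz_ldap:debug] [pid 100] mod_authnz_ldap.c(1): [client 10.10.10.123:50000] auth_ldap authenticate: accepting joe
[Mon Jan 01 10:00:00.000003 2024] [authz_core:debug] [pid 100] mod_authz_core.c(1): [client 10.10.10.123:50000] constructed sample line
[Mon Jan 01 10:00:00.000004 2024] [ssl:info] [pid 100] [client 10.10.10.123:50000] constructed sample line
[Mon Jan 01 10:00:00.000005 2024] [authnz_ldap:debug] [pid 100] mod_authnz_ldap.c(1): [client 10.10.10.123:50000] constructed sample line
EOF
}

# Print "module count" for each module that logged at debug or trace1-8.
debug_modules() {
    awk '
        match($0, /\] \[[a-z0-9_]+:(debug|trace[1-8])\] /) {
            # Strip the leading "] [" and trailing "] " to get module:level.
            split(substr($0, RSTART + 3, RLENGTH - 5), p, ":")
            n[p[1]]++
        }
        END { for (m in n) print m, n[m] }
    ' | sort
}

# Return 0 only if every module logging at debug/trace is listed in "$@".
check_debug_scope() {
    allowed=" $* "
    unexpected=$(debug_modules | while read -r mod count; do
        case "$allowed" in
            *" $mod "*) ;;
            *) printf '%s(%s) ' "$mod" "$count" ;;
        esac
    done)
    [ -z "$unexpected" ] && return 0
    echo "unexpected debug output from: $unexpected" >&2
    return 1
}

# Usage against a live log:
#   check_debug_scope authnz_ldap authz_core < /var/log/apache2/error.log
sample_log | check_debug_scope authnz_ldap authz_core ||
    echo "lower the LogLevel for the modules listed above"
```

On the sample input the check fails because of the single ssl:debug line, which is the situation the module-specific LogLevel settings are meant to remove.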

For even more control, consider using SetEnvIf with custom logging:

SetEnvIf Request_URI "^/secure" debug_auth
CustomLog logs/auth_debug.log combined env=debug_auth

<Location /secure>
    LogLevel debug
    # Authentication configuration
</Location>