# Fix Apache CustomLog Path Not Writable Access Log Error

Apache refuses to start after a configuration change, and the error log shows:

bash
[Thu Apr 08 08:00:01.123456 2026] [core:error] [pid 2345] (13)Permission denied: AH00091: httpd: could not open error log file /var/log/apache2/custom-access.log.
[Thu Apr 08 08:00:01.123457 2026] [core:emerg] [pid 2345] AH00025: configuration error: couldn't perform authentication. AuthType not set!: /

The Apache process cannot write to the log file specified in the CustomLog directive. This commonly happens after creating a new virtual host, changing log paths, or modifying system permissions.

Diagnosing the Permission Issue

Check the log file's current ownership and permissions:

bash
ls -la /var/log/apache2/custom-access.log
ls -la /var/log/apache2/

The Apache worker process runs as www-data on Debian/Ubuntu or apache on RHEL/CentOS. The log directory and files must be writable by this user.

Fixing File and Directory Permissions

```bash # Ensure the directory is owned by root with group writable by Apache sudo chown root:adm /var/log/apache2/ sudo chmod 750 /var/log/apache2/

# Create the log file with correct ownership sudo touch /var/log/apache2/custom-access.log sudo chown www-data:adm /var/log/apache2/custom-access.log sudo chmod 640 /var/log/apache2/custom-access.log ```

On RHEL/CentOS:

bash
sudo touch /var/log/httpd/custom-access.log
sudo chown apache:apache /var/log/httpd/custom-access.log
sudo chmod 640 /var/log/httpd/custom-access.log

SELinux Blocking Access (RHEL/CentOS)

Even with correct file permissions, SELinux may block Apache from writing to the log file:

bash
ls -Z /var/log/httpd/custom-access.log

If the SELinux context is not httpd_log_t, Apache cannot write to it:

bash
sudo chcon -t httpd_log_t /var/log/httpd/custom-access.log
sudo restorecon -v /var/log/httpd/custom-access.log

To make the fix permanent for all files in the directory:

bash
sudo semanage fcontext -a -t httpd_log_t "/var/log/httpd(/.*)?"
sudo restorecon -Rv /var/log/httpd/

AppArmor Blocking Access (Ubuntu)

On Ubuntu with AppArmor enabled, the Apache profile may restrict log file locations:

bash
sudo aa-status | grep apache
cat /etc/apparmor.d/usr.sbin.apache2 | grep log

If your custom log path is not in the AppArmor profile, either move the log file to an allowed directory (/var/log/apache2/) or update the profile:

bash
sudo nano /etc/apparmor.d/local/usr.sbin.apache2

Add:

bash
/var/log/myapp/ rw,
/var/log/myapp/** rw,

Then reload AppArmor:

bash
sudo systemctl reload apparmor

Custom Log Configuration

Once permissions are correct, configure a useful custom log format:

apache
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined_with_time
CustomLog /var/log/apache2/custom-access.log combined_with_time

The %D variable adds the request processing time in microseconds. For conditional logging (e.g., only logging errors):

apache
CustomLog /var/log/apache2/error-only.log combined env=!IS_OK
SetEnvIf Status "^2" IS_OK

This logs only non-2xx responses, keeping the error-specific log smaller and more useful.

Testing the Fix

bash
sudo apachectl configtest
sudo systemctl reload apache2
curl -s http://localhost/ > /dev/null
tail -1 /var/log/apache2/custom-access.log

If the log entry appears, the permission issue is resolved. If not, check the main error log for additional permission messages.