Apache Log Files – POFTUT

Apache Log Files


Apache, whose service name is httpd, provides logs. These logs are very helpful when detecting errors and attacks. There are two types of Apache logs by default. The logs reside in the following directories.

Log Path

Apache logs are stored in different paths because the package name differs between distributions. The DEB (apt) family uses the name apache2 and stores logs in the apache2 directory, while the RPM (yum) family uses the name httpd and stores logs in the httpd directory.

/var/log/httpd/

  • CentOS
  • Red Hat
  • Fedora

/var/log/apache2/

  • Ubuntu
  • Debian
  • Kali

Getting Log Files Directory

The log file directory can be changed in the Apache configuration. Look in the configuration files to find the exact log path.

Ubuntu, Debian, Kali

$ grep -r ErrorLog /etc/apache2

CentOS, Fedora, Red Hat

$ grep -r ErrorLog /etc/httpd

Error Logs

Error logs generally relate to service errors and HTTP request errors. The path differs between distributions, but similar paths are generally used.

We can read the error log as shown below, using less.

$ less /var/log/httpd/error_log

[Wed Nov 02 10:39:21.845702 2016] [suexec:notice] [pid 11753] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.122.179. Set the 'ServerName' directive globally to suppress this message
[Wed Nov 02 10:39:21.863409 2016] [auth_digest:notice] [pid 11753] AH01757: generating secret for digest authentication ...
[Wed Nov 02 10:39:21.863914 2016] [lbmethod_heartbeat:notice] [pid 11753] AH02282: No slotmem from mod_heartmonitor
[Wed Nov 02 10:39:21.965402 2016] [mpm_prefork:notice] [pid 11753] AH00163: Apache/2.4.6 (CentOS) PHP/5.4.16 configured -- resuming normal operations
[Wed Nov 02 10:39:21.965427 2016] [core:notice] [pid 11753] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

We can also search the error log with grep.

$ grep suexec /var/log/httpd/error_log
      
[Wed Nov 02 10:39:21.845702 2016] [suexec:notice] [pid 11753] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) 
[Wed Nov 02 12:02:22.495005 2016] [suexec:notice] [pid 11947] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) 
[Wed Nov 02 12:04:32.052658 2016] [suexec:notice] [pid 11965] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Access Logs

Access logs provide information about HTTP requests, and on a busy site they grow quickly. The access log provides the following information about each request or access attempt to our Apache web server.

  • Client IP Address
  • Date and Time
  • Request URI
  • HTTP Status Code
  • Client Browser

$ less /var/log/httpd/access_log

192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud HTTP/1.1" 301 229 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/ HTTP/1.1" 200 10986 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/styles.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 21989 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/inputs.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 8973 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/header.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 7338 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/icons.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 8018 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/fonts.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 728 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"

Search For Specific HTTP Status Errors

We can search the access log with grep, as we did with the error log. In this example we will search for HTTP status 404 errors in the access_log file.

$ grep 404 /var/log/httpd/access_log   

192.168.122.1 - - [02/Nov/2016:10:40:44 +0000] "GET /owncloud/index.php/core/preview.png?file=%2FownCloud+Manual.pdf&c=d299b7320e9d9fda4420ba86181ea2a5&x=32&y=32&forceIcon=0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:41:13 +0000] "GET /owncloud/index.php/core/preview.png?file=%2FownCloud+Manual.pdf&c=d299b7320e9d9fda4420ba86181ea2a5&x=32&y=32&forceIcon=0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
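
A plain grep for 404 matches that string anywhere in a line, including URLs, query strings and byte counts. As an added example (not from the original article), the function below checks only the status field and counts matching requests per client IP, which is the view you want when looking for a client probing for missing paths. It assumes the combined log format shown above; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count requests with a given HTTP status per client IP.
# Assumes the combined log format (request, status, bytes, referer, agent).

# status_by_client STATUS FILE -> lines of "COUNT IP", highest count first
status_by_client() {
    awk -v want="$1" '
        # The status is the 3-digit field between the closing quote of the
        # request line and the byte count (a number, or "-" for no body),
        # followed by the opening quote of the referer field.
        match($0, /" [0-9][0-9][0-9] ([0-9]+|-) "/) {
            status = substr($0, RSTART + 2, 3)
            if (status == want) hits[$1]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$2" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation IP range, not from a real server).
# The third line contains "404" in the URL and in the byte count, but its
# status is 200, so it must not be counted.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [02/Nov/2016:10:40:44 +0000] "GET /missing.png HTTP/1.1" 404 - "-" "Mozilla/5.0"
192.0.2.10 - - [02/Nov/2016:10:41:13 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.20 - - [02/Nov/2016:10:41:20 +0000] "GET /page?id=404 HTTP/1.1" 200 4040 "-" "Mozilla/5.0"
192.0.2.30 - - [02/Nov/2016:10:41:25 +0000] "GET /old HTTP/1.1" 404 209 "-" "curl/7.29.0"
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
status_by_client 404 "$tmp"
rm -f "$tmp"
```

On a real server, call it as status_by_client 404 /var/log/httpd/access_log (or the apache2 path on Debian-family systems).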

 


1 thought on “Apache Log Files”

  1. These apache logs are very helpful while detecting errors, attacks throughout the system. There are basically two types of Apache logs by default. To know more details, just go through the article.
