Apache, whose actual service name is httpd, writes log files. These logs are very helpful for detecting errors and attacks. By default there are two types of Apache logs, and they reside in the following directories.
Log Path
Apache logs are stored in different paths because the package name differs between distributions. The DEB or apt family uses the name apache2 and stores logs in the apache2 directory, while the RPM or yum family uses the name httpd and stores logs in the httpd directory.
/var/log/httpd/
- CentOS
- Red Hat
- Fedora
/var/log/apache2/
- Ubuntu
- Debian
- Kali
Getting Log Files Directory
The log file directory can be changed in the Apache configuration. Search the configuration files to find the exact log path.
Ubuntu, Debian, Kali
$ grep -r ErrorLog /etc/apache2
CentOS, Fedora, Red Hat
$ grep -r ErrorLog /etc/httpd
Error Logs
Error logs generally record service errors and HTTP request errors. The path differs between distributions, but similar paths are generally used.
We can read the error log as shown below, using less.
$ less /var/log/httpd/error_log
[Wed Nov 02 10:39:21.845702 2016] [suexec:notice] [pid 11753] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.122.179. Set the 'ServerName' directive globally to suppress this message
[Wed Nov 02 10:39:21.863409 2016] [auth_digest:notice] [pid 11753] AH01757: generating secret for digest authentication ...
[Wed Nov 02 10:39:21.863914 2016] [lbmethod_heartbeat:notice] [pid 11753] AH02282: No slotmem from mod_heartmonitor
[Wed Nov 02 10:39:21.965402 2016] [mpm_prefork:notice] [pid 11753] AH00163: Apache/2.4.6 (CentOS) PHP/5.4.16 configured -- resuming normal operations
[Wed Nov 02 10:39:21.965427 2016] [core:notice] [pid 11753] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
We can also search the error log with grep.
$ grep suexec /var/log/httpd/error_log
[Wed Nov 02 10:39:21.845702 2016] [suexec:notice] [pid 11753] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Nov 02 12:02:22.495005 2016] [suexec:notice] [pid 11947] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Nov 02 12:04:32.052658 2016] [suexec:notice] [pid 11965] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
Access Logs
Access logs generally provide information about HTTP requests, and on a busy site they grow quickly. The access log provides the following information about requests or access attempts to our Apache web server.
- Client IP Address
- Date and Time
- Request URI
- HTTP Status Code
- Client Browser
$ less /var/log/httpd/access_log
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud HTTP/1.1" 301 229 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/ HTTP/1.1" 200 10986 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/styles.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 21989 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/inputs.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 8973 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/header.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 7338 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/icons.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 8018 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/fonts.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 728 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
Search For Specific HTTP Status Errors
We can search the access log with grep, just like the error log. In this example we will search for HTTP status 404 errors in the access_log file.
$ grep 404 /var/log/httpd/access_log
192.168.122.1 - - [02/Nov/2016:10:40:44 +0000] "GET /owncloud/index.php/core/preview.png?file=%2FownCloud+Manual.pdf&c=d299b7320e9d9fda4420ba86181ea2a5&x=32&y=32&forceIcon=0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:41:13 +0000] "GET /owncloud/index.php/core/preview.png?file=%2FownCloud+Manual.pdf&c=d299b7320e9d9fda4420ba86181ea2a5&x=32&y=32&forceIcon=0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
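The search above matches the text 404 anywhere in a line, so a response size such as 10404 or a URL containing 404 is returned as well. The following added example (not part of the original article) counts requests per client by the status field only, which is the view needed when looking for a client probing for missing files. The sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: count requests with a given HTTP status per client IP,
# matching the status *field* rather than the text "404" anywhere in the line.

# Constructed sample lines in Apache "combined" format (not from a real server).
sample_access_log() {
cat <<'EOF'
192.168.122.1 - - [02/Nov/2016:10:40:44 +0000] "GET /owncloud/missing.png HTTP/1.1" 404 - "-" "Mozilla/5.0"
192.168.122.1 - - [02/Nov/2016:10:40:45 +0000] "GET /owncloud/ HTTP/1.1" 200 10404 "-" "Mozilla/5.0"
192.168.122.7 - - [02/Nov/2016:10:41:02 +0000] "GET /docs/error-404.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.122.7 - - [02/Nov/2016:10:41:05 +0000] "GET /admin.php HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.122.7 - - [02/Nov/2016:10:41:06 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.122.9 - - [02/Nov/2016:10:41:09 +0000] "GET /index.html HTTP/1.1" 200 728 "-" "Mozilla/5.0"
EOF
}

# count_status_by_client STATUS [FILE]
# Prints "COUNT IP" per client, busiest first. Reads stdin when FILE is omitted.
count_status_by_client() {
    want=$1
    shift
    # Splitting on '"' makes field 1 the "IP ident user [time]" prefix and
    # field 3 " STATUS BYTES ", so a URL with spaces cannot shift the status.
    awk -F'"' -v want="$want" '
        {
            split($1, pre, " ")      # pre[1] = client IP
            split($3, post, " ")     # post[1] = status, post[2] = bytes
            if (post[1] == want) hits[pre[1]]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# naive_match_count PATTERN
# Number of lines a plain "grep PATTERN" would return, for comparison.
naive_match_count() {
    grep -c -- "$1"
}
```

On a real server the call would be count_status_by_client 404 /var/log/httpd/access_log. A request line that itself contains a double quote is logged with a backslash escape and would shift the fields, so such lines need separate handling.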