Understanding and Configuring Apache Access Log – POFTUT

Understanding and Configuring Apache Access Log

Web servers logs provide a lot of information about the web application and user. Apache is a very popular web server used by millions of web sites. Apache provides different types of logs like access , error etc. In this tutorial, we will look at how Apache Access Log configured and try to understand log format.

Apache Access Log

Apache Access Log provides information about access to the Apache web server. When someone visits the web site or open web application through the browser Apache web server will create some log about the request.

Apache Access Log Location

Apache Access Log is stored by default in the following directories. Access log can be opened with a simple text editor like kwrite, gedit etc. or simply cat in the command line.

Ubuntu, Debian,Mint:

/var/log/apache2/access.log

CentOS, Fedora, RedHat:

/var/log/httpd/access.log

We can open the Apache Access log with the less command in Ubuntu operating system like below.

Apache Access Log Location

Apache Access Log Location

List Access Log Files

Writing access log into a single file in all time is not a feasible way. In a standard web server over time there will be a lot of access log files where they are named in a structured way. We can list access log files with the ls command like below.

List Access Log Files

List Access Log Files

The old access log file names are added 1 to the end of file names and after 2 last recent access log files older ones will be compressed in order to save space. By default gzip or gz compression is used and the compressed files are named like access.log.2.gz in order to expressed it is compressed with gzip.

Read Compressed Access Log

Over time there will be a lot of access log where most of them will be compressed with different compression algorithms like gzip, bzip etc. We may need to read these compressed access log files in a hurry and practical way. We can read these compressed access logs without decompressing or extracting with the  zless command like below.

Search, Filter and Grep Compressed Access Log

If we need more than reading a compressed access log file we can use other tools like zgrep which will grep a gzip compressed file. In this example, we will filter or grep  WebDAV in our compressed log file named  access.log.2.gz.

Search, Filter and Grep Compressed Access Log

Search, Filter and Grep Compressed Access Log

We can also search and filter in all compressed files with a single command execution. We will use glob * in order to specify all given compressed access logs like below. In this example we will search for Nmap in compressed access log files.

Search, Filter and Grep Compressed Access Log

Search, Filter and Grep Compressed Access Log

Apache Access Log Formatting

Apache Access Log provides a lot of useful information about the request and responses to those requests. Apache configuration uses directiveLogFormat to define access log format. The default log format is like below.

Here are the meanings of shortcuts.

  • %h IP address of the client
  • %l if exist identity of the client
  • %u userid of the client if the user is authenticated
  • %t date time the request has arrived
  • \"%r\" is the HTTP method the client requested which includes the HTTP verb the URI and HTTP version
  • %>s is the response code the server sends back to the client
  • %b the size of the object returned to the client

Here is an example log for Apache access

Non-existing columns will be presented with - .

List Current Access Log Formatting

The access Log format is defined in /etc/apache2/apache2.conf Ubuntu, Debian or /etc/httpd/httpd.conf in CentOS or RedHat systems. We can list the current directiveLogFormat with the following command.

List Current Access Log Formatting

List Current Access Log Formatting

Interactively Reading Apache Access Log

System administrators generally need to read Apache access log interactively in order to troubleshoot. We can use tailthe command in order to see Apace access log in real time. We will use the following command. We assume access.log resides in /var/log/apache2/access.log

Leave a Reply

Your email address will not be published. Required fields are marked *

Enjoy this blog? Please spread the word :)