Web server logs provide a lot of information about the web application and user. Apache is a very popular web server used by millions of web sites. Apache provides different types of logs like access , error etc. In this tutorial, we will look at how Apache Access Log configured and try to understand log format.
Apache Access Log
Apache Access Log provides information about access to the Apache webserver. When someone visits the web site or open web application through the browser Apache web server will create some log about the request.
Apache Access Log Location
Apache Access Log is stored by default in the following directories. The access log can be opened with a simple text editor like kwrite, gedit, etc. or simply cat in the command line.
Ubuntu, Debian,Mint:
/var/log/apache2/access.log
CentOS, Fedora, RedHat:
/var/log/httpd/access.log
We can open the Apache Access log with the less command in Ubuntu operating system like below.
$ less /var/log/apache/access.log
List Access Log Files
Writing access log into a single file in all time is not a feasible way. In a standard web server over time there will be a lot of access log files where they are named in a structured way. We can list access log files with the ls command like below.
$ ls -lh /var/log/apache2/access.*
The old access log file names are added 1 to the end of file names and after 2 last recent access log files older ones will be compressed in order to save space. By default, gzip or gz compression is used and the compressed files are named like access.log.2.gz in order to express it is compressed with gzip.
Read Compressed Access Log
Over time there will be a lot of access log where most of them will be compressed with different compression algorithms like gzip, bzip, etc. We may need to read these compressed access log files in a hurry and a practical way. We can read these compressed access logs without decompressing or extracting with the zless command like below.
$ zless /var/log/apache2/access.log.2.gzSearch, Filter and Grep Compressed Access Log
If we need more than reading a compressed access log file we can use other tools like zgrep which will grep a gzip compressed file. In this example, we will filter or grep WebDAV in our compressed log file named access.log.2.gz.
$ zgrep WebDAV /var/log/apache2/access.log.2.gz
We can also search and filter in all compressed files with single command execution. We will use glob * in order to specify all given compressed access logs like below. In this example, we will search for Nmap in compressed access log files.
$ zgrep Nmap /var/log/apache2/access.log.*.gz
Apache Access Log Formatting
Apache Access Log provides a lot of useful information about the request and responses to those requests. Apache configuration uses directiveLogFormat to define access log format. The default log format is like below.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
Here are the meanings of shortcuts.
%hIP address of the client%lif exist identity of the client%uuserid of the client if the user is authenticated%tdate time the request has arrived\"%r\"is the HTTP method the client requested which includes the HTTP verb the URI and HTTP version%>sis the response code the server sends back to the client%bthe size of the object returned to the client
Here is an example log for Apache access
127.0.0.1 - - [16/Aug/2017:07:03:45 +0300] "GET / HTTP/1.0" 200 11192 "-" "check_http/v2.2 (monitoring-plugins 2.2)"
Non-existing columns will be presented with - .
List Current Access Log Formatting
The access Log format is defined in /etc/apache2/apache2.conf Ubuntu, Debian or /etc/httpd/httpd.conf in CentOS or RedHat systems. We can list the current directiveLogFormat with the following command.
$ cat /etc/apache2/apache2.conf | grep Log
Interactively Reading Apache Access Log
System administrators generally need to read Apache access log interactively in order to troubleshoot. We can use tailthe command in order to see Apace access log in real time. We will use the following command. We assume access.log resides in /var/log/apache2/access.log
$ tail -f /var/log/apache2/access.log