Understanding and Configuring Apache Access Log – POFTUT

Understanding and Configuring Apache Access Log


Web server logs provide a lot of information about the web application and user. Apache is a very popular web server used by millions of web sites. Apache provides different types of logs like access , error etc. In this tutorial, we will look at how Apache Access Log configured and try to understand log format.

Apache Access Log

Apache Access Log provides information about access to the Apache webserver. When someone visits the web site or open web application through the browser Apache web server will create some log about the request.

Apache Access Log Location

Apache Access Log is stored by default in the following directories. The access log can be opened with a simple text editor like kwrite, gedit, etc. or simply cat in the command line.

Ubuntu, Debian,Mint:

/var/log/apache2/access.log

CentOS, Fedora, RedHat:

/var/log/httpd/access.log

We can open the Apache Access log with the less command in Ubuntu operating system like below.

$ less /var/log/apache/access.log
Apache Access Log Location
Apache Access Log Location

List Access Log Files

Writing access log into a single file in all time is not a feasible way. In a standard web server over time there will be a lot of access log files where they are named in a structured way. We can list access log files with the ls command like below.

$ ls -lh /var/log/apache2/access.*
List Access Log Files
List Access Log Files

The old access log file names are added 1 to the end of file names and after 2 last recent access log files older ones will be compressed in order to save space. By default, gzip or gz compression is used and the compressed files are named like access.log.2.gz in order to express it is compressed with gzip.

LEARN MORE  Netcat (nc) Command Tutorial With Examples

Read Compressed Access Log

Over time there will be a lot of access log where most of them will be compressed with different compression algorithms like gzip, bzip, etc. We may need to read these compressed access log files in a hurry and a practical way. We can read these compressed access logs without decompressing or extracting with the  zless command like below.

$ zless /var/log/apache2/access.log.2.gz

Search, Filter and Grep Compressed Access Log

If we need more than reading a compressed access log file we can use other tools like zgrep which will grep a gzip compressed file. In this example, we will filter or grep  WebDAV in our compressed log file named  access.log.2.gz.

$ zgrep WebDAV /var/log/apache2/access.log.2.gz
Search, Filter and Grep Compressed Access Log
Search, Filter and Grep Compressed Access Log

We can also search and filter in all compressed files with single command execution. We will use glob * in order to specify all given compressed access logs like below. In this example, we will search for Nmap in compressed access log files.

$ zgrep Nmap /var/log/apache2/access.log.*.gz
Search, Filter and Grep Compressed Access Log
Search, Filter and Grep Compressed Access Log

Apache Access Log Formatting

Apache Access Log provides a lot of useful information about the request and responses to those requests. Apache configuration uses directiveLogFormat to define access log format. The default log format is like below.

LogFormat "%h %l %u %t \"%r\" %>s %b" common

Here are the meanings of shortcuts.

  • %h IP address of the client
  • %l if exist identity of the client
  • %u userid of the client if the user is authenticated
  • %t date time the request has arrived
  • \"%r\" is the HTTP method the client requested which includes the HTTP verb the URI and HTTP version
  • %>s is the response code the server sends back to the client
  • %b the size of the object returned to the client
LEARN MORE  Apache Log Files

Here is an example log for Apache access

127.0.0.1 - - [16/Aug/2017:07:03:45 +0300] "GET / HTTP/1.0" 200 11192 "-" "check_http/v2.2 (monitoring-plugins 2.2)"

Non-existing columns will be presented with - .

List Current Access Log Formatting

The access Log format is defined in /etc/apache2/apache2.conf Ubuntu, Debian or /etc/httpd/httpd.conf in CentOS or RedHat systems. We can list the current directiveLogFormat with the following command.

$ cat /etc/apache2/apache2.conf | grep Log
List Current Access Log Formatting
List Current Access Log Formatting

Interactively Reading Apache Access Log

System administrators generally need to read Apache access log interactively in order to troubleshoot. We can use tailthe command in order to see Apace access log in real time. We will use the following command. We assume access.log resides in /var/log/apache2/access.log

$ tail -f /var/log/apache2/access.log

Leave a Comment