Apache Access Log Format

If you use the common log format for your Apache webserver log files, your log entries will look similar to those below:

80.101.90.180 - - [02/Jun/2009:15:11:51 -0400] "GET /network/email/clients/outlook/using-scanost-repairs.php HTTP/1.1" 200 4898
80.101.90.180 - - [02/Jun/2009:15:11:52 -0400] "GET /images/mplogo-white.jpg HTTP/1.1" 200 9350
80.101.90.180 - - [02/Jun/2009:15:11:52 -0400] "GET /css/style.css HTTP/1.1" 200 2816

The common log format is usually defined in the Apache configuration file, httpd.conf, as follows:

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b" common

The LogFormat line above defines which fields appear in each Apache access log entry when a browser accesses a URL on the website, provided the common log format is used for that website's log.

If the virtualhost section of the httpd.conf file for a website contains the following line, then the common log format, as specified above, will be used for that website's log entries.

CustomLog /var/log/example.log common

The common log format has the following fields:

  1. %h - the IP address of the remote host accessing your server.
  2. %l - the remote logname, aka username, of the person accessing your website, if the ident protocol is being used to identify the remote user. In most cases, your webserver won't be able to identify the remote user, so you will see a "-" in this field.
  3. %u - the userid of the person requesting the document as determined by HTTP authentication. The same value is typically provided to CGI scripts in the REMOTE_USER environment variable. If the status code for the request is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this entry will be "-" just like the previous one.
  4. %t - the time that the webserver finished processing the request will appear between "[" and "]", e.g. [02/Jun/2009:15:11:52 -0400]. The format is as follows:

    [day/month/year:hour:minute:second zone]
    day = 2*digit
    month = 3*letter
    year = 4*digit
    hour = 2*digit
    minute = 2*digit
    second = 2*digit
    zone = (`+' | `-') 4*digit

    The time zone is an offset from Greenwich Mean Time (GMT), which is also sometimes referred to as "Zulu time" or Coordinated Universal Time (UTC). E.g., -0400 is a time zone that is 4 hours behind GMT: if it is 15:11:52 local time, i.e. almost 3:12 P.M., then it is 19:11:52 GMT. You can view time zone information at The World Clock.

    It is possible to have the time displayed in another format by specifying %{format}t in the log format string, where format is as in strftime(3) from the C standard library.

  5. %r - next, within double quotes, is the request line from the web browser. E.g.

    "GET /images/mplogo-white.jpg HTTP/1.1"

    Contained between the double quotes are several useful pieces of information.

    1. First, the method used by the client appears, e.g. GET.
    2. Second, the URL requested, e.g. /images/mplogo-white.jpg.
    3. Third, the protocol used by the browser, e.g. HTTP/1.1.

    It is also possible to log one or more parts of the request line independently. For example, the format string "%m %U%q %H" will log the method, path, query-string, and protocol, resulting in exactly the same output as "%r".

  6. %>s - This is the status code that the server sends back to the client. This information is very valuable, because it reveals whether the request resulted in a successful response (codes beginning in 2), a redirection (codes beginning in 3), an error caused by the client (codes beginning in 4), or an error in the server (codes beginning in 5). The full list of possible status codes can be found in the HTTP specification (RFC2616 section 10).
  7. %b - the last entry indicates the size of the object in bytes returned to the client, not including the response headers. If no content was returned to the client, this value will be "-". To log "0" for no content, use %B instead.

If you would like to log the referer and the agent, which will reveal the browser used by visitors, then you can use the combined log format instead. You will likely see it defined in Apache's httpd.conf file as follows:

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

To use it for the website's log instead, you could use the following:

CustomLog /var/log/example.log combined

I.e., you would put combined rather than common at the end of the line. You will then need to restart the Apache webserver software for the change to take effect, which you can do with apachectl restart.
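
The field descriptions above can be turned into a small parser that accepts both common and combined lines. The following is an added example, not part of the original page or of Apache itself; the dictionary keys and the second sample line are this example's own constructions. It converts %t to UTC, treats a "-" in %b as zero bytes, and marks %u as untrusted when the status is 401.

```python
import re
from datetime import datetime, timezone

# Apache escapes '"' and '\' inside %r and %{...}i with a backslash, so a quoted
# field is matched as a run of non-quote characters or backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-)'
    + r'(?: ' + QUOTED + r' ' + QUOTED + r')?$'
)

# Sample input: the first line is from the page, the second is constructed.
SAMPLE = [
    '80.101.90.180 - - [02/Jun/2009:15:11:51 -0400] "GET /network/email/clients/outlook/using-scanost-repairs.php HTTP/1.1" 200 4898',
    '192.0.2.10 - alice [02/Jun/2009:15:12:03 -0400] "GET /private/ HTTP/1.1" 401 - "-" "ExampleAgent/1.0"',
]

def parse_line(line):
    """Parse one common or combined log line; return a dict, or None if malformed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    host, logname, user, when, request, status, size, referer, agent = m.groups()
    try:
        # %t carries a zone offset; normalise to UTC so hosts in different zones line up.
        when_utc = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    except ValueError:
        return None
    status = int(status)
    parts = request.split(" ")
    # A malformed request line may not split into method, URL and protocol.
    method, url, protocol = parts if len(parts) == 3 else (None, None, None)
    user = None if user == "-" else user
    return {
        "host": host, "logname": logname, "user": user,
        # On a 401 the %u value is only what the client claimed, not an authenticated user.
        "user_trusted": user is not None and status != 401,
        "time_utc": when_utc,
        "request": request, "method": method, "url": url, "protocol": protocol,
        "status": status,
        "size": 0 if size == "-" else int(size),  # %b logs "-" when no body was sent
        "referer": referer, "agent": agent,       # both None for common-format lines
    }
```
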


 
