Apache Access Log Format

If you use the common log format for your Apache webserver log files, your log entries will look similar to those below: - - [02/Jun/2009:15:11:51 -0400] "GET /network/email/clients/outlook/using-scanost-repairs.php HTTP/1.1" 200 4898 - - [02/Jun/2009:15:11:52 -0400] "GET /images/mplogo-white.jpg HTTP/1.1" 200 9350 - - [02/Jun/2009:15:11:52 -0400] "GET /css/style.css HTTP/1.1" 200 2816

The common log format is usually defined in the Apache configuration file, httpd.conf as follows:

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b" common

The LogFormat line above defines what entries will appear in the Apache access log when a browser access URLs on the website, whenever the common log format is used for the log for that website.

If you have the following line for a website in the virtualhost section of the httpd.conf file, then the common log format will be used for the log entries with the format specified above for it.

CustomLog /var/log/example.log common

The common log format has the following fields:

  1. %h - the IP address of the remote host accessing your server.
  2. %l - the remote logname, aka username, of the person accessing your website, if the ident protocol is being used to identify the remote user. In most cases, your webserver won't be able to identify the remote user, so you will see a "-" in thie field.
  3. %u - the userid of the person requesting the document as determined by HTTP authentication. The same value is typically provided to CGI scripts in the REMOTE_USER environment variable. If the status code for the request is 401, then this value should not be trusted because the user is not yet authenticated. If the document is not password protected, this entry will be "-" just like the previous one.
  4. %t - the time that the webserver finished processing the request will appear between "[" and "]", e.g. [02/Jun/2009:15:11:52 -0400]. The format is as follows:

    [day/month/year:hour:minute:second zone]
    day = 2*digit
    month = 3*letter
    year = 4*digit
    hour = 2*digit
    minute = 2*digit
    second = 2*digit
    zone = (`+' | `-') 4*digit

    The time zone is an offset from Greenwich Mean Time (GMT), which is also sometimes referred to as "Zulu time" or Coordinated Universal Time (UTC). E.g. -0400 is a time zone that has a time 4 hours less than GMT time. E.g., if it is 15:11:52 local time, i.e. almost 3:12 P.M., then it would be 19:11:52 GMT time. You can view time zone information at the The World Clock.

    It is possible to have the time displayed in another format by specifying %{format}t in the log format string, where format is as in strftime(3) from the C standard library.

  5. %r - next, within double quotes, is the request line from the web browser. E.g.

    "GET /images/mplogo-white.jpg HTTP/1.1"

    Contained between the double quotes are several useful pieces of information.

    1. First, the method used by the client appears, e.g. GET.
    2. Second, the URL requested, e.g. /images/mplogo-white.jpg.
    3. Third, the protocol used by the browser, e.g. HTTP/1.1.

    It is also possible to log one or more parts of the request line independently. For example, the format string "%m %U%q %H" will log the method, path, query-string, and protocol, resulting in exactly the same output as "%r".

  6. %>s - This is the status code that the server sends back to the client. This information is very valuable, because it reveals whether the request resulted in a successful response (codes beginning in 2), a redirection (codes beginning in 3), an error caused by the client (codes beginning in 4), or an error in the server (codes beginning in 5). The full list of possible status codes can be found in the HTTP specification (RFC2616 section 10).
  7. %b - the last entry indicates the size of the object in bytes returned to the client, not including the response headers. If no content was returned to the client, this value will be "-". To log "0" for no content, use %B instead.

If you would like to log the referer and the agent, which will reveal the browser used by visitors, then you can used the combined log format instead. You will likely see it defined in Apache's httpd.conf file as follows:

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

To use it instead, for the log entry for the website, you could use the following:

CustomLog /var/log/example.log combined

I.e., you would put combined rather than common at the end of the line. You will then need to restart the Apache webserver software for the change to take affect, which you can do with apachectl restart.


  1. Gathering Visitor Information: Customising Your Logfiles
    First published: 7th February 1997
    Apache Week - The essential free resource for users of the world's most popular web server
  2. Log Files - Apache HTTP Server
    The Apache HTTP Server Project


TechRabbit ad 300x250 newegg.com

Justdeals Daily Electronics Deals1x1 px

Valid HTML 4.01 Transitional