Defining Log Formats
Apache log files conform to the Common Log Format (CLF). CLF is a standard used by all web server vendors. Using this format means that the logs generated by Apache servers can be processed by any log-analysis tool that also conforms to the standard, and most do. The format of a standard CLF entry is defined by the following LogFormat directive from our sample httpd.conf file:
LogFormat "%h %l %u %t \"%r\" %>s %b" common
A CLF entry contains seven fields, each represented by a parameter in the LogFormat directive:
%h Logs the IP address or hostname of the client. If HostnameLookups is set to on, this is the client's fully qualified hostname. On the sample Red Hat system, this would be the IP address because HostnameLookups is turned off to enhance server performance.
%l Logs the username assigned to the user on the client. The username is retrieved using the identd protocol. Most clients do not run identd, and thus do not provide this information, so this field usually contains a hyphen to indicate a missing value.
%u Logs the username used to access a password protected web page. This should match a name defined in the AuthUser file or the AuthDBMUser database you created for the server. Most documents are not password-protected; therefore, in most log entries, this field contains a hyphen.
%t Logs the date and time.
%r Logs the first line of the request, which is often the URL of the requested document. The \" characters are just there to insert quotes in the output.
%>s Logs the status of the last request. This is the three-digit response code that the server returned to the client. (More on response codes in a minute.) The > is a literal character that will appear in the log file in front of the response code.
%b Logs the number of bytes sent.
The format of the LogFormat directive is enclosed in quotes. The label "common" is not part of the format. It is an arbitrary string used to tie the LogFormat directive to a CustomLog directive. In the default Red Hat configuration, this particular LogFormat directive is not used by a CustomLog directive. Instead, the Red Hat configuration uses the following "combined" LogFormat.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" A\"%{User-Agent}i\"" combined
Notice that this LogFormat starts with the same seven parameters as the "common" format to which it adds more information. Apache logs can be customized to log just the information you want to track.
In addition to the standard CLF fields, Apache can log the contents of any header records received or sent. For example, to log the value received from the client in the User-agent header, add the following to a LogFormat directive:
%{User-agent)i
This works for any header. Simply replace User-agent with the name of the header. The i indicates this is an input header. To log an output header, use an o at the end of the description.
The "combined" LogFormat used on our sample Red Hat system logs everything in the CLF plus the contents of the input User-agent and Referer headers. The User-agent header contains the name of the browser used by the client. The Referer header contains the name of the remote server that linked to your web page.
In this tutorial:
- Apache Web Server
- Installing Apache
- Running httpd
- Configuring the Apache Server
- The httpd.conf File
- Loading Dynamic Shared Objects
- Basic Server Directives
- Multi-Homed Server Configuration
- Defining Where Things Are Stored
- Creating a Fancy Index
- Defining File Types
- Managing Child Processes
- Performance Tuning Directives
- Caching Directives
- Defining Virtual Hosts
- Web Server Security
- The CGI and SSI Threat
- Server Options for Documents and Directories
- Directory-Level Configuration Controls
- Defining Access Controls
- Requiring User Authentication
- High-Performance User Authentication
- Configuring SSL
- Managing Your Web Server
- Monitoring Your Server
- Apache Logging
- Defining Log Formats
- Using Conditional Logging