Understanding the Apache Access Log Format

This article provides a brief introduction to the Apache access log format.

Server Settings

OS version

[root@Webserver local]# cat /proc/version
Linux version 4.9.51-10.52.amzn1.x86_64 (mockbuild@gobi-build-64010) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Fri Sep 29 01:16:19 UTC 2017

Apache version

[root@localhost]# httpd -v
Server version: Apache/2.4.27 (Amazon)

The Apache configuration file is normally /etc/httpd/conf/httpd.conf, depending on the OS.

Output destination for Apache Access Log

The output destination of the access log is determined by "CustomLog".

[root@Webserver ~]# less /etc/httpd/conf/httpd.conf
CustomLog "logs/access_log" combined

CustomLog is written as a relative path in the default configuration.

A relative path is resolved against the directory set by "ServerRoot".

The "ServerRoot" setting is also described in the same file.

[root@Webserver ~]# less /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"

So in this example, the location of CustomLog is /etc/httpd/logs/access_log, since it is resolved as "ServerRoot/logs/access_log".

[root@Webserver ~]# ls -l /etc/httpd/
total 12
drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf
drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf.d
drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf.modules.d
lrwxrwxrwx 1 root root   14 Oct 27 13:36 logs -> /var/log/httpd
lrwxrwxrwx 1 root root   24 Oct 27 13:36 modules -> /usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   14 Oct 27 13:36 run -> /var/run/httpd

As you can see, "/etc/httpd/logs" is a symbolic link to "/var/log/httpd". This means the location of the access log is "/var/log/httpd/access_log".

[root@Webserver ~]# ls -l /var/log/httpd
total 8
-rw-r--r-- 1 root root 1285 Oct 27 13:44 access_log
-rw-r--r-- 1 root root 1832 Oct 27 15:02 error_log

Apache Access Log Format

The format of the Apache access log is determined by the LogFormat section in /etc/httpd/conf/httpd.conf.

[root@Webserver ~]# less /etc/httpd/conf/httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

Please refer to the official Apache documentation below for details on custom log formats.

The last part of the LogFormat line, such as "combined" or "common", is called the nickname.

The CustomLog line introduced earlier also ends with a nickname.

The access log is written in the LogFormat whose nickname matches the one on CustomLog.

CustomLog "logs/access_log" combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

CustomLog outputs the access log in the upper LogFormat, since both nicknames are "combined".

The actual access log in the format whose nickname is "combined" looks like the following.

[root@Webserver ~]# less /var/log/httpd/access_log
XXX.XXX.XXX.XXX - - [27/Oct/2017:04:44:01 +0000] "GET / HTTP/1.1" 403 4891 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

Next, edit the descriptions of CustomLog and LogFormat in /etc/httpd/conf/httpd.conf and see how the access log changes.

[root@Webserver ~]# vi /etc/httpd/conf/httpd.conf
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
#LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t" test
#CustomLog "logs/access_log" combined
CustomLog "logs/access_log" test

Let's take a look at the access log with a configuration in which everything after %t is deleted from the LogFormat and the nickname is set to test.

The output looks like this.

[root@Webserver ~]# less /var/log/httpd/access_log
200.XXX.XXX.20 - - [27/Oct/2017:05:05:36 +0000]

Because of the format we set, each line now ends at %t, "the time when the request was received".
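
As an added example (not from the original post), the Python sketch below turns a LogFormat string such as the "combined" or "test" line above into a parser and applies it to constructed sample lines. The function names are assumptions of this example, and it covers only the directives shown on this page.

```python
import re
from datetime import datetime
# Body of a double-quoted field; httpd writes an embedded quote as \" .
QUOTED = r'(?:[^"\\]|\\.)*'
# Only the directives that appear in the page's LogFormat lines.
FIELD = {
    "%h": r"(?P<host>\S+)", "%l": r"(?P<ident>\S+)", "%u": r"(?P<user>\S+)",
    "%t": r"\[(?P<time>[^\]]+)\]", "%>s": r"(?P<status>\d{3})",
    "%b": r"(?P<bytes>\d+|-)", "%r": f"(?P<request>{QUOTED})",
    "%{Referer}i": f"(?P<referer>{QUOTED})",
    "%{User-Agent}i": f"(?P<user_agent>{QUOTED})",
}
TOKEN = re.compile(r"%\{[^}]+\}i|%>s|%[a-zA-Z]")

def compile_logformat(fmt):
    """Turn a LogFormat string (as written in httpd.conf) into a regex."""
    fmt = fmt.replace('\\"', '"')          # httpd.conf escapes the quotes
    parts, pos = [], 0
    for m in TOKEN.finditer(fmt):
        if m.group() not in FIELD:
            raise ValueError("unsupported directive: " + m.group())
        parts += [re.escape(fmt[pos:m.start()]), FIELD[m.group()]]
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("".join(parts))

def parse_line(regex, line):
    """Return a dict of typed fields, or None if the line does not fit."""
    m = regex.fullmatch(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    if "time" in rec:
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    if "status" in rec:
        rec["status"] = int(rec["status"])
    if "bytes" in rec:                      # %b logs "-" when no bytes were sent
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

COMBINED = r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"'
TEST = "%h %l %u %t"
# Constructed sample lines (192.0.2.10 is a documentation address).
LINE = ('192.0.2.10 - - [27/Oct/2017:04:44:01 +0000] "GET / HTTP/1.1" 403 4891 '
        '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"')
TRICKY = r'192.0.2.10 - - [27/Oct/2017:04:44:01 +0000] "GET / HTTP/1.1" 200 - "-" "a \"b\" c"'

if __name__ == "__main__":
    print(parse_line(compile_logformat(COMBINED), TRICKY))
```

A line that does not fit the compiled format returns None, which is what a parser written for "combined" will see once CustomLog is switched to the "test" nickname.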

This blog post is translated from a blog post written by Kenta Miyazaki on our Japanese website Beyond Co.