[Apache] Understanding access log format settings
Hello.
This is Miyazaki from the System Solutions Department.
In this article, I would like to briefly introduce the formatting of Apache access logs.
Server settings
OS version

    [root@Webserver local]# cat /proc/version
    Linux version 4.9.51-10.52.amzn1.x86_64 (mockbuild@gobi-build-64010) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Fri Sep 29 01:16:19 UTC 2017

Apache version

    [root@localhost]# httpd -v
    Server version: Apache/2.4.27 (Amazon)

The Apache configuration file is /etc/httpd/conf/httpd.conf; its location varies depending on the OS.
Apache access log output destination
The output destination of the access log is determined by the CustomLog directive.

    [root@Webserver ~]# less /etc/httpd/conf/httpd.conf
    CustomLog "logs/access_log" combined

CustomLog is written with a relative path by default.
This relative path is resolved relative to the directory set in "ServerRoot".
The "ServerRoot" setting is also written in this httpd.conf file.

    [root@Webserver ~]# less /etc/httpd/conf/httpd.conf
    ServerRoot "/etc/httpd"

In other words, the CustomLog path is ServerRoot/logs/access_log, which is /etc/httpd/logs/access_log.

    [root@Webserver ~]# ls -l /etc/httpd/
    total 12
    drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf
    drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf.d
    drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf.modules.d
    lrwxrwxrwx 1 root root 14 Oct 27 13:36 logs -> /var/log/httpd
    lrwxrwxrwx 1 root root 24 Oct 27 13:36 modules -> /usr/lib64/httpd/modules
    lrwxrwxrwx 1 root root 14 Oct 27 13:36 run -> /var/run/httpd

/etc/httpd/logs is a symbolic link to /var/log/httpd.
This means that the access log is actually located at /var/log/httpd/access_log.

    [root@Webserver ~]# ls -l /var/log/httpd
    total 8
    -rw-r--r-- 1 root root 1285 Oct 27 13:44 access_log
    -rw-r--r-- 1 root root 1832 Oct 27 15:02 error_log

Apache access log format
The format of the Apache access log is determined by the LogFormat directive in /etc/httpd/conf/httpd.conf.

    [root@Webserver ~]# less /etc/httpd/conf/httpd.conf
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

For details on the custom log format strings, please check the official Apache documentation below.
http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
The last part of a LogFormat line, "combined" or "common", is called a nickname.
A nickname is also written in CustomLog, the access log output destination introduced earlier, and the access log is written in the LogFormat that has the same nickname.

    CustomLog "logs/access_log" combined

This CustomLog has the nickname combined, so of the two LogFormat lines below,

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

the access log is output in the LogFormat whose nickname is combined.
An actual access log line written in the format with the nickname combined looks like this:

    [root@Webserver ~]# less /var/log/httpd/access_log
    XXX.XXX.XXX.XXX - - [27/Oct/2017:04:44:01 +0000] "GET / HTTP/1.1" 403 4891 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

Next, let's edit the CustomLog and LogFormat descriptions in /etc/httpd/conf/httpd.conf and look at the access log.

    [root@Webserver ~]# vi /etc/httpd/conf/httpd.conf
    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    #LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %l %u %t" test
    #CustomLog "logs/access_log" combined
    CustomLog "logs/access_log" test

With everything after %t deleted from LogFormat, let's look at the access log with the nickname set to test.
What will be the output?

    [root@Webserver ~]# less /var/log/httpd/access_log
    200.XXX.XXX.20 - - [27/Oct/2017:05:05:36 +0000]

As specified by the LogFormat, only the fields up to %t (the time the request was received) are output.
Summary
I looked into the formatting of the access log, which I had been wondering about myself.
I actually edited httpd.conf, changed the displayed items, and checked the access log.
That's it.