[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

[Apache] Understanding access log format settings

Image of multilingual reservation system “EDISONE”

Hello.

This is Miyazaki from the System Solutions Department.

In this article, I would like to briefly introduce the formatting of apache access logs.

server settings

OS version

[root@Webserver local]# cat /proc/version Linux version 4.9.51-10.52.amzn1.x86_64 (mockbuild@gobi-build-64010) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC ) ) #1 SMP Fri Sep 29 01:16:19 UTC 2017

apache version

[root@localhost]# httpd -v Server version: Apache/2.4.27 (Amazon)

The apache configuration file is written in /etc/httpd/conf/httpd.conf, depending on the OS.

Apache access log output destination

The output destination of the access log is determined by CustomLog.

[root@Webserver ~]# less /etc/httpd/conf/httpd.conf CustomLog "logs/access_log" combined

CustomLog is written with a relative path by default.
This relative path is represented by the relative path of the item "ServerRoot".

The "ServerRoot" setting is also written in this httpd.conf file.

[root@Webserver ~]# less /etc/httpd/conf/httpd.conf ServerRoot "/etc/httpd"

In other words, the position of CustomLog is

Since ServerRoot/logs/access_log
is /etc/httpd/logs/acces_log.

[root@Webserver ~]# ls -l /etc/httpd/ total 12 drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf drwxr-xr-x 2 root root 4096 Oct 27 13:36 conf.d drwxr -xr-x 2 root root 4096 Oct 27 13:36 conf.modules.d lrwxrwxrwx 1 root root 14 Oct 27 13:36 logs -> /var/log/httpd lrwxrwxrwx 1 root root 24 Oct 27 13:36 modules -> /usr/lib64/httpd/modules lrwxrwxrwx 1 root root 14 Oct 27 13:36 run -> /var/run/httpd

/etc/httpd/logs/ has been replaced with /var/log/httpd.
This means that the access log will be located at /var/log/httpd/access_log.

[root@Webserver ~]# ls -l /var/log/httpd total 8 -rw-r--r-- 1 root root 1285 Oct 27 13:44 access_log -rw-r--r-- 1 root root 1832 Oct 27 15:02 error_log

apache access log format

The format of the apach access log is determined by the LogFormat part in /etc/httpd/conf/httpd.conf.

[root@Webserver ~]# less /etc/httpd/conf/httpd.conf LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \" %{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common

For details on the custom log format, please check the apache official document below.
http://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats

The last part of LogFormat that says "combined" or "common" is called a nickname.

A nickname is also written in CustomLog, which is the access log output destination introduced earlier, and
the LogFormat format with the same nickname is output to the access log.

CustomLog "logs/access_log" combined

This CustomLog has a nickname combined, so

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l % u %t \"%r\" %>s %b" common

Outputs the access log in the LogFormat format above.

In fact, the access log in the format where nickname is combined looks like this:

[root@Webserver ~]# less /var/log/httpd/access_log XXX.XXX.XXX.XXX - - [27/Oct/2017:04:44:01 +0000] "GET / HTTP/1.1" 403 4891 " -" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

Next, let's edit the CustomLog and LogFormat descriptions in /etc/httpd/conf/httpd.conf and look at the access log.

[root@Webserver ~]# vi /etc/httpd/conf/httpd.conf #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \ "%{User-Agent}i\"" combined #LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%h %l %u %t" test #CustomLog "logs/access_log" combined CustomLog "logs/access_log" test

After deleting %t in LogFormat, let's look at the access log with the nickname set to test.
What will be the output?

[root@Webserver ~]# less /var/log/httpd/access_log 200.XXX.XXX.20 - - [27/Oct/2017:05:05:36 +0000]

As per the LogFormat format, up to %t "time when the request was received" is displayed.

summary

I looked into the formatting of accesslog, which I was wondering about myself.
when I actually edited httpd.conf, changed the displayed items, and
checked the access log.

That's it.

If you found this article helpful , please give it a like!
2
Loading...
2 votes, average: 1.00 / 12
21,860
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!

[Osaka/Yokohama] Actively recruiting infrastructure engineers and server side engineers!

The person who wrote this article

About the author

Kenta Miyazaki

I joined Beyond in 2017 as a new graduate.

We provide 24-hour, 365-day operation, maintenance, and monitoring services for servers and clouds used by companies that primarily provide web-based services.
I belong to the System Solutions Department, and my job is to improve Beyond's operations so that our customers can focus on their business.

Certifications: AWS Certified Solutions Architect, GCP Professional Cloud Architect, Linuc1