[Apache] A simple guide to reading access logs! *Updated February 2025

Hello!
I'm Inoue, a Persian cat from Beyond Co., Ltd.'s Shikoku office.
As an infrastructure engineer, I frequently look at access logs while troubleshooting daily.
In this article, I will provide a simple explanation of how to read Apache access logs.
Click here to learn how to read Nginx access logs, which are often compared to Apache.
What is an access log?
An access log is a history of connections to a server and records information such as the date and time, the IP address of the access source, the requested page, and the browser and device used.
One example of how we infrastructure engineers use access logs is when responding to alerts.
We check the access log of the server for which the alert was issued and see whether the number of accesses has increased or decreased compared to normal times. If the number of accesses has suddenly increased, it means that the server is under heavy load.
We may also check the pages being accessed to make sure they actually exist.
Let's take a look at the Apache access log!
[root@test-aws-harukainoue httpd]# tail access_log
xxx.xx.xx.xxx - - [11/Dec/2019:12:01:22 +0000] "GET / HTTP/1.0" 200 35 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36"
* Only part of the output is shown
There are a bunch of alphanumeric characters and symbols lined up that I don't really understand.
Let's analyze the access log!
The default Apache configuration file is /etc/httpd/conf/httpd.conf.
If you look inside the "/etc/httpd/conf/httpd.conf" file, it contains:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "logs/access_log" combined
This tells us that the combined format is set as the default.
Logs are written in this format.
| Format string | Meaning | Access log value | Remarks |
| %h | IP address of the remote host | xxx.xx.xx.xxx | |
| %l | The user name of the connecting source | - (Not set) | In most cases, this is set to -, but if mod_ident exists on the server and the IdentityCheck directive is set to On, a value will be output. |
| %u | Remote user | - (Not set) | |
| %t | The date and time of access | 2019/11/11 12:01 | |
| \"%r\" | Request line (the accessed file) | ・Method = GET ・Resource = / ・Protocol = HTTP/1.0 | * Backslashes are displayed as "\" |
| %>s | Status code | 200 (normal) | |
| %b | Amount of data transferred for the resource | 35 bytes | |
| \"%{Referer}i\" | Access source URL | - (Not set) | It will output whether the user came via another site or |
| \"%{User-Agent}i\" | The OS and browser the access came from | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36 | ・OS = Linux ・Browser = Chrome |
A little bit about the meaning of status codes
A status code is a code that a web server and a web browser use to communicate their status.
・200 = Request successful
・301 = The requested page has been moved to another page
・302 = Temporarily moving to another page
・403 = No permission to view the requested page
・404 = The requested page does not exist
・500 = An error occurred on the server side
Summary
Being able to view access logs will greatly improve your infrastructure engineering skills!
Whenever I respond to alerts on a daily basis and the load on my web server suddenly increases, I always check the access logs.
Checking the access logs also reveals whether there has been any aggressive access.
I, too, am constantly checking the access logs! ('・ω・')
By writing this blog post, my understanding has also deepened.
I will continue to experiment and write blogs about my favorite commands and things I personally want to understand more about.
Also, while we explained how to read Apache access logs this time, another member has also written a blog post on how to read nginx access logs, so please take a look at that as well!
[nginx] Explaining how to view, configure, and locate access logs
Growing every day, progressing every day.
I have to update myself every day!!!
Thank you for reading to the end.