[Apache] Easy explanation of how to read access logs! *Updated in 2024
Hello!
This is Inoue, a Persian cat from Beyond Shikoku Office.
To put it in a cool way, as an MSP, I often see access logs as I deal with problems on a daily basis.
This time, MSP is required! ! I would like to briefly explain how to read Apache access logs.
What is an access log?
The access log the history of connections to the server . Information such as date and time, IP address from which the visit was made, the page requested, and the browser and device used are recorded.
One example of how we as an MSP use access logs is for alert response.
Check the access log of the server with the alert and see if the number of accesses has increased or decreased compared to normal times. If the number of accesses increases rapidly, it means that the server is under a heavy load.
We may also check the pages being accessed to confirm that they actually exist.
Let's take a look at Apache's access log!
[root@test-aws-harukainoue httpd]# tail access_log xxx.xx.xx.xxx - - [11/Dec/2019:12:01:22 +0000] "GET / HTTP/1.0" 200 35 "-" " Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36"
*This is an excerpt from the execution results.
There are a lot of alphanumeric characters and symbols that I don't understand.
Let's analyze the access log!
By default, Apache's configuration file is written in
/etc/httpd/conf/httpd.conf Looking inside the "/etc/httpd/conf/httpd.conf" file,
LogFormat "%h %l %u %t \"%r\" %t %b \"%{Referer}i\" \"%{User-Agent}i\"" combined CustomLog "logs/access_log" combined
You can see that the format "combined" is set by default.
Logs are displayed according to this format.
format string | Meaning of format | Access log value | remarks |
%h | remote host IP address | xxx.xx.xx.xxx | |
%l | Connecting user name | -(Not set) | This is usually -, but if mod_ident exists on the server and the IdentityCheck directive is set to On, the value will be output. |
%u | remote user | -(Not set) | |
%t | Date and time accessed | 2019/11/11 12:01 | |
\"%r\" | File accessed | ・Action = GET
・HTTP = protocol ・Resource = 1.0 |
*Backslashes are displayed as "\". |
%>s | status code | 200 (normal) | |
%b | Feeding amount for resources | 35 bytes | |
\"%{Referer}i\" | URL of access source | -(Not set) | whether you came via some other site or accessed directly from the URL. |
\"%{User-Agent}i\" | What OS and which browser did you use to access it? | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36 | ・OS = Linux
・Browser = Chrome |
Let's learn a little about the meaning of status codes
A status code a web server and web browser to communicate the status of each other
・200 = Request successful
・301 = The requested page has been moved to another page
・302 = Temporarily moved to another page
・403 = You do not have permission to view the requested page
・404 = The requested page exists No
/ 500 = Error occurred on the server side
summary
If you can see access logs, your MSP power will skyrocket!
While responding to alerts on a daily basis, I always check the access logs when the load on the web server suddenly increases.
You can also check the access log to see if there has been any offensive access.
I am also looking at the access log with intense eyes! (`・ω・´)
Writing this on my blog has deepened my understanding.
I will continue to repeat trial and error and
write blogs about my favorite commands and things that I personally want to understand better.
Also, this time I explained how to read Apache's access log, but a member also wrote a blog about how to read nginx's access log, so please take a look at that as well!
[nginx] Explaining how to view, settings, location, etc. of access logs
Growing every day, moving forward every day.
I have to update myself every day! ! !
Thank you for reading to the end.
▼ Click here for cloud/server operation monitoring service (24 hours a day, 365 days a year)
Cloud/server operation monitoring service (24 hours a day, 365 days a year)