[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

[Apache] Easy explanation of how to read access logs! *Updated in 2024

Hello!
This is Inoue, a Persian cat from Beyond Shikoku Office.

To put it in a cool way, as an MSP, I often see access logs as I deal with problems on a daily basis.
This time, MSP is required! ! I would like to briefly explain how to read Apache access logs.

What is an access log?

The access log the history of connections to the server . Information such as date and time, IP address from which the visit was made, the page requested, and the browser and device used are recorded.

One example of how we as an MSP use access logs is for alert response.

Check the access log of the server with the alert and see if the number of accesses has increased or decreased compared to normal times. If the number of accesses increases rapidly, it means that the server is under a heavy load.

We may also check the pages being accessed to confirm that they actually exist.

Let's take a look at Apache's access log!

[root@test-aws-harukainoue httpd]# tail access_log xxx.xx.xx.xxx - - [11/Dec/2019:12:01:22 +0000] "GET / HTTP/1.0" 200 35 "-" " Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36"

*This is an excerpt from the execution results.

There are a lot of alphanumeric characters and symbols that I don't understand.

Let's analyze the access log!

By default, Apache's configuration file is written in
/etc/httpd/conf/httpd.conf Looking inside the "/etc/httpd/conf/httpd.conf" file,

LogFormat "%h %l %u %t \"%r\" %t %b \"%{Referer}i\" \"%{User-Agent}i\"" combined CustomLog "logs/access_log" combined

You can see that the format "combined" is set by default.
Logs are displayed according to this format.

format string Meaning of format Access log value remarks
%h remote host IP address xxx.xx.xx.xxx
%l Connecting user name -(Not set) This is usually -, but
if mod_ident exists on the server and the IdentityCheck directive is set to On, the value will be output.
%u remote user -(Not set)
%t Date and time accessed 2019/11/11 12:01
\"%r\" File accessed ・Action = GET

・HTTP = protocol

・Resource = 1.0

*Backslashes are displayed as "\".
%>s status code 200 (normal)
%b Feeding amount for resources 35 bytes
\"%{Referer}i\" URL of access source -(Not set) whether you came via some other site or
accessed directly from the URL.
\"%{User-Agent}i\" What OS and which browser did you use to access it? Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36 ・OS = Linux

・Browser = Chrome

Let's learn a little about the meaning of status codes

A status code a web server and web browser to communicate the status of each other

200 = Request successful
301 = The requested page has been moved to another page
302 = Temporarily moved to another page
403 = You do not have permission to view the requested page
404 = The requested page exists No
/ 500 = Error occurred on the server side

summary

If you can see access logs, your MSP power will skyrocket!

While responding to alerts on a daily basis, I always check the access logs when the load on the web server suddenly increases.
You can also check the access log to see if there has been any offensive access.
I am also looking at the access log with intense eyes! (`・ω・´)
Writing this on my blog has deepened my understanding.

I will continue to repeat trial and error and
write blogs about my favorite commands and things that I personally want to understand better.

Also, this time I explained how to read Apache's access log, but a member also wrote a blog about how to read nginx's access log, so please take a look at that as well!

[nginx] Explaining how to view, settings, location, etc. of access logs

Growing every day, moving forward every day.
I have to update myself every day! ! !
Thank you for reading to the end.

▼ Click here for cloud/server operation monitoring service (24 hours a day, 365 days a year)

Cloud/server operation monitoring service (24 hours a day, 365 days a year)

If you found this article helpful , please give it a like!
16
Loading...
16 votes, average: 1.00 / 116
232,269
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

The person who wrote this article

About the author

Akika Inoue

Belongs to the System Solutions Department.
He joined Beyond as a founding member of the Shikoku office.
I jumped into the IT industry with no experience. As an education team, we create curriculum and conduct training for new graduates, mid-career, and existing members.
The main business is server operation and maintenance.
Either way, we value your content.
Also belongs to the Web Content Division and YouTube Team.