[Apache] A simple guide to reading access logs! *Updated February 2025

Hello!
I'm Inoue, the Persian cat at Beyond Shikoku office.
As an infrastructure engineer, I frequently encounter access logs while dealing with system failures on a daily basis.
This time, I'd like to give a simple explanation of how to interpret Apache access logs.
*For information on how to view Nginx access logs, which are often compared to Apache, please click here.
What is an access log?
An access log is a record of connections to a server. It records information such as the date and time, the IP address of the access source, the requested page, and the browser and device used.
One example of how we infrastructure engineers use access logs is to respond to alerts.
Check the access log of the server for which the alert has been issued and see if the number of accesses has increased or decreased compared to normal times. If the number of accesses has suddenly increased, it means that the server is under heavy load.
We may also check the pages being accessed to make sure they actually exist.
Let's take a look at the Apache access log!
[root@test-aws-harukainoue httpd]# tail access_log
xxx.xx.xx.xxx - - [11/Dec/2019:12:01:22 +0000] "GET / HTTP/1.0" 200 35 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36"
* Only part of the output is shown.
There are a bunch of alphanumeric characters and symbols that I don't really understand lined up.
Let's analyze the access log!
By default, Apache's configuration file is located at /etc/httpd/conf/httpd.conf.
If you look inside the "/etc/httpd/conf/httpd.conf" file...
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "logs/access_log" combined
As shown here, the "combined" format is set as the default.
The logs are displayed according to this format.
| Format string | Meaning | Access log value | Remarks |
|---|---|---|---|
| %h | IP address of the remote host | xxx.xx.xx.xxx | |
| %l | User name of the connecting source | - (Not set) | This field is usually blank, but if mod_ident exists on the server and the IdentityCheck directive is set to On, a value will be output. |
| %u | Remote user | - (Not set) | |
| %t | The date and time of access | 2019/11/11 12:01 | |
| \"%r\" | Accessed file (the request line) | ・Action = GET ・Resource = / ・Protocol = HTTP/1.0 | * Backslashes are displayed as "\" |
| %>s | Status code | 200 (normal) | |
| %b | Amount of data transferred for the resource | 35 bytes | |
| \"%{Referer}i\" | Access source URL | - (Not set) | This will show whether or not the user accessed the site via another website. |
| \"%{User-Agent}i\" | OS and browser used for the access | Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36 | ・OS = Linux ・Browser = Chrome |
A little bit about the meaning of status codes
A status code is a numeric code used by web servers and web browsers to communicate their respective states to each other.
・200 = Request successful
・301 = The requested page has been redirected to another page
・302 = Temporarily redirecting to another page
・403 = You do not have permission to view the requested page
・404 = The requested page does not exist
・500 = An error occurred on the server side
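The field-by-field reading in the table above and the alert checks described earlier can also be scripted. The following is an added example, not code from the original post: a parser for the combined format that counts requests per minute and 4xx/5xx responses per client. The function names and every sample line after the first are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field; Apache escapes inner quotes as \"
COMBINED = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-) '
    + QUOTED + ' ' + QUOTED + r'\s*$'
)
FIELDS = ("host", "ident", "user", "time", "request", "status", "size", "referer", "agent")

def parse_line(line):
    """Split one combined-format line into a dict; None if it does not match."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # %b logs "-" when no bytes were sent
    parts = rec["request"].split(" ")  # %r is "METHOD resource PROTOCOL" unless malformed
    rec["method"], rec["resource"], rec["protocol"] = parts if len(parts) == 3 else ("", rec["request"], "")
    return rec

def summarize(lines):
    """Count requests per minute and error responses (4xx/5xx) per client."""
    per_minute, errors, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparsed lines instead of silently dropping them
            continue
        per_minute[rec["time"].strftime("%Y-%m-%d %H:%M")] += 1
        if rec["status"] >= 400:
            errors[(rec["host"], rec["status"])] += 1
    return per_minute, errors, skipped

SAMPLE = [  # first line is the one shown in this post; the rest are constructed
    'xxx.xx.xx.xxx - - [11/Dec/2019:12:01:22 +0000] "GET / HTTP/1.0" 200 35 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36"',
    '192.0.2.10 - - [11/Dec/2019:12:01:40 +0000] "GET /old-page.html HTTP/1.1" 404 196 "-" "curl/7.61.1"',
    '192.0.2.10 - - [11/Dec/2019:12:01:41 +0000] "GET /no-such-file.php HTTP/1.1" 404 196 "-" "curl/7.61.1"',
    '198.51.100.7 - - [11/Dec/2019:12:02:03 +0000] "GET /index.html HTTP/1.1" 304 - "http://example.com/" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A jump in the per-minute count compared to normal times points to load, while many 404s from one client point to requests for pages that do not exist.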
Summary
Being able to view access logs will greatly improve your infrastructure engineering skills!
As I deal with alerts on a daily basis, I always check the access logs when the load on the web server suddenly increases.
Checking the access logs will also tell me whether there have been any malicious access attempts.
I also pore over the access logs with my eyes glued to them! (`・ω・´)
Writing about it on this blog has deepened my own understanding.
I will continue to go through a process of trial and error,
writing blog posts about my favorite commands and things I personally want to understand better.
Also, while we explained how to read Apache access logs this time, another member has also written a blog post on how to read nginx access logs, so please take a look at that as well!
[nginx] Explaining how to view, configure, and locate access logs
Growing every day, moving forward every day.
I must update myself every single day!!!
Thank you for reading to the end.
