
Anatomy of an Apache Web Server Log Entry

Echoed from: https://www.sumologic.com/blog/apache-access-log/

Common Log Format

The Common Log Format is a standardized text file format used by various web servers in generating server log files. With an Apache HTTP server, the Common Log Format can be used to produce access logs that are straightforward enough for developers and administrators to read. In addition, as it is a standardized format in use by multiple web servers, CLF-formatted log files can be easily used by many log analysis platforms.

An access log record written in the Common Log Format will look something like this:

127.0.0.1 - Scott [10/Dec/2019:13:55:36 -0700] "GET /server-status HTTP/1.1" 200 2326

The fields in the above sample record represent the following:

  • 127.0.0.1 – IP address of the client that made the request;
  • - (hyphen) – identity of the client. This field is often returned as a hyphen, and Apache’s HTTP server documentation recommends that it not be relied upon except in the case of a controlled internal network;
  • Scott – userid of the person requesting the resource;
  • [10/Dec/2019:13:55:36 -0700] – date and time of the request;
  • “GET /server-status HTTP/1.1” – request type and resource being requested;
  • 200 – HTTP response status code;
  • 2326 – size of the object returned to the client.

Combined Log Format

Another format that is often used with Apache access logs is the Combined Log Format. This format is very similar to the Common Log Format but contains a few extra fields to provide more information for use in analysis and debugging operations. An access log record that is recorded in the Combined Log Format looks something like this:

127.0.0.1 - Scott [10/Dec/2019:13:55:36 -0700] "GET /server-status HTTP/1.1" 200 2326 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

As you can see, the first seven fields are identical to those in Common Log Format. The remaining fields represent two additional properties:

  • “http://localhost/” – This is the HTTP referer, which represents the address from which the request for the resource originated.
  • “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36” – This is the User Agent, which identifies the browser that the client is using to access the resource.
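As an added example (not code from the original article), the parser below reads both formats described above into the same record. It treats the referer and User Agent as optional and honours the backslash escaping Apache applies to quote characters inside quoted fields. The dictionary keys and the last two sample lines are constructed for illustration, and it assumes the userid contains no spaces.

```python
import re
from datetime import datetime

# One quoted field. Apache writes a literal " inside %r and %{...}i values
# as \" (and \ as \\), so accept backslash escapes instead of stopping at
# the first quote character.
Q = r'"((?:[^"\\]|\\.)*)"'

# Common Log Format, with the two Combined-only fields optional at the end.
LINE_RE = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + Q + r' (\d{3}) (\d+|-)'
    r'(?: ' + Q + ' ' + Q + r')?$'
)
FIELDS = ("host", "ident", "user", "time", "request",
          "status", "size", "referer", "agent")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    rec["format"] = "common" if rec["agent"] is None else "combined"
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # "METHOD target PROTOCOL"; anything else (e.g. "-" on a timeout) is
    # kept only in rec["request"]. Quoted values stay in their escaped form.
    parts = rec["request"].split(" ")
    rec["method"], rec["target"], rec["protocol"] = (
        parts if len(parts) == 3 else (None, None, None))
    return rec


# The first two lines are the article's samples; the last two are constructed.
SAMPLES = [
    '127.0.0.1 - Scott [10/Dec/2019:13:55:36 -0700] "GET /server-status HTTP/1.1" 200 2326',
    '127.0.0.1 - Scott [10/Dec/2019:13:55:36 -0700] "GET /server-status HTTP/1.1" 200 2326 "http://localhost/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"',
    r'192.0.2.10 - - [10/Dec/2019:13:56:01 -0700] "GET / HTTP/1.1" 200 512 "-" "agent \"with quotes\" 1.0"',
    '192.0.2.11 - - [10/Dec/2019:13:57:12 -0700] "-" 408 -',
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_line(s)
        print(r["format"], r["host"], r["status"], r["size"], r["method"], r["agent"])
```

A line that returns None does not fit either format and is worth counting separately rather than silently dropping.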

The “CustomLog” Directive

Earlier, I mentioned that the configuration for Apache access logs is done via the CustomLog directive within an Apache HTTP server configuration file. Let’s take a look at a sample access log configuration to show the flexibility provided by the CustomLog directive:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

CustomLog /var/log/apache2/access.log combined

Here, we defined the combined log format via the LogFormat directive, and we followed that up by defining the location and format (combined) for the access log using the CustomLog directive. As you can see, modifying the location or format of the access log is a straightforward process. In addition, the use of the CustomLog directive affords us several other capabilities that we will describe below.

Multiple Access Logs

There is no rule that says you can’t configure multiple access logs for your Apache HTTP server, and the process is actually pretty easy: add another CustomLog directive for each extra, customized access log file:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%{User-agent}i" agent

CustomLog /var/log/apache2/access.log combined

CustomLog /var/log/apache2/agent_access.log agent
