Apache Web Server Logs

by Mike on July 10, 2010

in Web Server

Log Files
Log files are critical to managing Apache. Managing these logs can provide advance security warnings, provide detailed information in terms of who is visiting your site and where they are coming from and can help you troubleshoot the use of your server resources. The two main log files are listed below from a CentOS server.
The access_log file gives you information on who is using your web server and the error_log provides information for troubleshooting.
/var/log/httpd/access_log
/var/log/httpd/error_log

The log format is seen here:
LogFormat “%h  %l  %u  %t  “%r”  %>s  %b  “%{Referer}i”  “%{User-Agent}i”"  combinedInformation  % Identifier  Description
Host      %h     IP address making request of server
ident      %l      identd daemon
authuser      %u      authentication requests
Date      %t      date and time of the request
request      %r      requested client servioces
status      %>s      three-digit status code
bytes      %b      number of bytes sent to client
Referrer      %{Referer}  Web page from which this client came
User Agent  %{User-Agent}  Browser information
Hostname lookups are also available and can be turned on, though they are turned off by default. Hostname will try to evaluate if the IP Address is really associated with hostname that is says. This may be a good way to evaluate hostnames on a limited basis but it does require considerable server resources to carry out.

Viewing Log Files
In this example the web server has 5 levels or dates of 5 log categories which you can see.
access_log
error_log
ssl_access_log
ssl_error_log
ssl_request_log

ls /var/log/httpd
access_log    error_log    ssl_access_log    ssl_error_log    ssl_request_log
access_log.1  error_log.1  ssl_access_log.1  ssl_error_log.1  ssl_request_log.1
access_log.2  error_log.2  ssl_access_log.2  ssl_error_log.2  ssl_request_log.2
access_log.3  error_log.3  ssl_access_log.3  ssl_error_log.3  ssl_request_log.3
access_log.4  error_log.4  ssl_access_log.4  ssl_error_log.4  ssl_request_log.4

To view these files use tail for the last entries.
tail /var/log/httpd/access_log
Here is one entry.

192.168.5.23 – - [10/Feb/2006:15:39:33 -0700] “GET /webmail/src/left_main.php HT TP/1.0” 200 2044 “http://example.org/webmail/src/webmail.php” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”

Here is each part dissected:
192.168.5.23 – host IP or computer making request
- – this is reserved for identd daemon
- – authentication requests
[10/Feb/2006:15:39:33 -0700] – this is time and date
“GET /webmail/src/left_main.php HT TP/1.0” – this is the request, here it is for a webmail page with images
200 – this is the status code
2044 – bytes
“http://example.org/webmail/src/webmail.php” – this is the referrer or where they came from
browser – “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”

How to View Logs

Viewing Logs with tail and head

The basic tail command will show the tailend of the log.
tail /var/log/httpd/access_log

Now view each log using tail and a specific number of lines (using the -n option) like in this example:

tail -n100 /var/log/httpd/access_log

head is the opposite of tail.  So when you use head you will see the first section of a log file.

head /var/log/httpd/access_log

or

head -n200 /var/log/httpd/access_log

Viewing Logs with cat
cat is another method of viewing logs.  The whole log may be viewed with this command:

cat /var/log/httpd/access_log

Of course that is a huge number of lines to manage.  A better way to view logs would be to use less.

less /var/log/httpd/access_log

This allows you to go through the logs one line at a time and to up and down in the file using the page up and down keys.

Use grep to search for text strings.

grep failure  /var/log/httpd/access_log

This command will output all of the failed login attempts for example.  Any line that contains the text string “failure”.

At times it may be important to know the number of failed attempts to login.  This can be accomplished with the -c option for grep so the command would look like this:

grep -c failure  /var/log/httpd/access_log

View Logs in Real Time
Often when troubleshooting it is important to view logs in real time.
The command tail used with the -f option will provide real time activity.

tail -f /var/log/messages

Previous post:

Next post: