AWS log file format

AWS request log

The log file consists of the following 8 elements, in order, delemited as noted:

  1. The date and time of the request, surrounded by '[' and ']'. Note that this is always reported in GMT, as determined by the hoursoff option in the config file.
  2. The host the request was from. The host name if it is available, the IP address if that is available but the reverse name lookup failed, or unknown if we could not get either for some reason.
  3. A '-'. This is reserved for the remote user name from identd protocols, which is not implemented.
  4. The user name via HTTP authentication, or '-' if the request was not authenticated.
  5. The request from the remote server, delimited by '"'. This is normally a method (GET, POST, or HEAD), a space, the URL on your server ('/' is common), and an optional HTTP version number (HTTP/1.0).
  6. The status of the request response, as described by the HTTP specification of response statuses.
  7. The number of bytes known to have been transfered. Some modules (e.g. cgi) may transfer bytes that are not included in this total.
  8. The URL of the page that has a link to the requested page, or '-' if the client did not send that information. This is marked by a '<' before the URL.
  9. The software that made the request, terminated by a '>'.

The referrer and software are not part of the Common Log File format, and are enclosed in '<' and '>' to set them off. The rest of the elements are from that format, with the exception that the date and time has moved from just before the request to the beginning of the line.

AWS error log

The error log contains messages in two basic formats:

First, any request that has a response status greater than 400 indicates an error, and is logged to the error file instead of the request file. They have the same format as a request log entry. For instance, status 404 requests indicate the file was not found. You can use the referrer field of the line to determine whether the page is one that you can correct or not.

The second type of line is a message line of some kind. I.e. - a daemon start message (not really an error, but this leaves nothing but requests in the request log) and network failures of various kinds are the most common entries. Many messages end in the string ": m"; this is an artifact of the AmiTCP syslog implementation, and I am trying to decide how to deal with this issue.

Mike Meyer