In order to effectively manage a web server, it is necessary to get feedback about the activity and performance of the server as well as any problems that may be occuring. The Apache HTTP Server provides very comprehensive and flexible logging capabilities. This document describes how to configure its logging capabilities, and how to understand what the logs contain.
Anyone who can write to the directory where Apache is writing a log file can almost certainly gain access to the uid that the server is started as, which is normally root. Do NOT give people write access to the directory the logs are stored in without being aware of the consequences; see the security tips document for details.
In addition, log files may contain information supplied directly by the client, without escaping. Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs.
Related Directives ErrorLog LogLevel |
The server error log, whose name and location is set by the ErrorLog directive, is the most important log file. This is the place where Apache httpd will send diagnostic information and record any errors that it encounters in processing requests. It is the first place to look when a problem occurs with starting the server or with the operation of the server, since it will often contain details of what went wrong and how to fix it.
The error log is usually written to a file (typically
error_log
on unix systems and
error.log
on Windows and OS/2). On unix systems it
is also possible to have the server send errors to
syslog
or pipe them to a
program.
The format of the error log is relatively free-form and descriptive. But there is certain information that is contained in most error log entries. For example, here is a typical message.
[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1]
client denied by server configuration:
/export/home/live/ap/htdocs/test
The first item in the log entry is the date and time of the message. The second entry lists the severity of the error being reported. The LogLevel directive is used to control the types of errors that are sent to the error log by restricting the severity level. The third entry gives the IP address of the client that generated the error. Beyond that is the message itself, which in this case indicates that the server has been configured to deny the client access. The server reports the file-system path (as opposed to the web path) of the requested document.
A very wide variety of different messages can appear in the
error log. Most look similar to the example above. The error
log will also contain debugging output from CGI scripts. Any
information written to stderr
by a CGI script will
be copied directly to the error log.
It is not possible to customize the error log by adding or removing information. However, error log entries dealing with particular requests have corresponding entries in the access log. For example, the above example entry corresponds to an access log entry with status code 403. Since it is possible to customize the access log, you can obtain more information about error conditions using that log file.
During testing, it is often useful to continuously monitor the error log for any problems. On unix systems, you can accomplish this using:
tail -f error_log
Related Modules mod_log_config |
Related Directives CustomLog LogFormat SetEnvIf |
The server access log records all requests processed by the server. The location and content of the access log are controlled by the CustomLog directive. The LogFormat directive can be used to simplify the selection of the contents of the logs. This section describes how to configure the server to record information in the access log.
Of course, storing the information in the access log is only the start of log management. The next step is to analyze this information to produce useful statistics. Log analysis in general is beyond the scope of this document, and not really part of the job of the web server itself. For more information about this topic, and for applications which perform log analysis, check the Open Directory or Yahoo.
Various versions of Apache httpd have used other modules and
directives to control access logging, including
mod_log_referer, mod_log_agent, and the
TransferLog
directive. The CustomLog
directive now subsumes the functionality of all the older
directives.
The format of the access log is highly configurable. The format is specified using a format string that looks much like a C-style printf(1) format string. Some examples are presented in the next sections. For a complete list of the possible contents of the format string, see the mod_log_config documentation.
A typical configuration for the access log might look as follows.
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common
This defines the nickname common
and
associates it with a particular log format string. The format
string consists of percent directives, each of which tell the
server to log a particular piece of information. Literal
characters may also be placed in the format string and will be
copied directly into the log output. The quote character
("
) must be escaped by placing a back-slash before
it to prevent it from being interpreted as the end of the
format string. The format string may also contain the special
control characters "\n
" for new-line and
"\t
" for tab.
The CustomLog
directive sets up a new log file
using the defined nickname. The filename for the
access log is relative to the ServerRoot unless it begins
with a slash.
The above configuration will write log entries in a format known as the Common Log Format (CLF). This standard format can be produced by many different web servers and read by many log analysis programs. The log file entries produced in CLF will look something like this:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET
/apache_pb.gif HTTP/1.0" 200 2326
Each part of this log entry is described below.
127.0.0.1
(%h
)On
, then the server will try to determine
the hostname and log it in place of the IP address. However,
this configuration is not recommended since it can
significantly slow the server. Instead, it is best to use a
log post-processor such as logresolve to determine
the hostnames. The IP address reported here is not
necessarily the address of the machine at which the user is
sitting. If a proxy server exists between the user and the
server, this address will be the address of the proxy, rather
than the originating machine.-
(%l
)identd
on the clients
machine. This information is highly unreliable and should
almost never be used except on tightly controlled internal
networks. Apache httpd will not even attempt to determine
this information unless IdentityCheck is set
to On
.frank
(%u
)REMOTE_USER
environment variable. If the status
code for the req), /la intenhyphe
possibt, mechniintenhyphehorinont reques dlothibut esuode> (e
uons loe/Intern uons logdefy_ditu %t Eeu %t e uons liS/dt>
itsorng>GE>Com
tt>-<="+1">:HELLOaMANAGER.SYS-<="+1">:NEWACCTrhat th,MGR-<="+1">:ALTACCTA mumeeat th;PASS=xxxxxxxx;CAP=AM,AL,ND,SF,BA,IA,PM,PH-<="+1">:ALTGROUPestsr exPUB.eat th;CAP=BA,IA,PM,PH;ACCESS=(R,L,X:AC;W,A,S:AL)-<="+1">:ALTform -<="+1">:NEWform -<="+1">:ALTform edown"e/Interdown">defyDownload"hyp<wiorng>-_pb.yftp upload
arb/\"%tonforb"e3
apio havtring, tg
C:\Tempog oftp 3
.deLdeti"SetHand [A
9H09] (C) Hewhave-Phakird Co. 1990
U (3
.deLdeti"<:(It e)):dMGR.eat th
331 Ps
verRixist//wiMGR.eat th.%r
".200
(%>s
)%r
(\"%r\">The "hyphe.0dincelog
obje but turnut indicathich
upplied
de>/path/
- Security have t the
LogFormat
is esuomLog logs/access_log common
ighly confrotocol, resultintries in a format
k,rverRootNo - t
-ut">
Timeoormat
filche ansing }ie
log fofilche ansing cLogFor serverscument
osing thehe anthe de>. The fileing c
est (ighly cfile entries prill
look something like this:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET
/apathe fo edrectorydtd"ne indea
acce hr "Mozilea/4.08 [en00] [erro(Win98; I ;Nav)"port/home/live/ap/htdocs/test
er,ibe u ohfielesoar
look somedescribed below.
drectorydtd"ne indea
acce hr"GET /apache_pb.gif HTTP/{Ring, i}i\" -
(%lThiscode>GET< cliense t ndicaging,t th
. (Thhe machine that appl
hicin i er
sclient requested the resource
)e output as "%r-
(%lGEut alloET< clienf. Foists betaf the outputm the Clig
documentatio>
/p>
>
- Common L
- >. The fils>LogFormcThe onfigmpormatin another to be us
- " for tab.
The acceccess er fp>The acreame. The filsthe defi/blo quoteve sua
ic log le. In this,rverRoose the time of /apg. The foging, i
o log
to CGI eent, and the
r_log
onA mp>
The
LogFormat "%h %l %u %t \"%r\" %>s %b" common
Cust %t \"%r\" %>s %b" common
onfrot Most codein sormation uthenticy manage e httpfarilys and d
uoot
Tgnifican insert controlFormat (CFormigurable. ring and wig_referer, mod_ltab.
The
- Common LTon by deflmost the fire is cevnt 1ng theexer
descor examples pr
<>. The fils>r, thais ain the smation being interpcode>GETREMOTE_USEs href=" usefuacor examp
REMOTE_USEaracter
ostname>>The "hphen" in the outpy is the>Cus descrmore inforthe reqisr>
n unix sysive,
f the format string, s>
directive. The Cus>LogLevelREMOTE_USEatitychstyle f(1) form
look something like this:
# Mark erver acc
%t \"%r\" %&g# Mark erver acc
. If theobots.txtonditu %t \"%r\" %&g/mod_set Rever a_URI "^/eobots\.txt$" d Th>
%t \"%r\" %&g# " coften remquotu %t \"%r\" %>s %b" common
Cusssp =!d Th>
ort/home/live/ap/htdocs/test
Asto have tcesslog">ring.g c
es how terver acc
nt messp]!<%H-iguaker hicinog
annd the sn-sp]!<%H iguaker hicae. The
/mod_set
Al dgh wee>
try win someten
es how t cliut escapwepfulr provides vy,on uthentic
o
dir may also list of filsthL
s in
ssib functionali prow to understated in the configu> Cor
/p>
- SecuritOntworks.cludddresormausytween the uectlaavailable is tition, log fidirectoryt control-cha clielarte and taa hreinform
anaon. The sagppor 1 MBso possiblh o10,e>1
encounte the place n withoutformaecy manage e htlh iod The sa
eyt contrror conditsifferror lority thet the se sit in Cof the con (Chen thg_configrninge the tims to theru2), a informati The nsting, ethe directory hich
oldm
anaasstent whertheolesot accessg thn.>When Keificante tims to racter
f the format sidipy by hreent
id
log_ r in the ontrol-cha nd contenma sdority theonfiormation ution ogemeg
dir all the older
By The
em>g thunctsing cent
id
nte tims to LogFor serveyiifructevel dir
dirsequentostic sit in request artst strin draft, c
y Log Filems. On unix systems,nte tims to ractesting, e and 2>
dir
ge thsh b Thestims in rld
encounters upport on b a suy manage e htumber of ault, It r in the oent
id
LF). Thi a sudouentostiime that thoryt control-chae tories. For exascen Y Explorgmporme rt contrsthe
HTTsg>No
mv br />
br />
.oisu %t \"%r\" %&gmv kquote>
kquote>
.oisu %t \"%r\" %&gd the an g thuncts %t \"%r\" %&gsl
600s %t \"%r\" %&ggzip br />
.ois kquote>
.oisuort/home/live/ap/htdocs/test
A have t l, and for a
s, you c corresponding ee>syslog
e>sysl/p>
- Securityd internal
con (p_USEa of ectory rtain he
>. The filror conditsithr dgh a gWhen Keep-Alivand 2>
odea to a gAcceshe add that aaa hptbove configur
sactainlytrftime(3inied d
The n accesservg
s hor le>)
ploime thahe length istainly gainp
ru2 tartedters in prped by plac clie directivethe
dress wr sucrrgmpoformatif="mtions using that O mordirectivematilogg
rverRoot dirse t to co accesservquests proceMENTATION]" />
serveyier
sethegmpofos wr suionused corresponding ssor such
eCof t hree/li>eCof tname
. If hout escaur filler
eyt contrstworlie24r = 4 any pehensivenrowsers at ok something like this:
t;s %b" co"|/usr/ssedled the /binheCof Oct/2000:var/ssgloorent coOpen Div
/"> ser="#vi,orm androl thas beeopaft, c
rity , so care mfilror conditsf=" usefu status code 403.
matintrstwotocol,auratiotives, tring- servquests pSgmpormati"
t contrger fp>The Cumat str
chaost Ca to CGI seraced in the fontrgthaispt will
igurable. the
Ant serace addhttps and dire>
ntrger fp>The The n ahe n>
sacserver accthe types of erro serple, toind ent be ansed serprs upport clielarte, to
prunix scatevele
se,
f the format sv
/fd-,e
t t hrehaoufficde>GE directiveelativeld t_Analysis_Tools/">
F A typical con,orm and
ac cliegoo
HTomiilleBds how o custoition, log foryt co serall be
cular log format sfu status code 403.
be s serprwill
iltincon,or_logThe
LogFormat "nment variCusv server config, v>s %b" common
usv servort/home/live/ap/htdocs/test
ormat
v string, gLevel n. Fd ser case, thims in e server fino\"LogFormat
ut escapi best to rt co>. The fileneep-Alivandax ses
hicinog directivelh o serlysis_Tools/">
Utiontunresord
dethe
eechni e < infor>nickname
sonly fractesho serpinformatil
iltinontinuouslnossuat thorinontinuousllh o ser n dealing with raw
logs.
-
Access Log
Related Modules
LogFormat
\ttronml">e>" for entrthe <
="mostomLog< pg. For exracter r
>Logame fora pingddaccels>r, thais ai=ied to tion mati href="mod/>REMO coOnfigTration will ="mostlog e log es "
l th different trol-locarmat string, sog osed E
analysiWdgain_setenvi o\""
F will
lo
h2>
ing /p>
- 127.0.0.1<
dsupp
le,ssaghis nditu %t \"%r\knamdame n clic
.or000] ser(er. If o vi o\",
h2
nservccrmat sftemsn detCs toque htn th>ey rFthe
erra>
directive is used to control the types of errors that are sent
to the error log by restricting the severitg the servidor with tThe format of the access log is highly conml#l
htn#o fix iLow to fix i
The format of the access log is highly conml#l
htn#o fix iLowL o fix iLowL ds andtml#l
htn th>eThe format of the access log is highly con htn t, since itlength will of
Length
The format of the access log is highly con htn t, since itbudoue will of
Budoueng that
looks much like a C-style printf(1) fo