Understanding the Apache Access Log

apache access logLogs can be an extremely important aspect to one’s web environment. They provide you with additional data that’s useful for debugging purposes, informational purposes, and more. We’ve talked about logs in the past, specifically Nginx Error and Access logs as well as log analysis tools. However, in this post, we’ll dig deeper into the details regarding the Apache Access log and explore where it is located, how to read it, and how to configure.

What Is an Apache Access Log?

The Apache access logs stores information about events that occurred on your Apache web server. For instance, when someone visits your website, a log is recorded and stored to provide the Apache web server administrator with information such as the IP address of the visitor, what pages they were viewing, status codes, browser used, etc.

Apache web servers also provide administrators with another type of log file called error logs. This log file is used to provide more information regarding a particular error that has occurred on the web server. However, for the purposes of this post, we’ll focus specifically on the Apache access log file.

Where Can I Find the Apache Access Log?

For most apache users, the access log will be located at the same location. First, try to navigate to one of the following two directories:

  • /var/log/apache/access.log
  • /var/log/apache2/access.log

If neither of those paths leads you to the Apache access log file then you may have a custom configuration in your Apache config file that defines where the access.log file is located. Try running the following command if you can’t end up finding the file sudo locate access.log.

Reading the Apache Access Logs

There can be quite a bit of information stored in each apache log. Therefore, upon first seeing all of the data within an access file you may quickly get overwhelmed if you aren’t familiar with that each section means. Let’s take an example that uses the common Apache log format: LogFormat "%h %l %u %t \"%r\" %>s %b" common.

Now let’s break down what each section of that log means.

  • %h – The IP address of the client.
  • %l – The identity of the client determined by identd on the client’s machine. Will return a hyphen (-) if this information is not available.
  • %u – The userid of the client if the request was authenticated.
  • %t – The time that the request was received.
  • \"%r\" – The request line that includes the HTTP method used, the requested resource path, and the HTTP protocol that the client used.
  • %>s – The status code that the server sends back to the client.
  • %b – The size of the object requested.

If a request was made to a website using the above-mentioned log format the resulting log would look similar to the following.

127.0.0.1 - peter [9/Feb/2017:10:34:12 -0700] "GET /sample-image.png HTTP/2" 200 1479

Apache Custom Log Format

If you need to get a little more granular with your access logs then you can use the Apache custom log format. Using the custom log module you need to define within your Apache config file where you want the log to be stored as well as the format you want to use. For example, a popular custom log format called”combined” uses the following pattern:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog log/access_log combined

This format adds two new directives, namely \"%{Referer}i\" and  \"%{User-agent}i\". You can also add other directives to your custom log format as required. Check out the full list of Apache log directives.

Summary

The Apache access logs can offer a great deal of information regarding the incoming requests to your web server. If you need to analyze these logs in large amounts then it may be beneficial to use a log analysis tool that can “crunch the numbers” for you much faster. Check out our complete post on the top 10+ log analysis tools you can use to help better understand your log data.

Related Articles