Keywords: Apache Access Logs | Combined Log Format | HTTP Status Codes | User Agent | Log Analysis
Abstract: This article provides an in-depth analysis of Apache access log formats, with detailed explanations of each field in the Combined Log Format. Through concrete log examples, it systematically interprets key information including client IP, user identity, request timestamp, HTTP methods, status codes, response size, referrer, and user agent, assisting developers and system administrators in effectively utilizing access logs for troubleshooting and performance analysis.
Overview of Apache Access Logs
Access logs generated by Apache HTTP servers serve as crucial data sources for web application debugging and user behavior analysis. Each log entry contains detailed information about client requests, enabling rapid identification of website issues and server performance optimization through proper interpretation.
Detailed Explanation of Combined Log Format
From the provided log example, it's evident that this record employs the Combined Log Format. This format extends the Common Log Format by incorporating referrer and user agent information, providing more comprehensive request context.
Log example: 127.0.0.1 - - [05/Feb/2012:17:11:55 +0000] "GET / HTTP/1.1" 200 140 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.5 Safari/535.19"
Field-by-Field Analysis
Client IP Address (%h): 127.0.0.1 represents the IP address of the client making the request. In this case, it's the local loopback address, indicating the request originated from the server itself.
User Identity (%l): The first - indicates user identity determined via the identd protocol. Due to reliability concerns with identd, this field is typically empty and displayed as a hyphen.
Authenticated Username (%u): The second - represents the HTTP authentication username. If the request requires authentication and the user is logged in, this field displays the username; otherwise, it shows a hyphen.
Request Timestamp (%t): [05/Feb/2012:17:11:55 +0000] records the exact time the server received the request. The format is [day/month/year:hour:minute:second timezone], where +0000 indicates UTC timezone.
Request Line (%r): "GET / HTTP/1.1" contains core HTTP request information: GET is the request method, / is the requested resource path (root directory), and HTTP/1.1 is the HTTP protocol version used.
HTTP Status Code (%>s): 200 indicates successful request processing. Common status codes include: 404 (Not Found), 500 (Internal Server Error), 301 (Permanent Redirect), etc.
Response Size (%b): 140 represents the size of the response body returned to the client, measured in bytes. If the request fails or returns no content, this value may be 0 or -.
Referrer: "-" indicates no referrer information. If the user arrived via a link from another webpage, this field would display the source page URL. Referrer information is valuable for analyzing user traffic sources and navigation paths.
User Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.5 Safari/535.19" provides detailed client browser information: Windows 7 operating system, 64-bit architecture, using Chrome 18 browser based on WebKit rendering engine.
Log Format Configuration
Apache access log formats are defined using the LogFormat directive. The standard configuration for Combined Log Format is:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combinedThe placeholders correspond to the previously described fields: %h (client IP), %l (identd identity), %u (authenticated user), %t (timestamp), %r (request line), %>s (final status code), %b (response size), %{Referer}i (referrer header), %{User-agent}i (user agent header).
Log File Location and Management
On Linux-based systems, Apache access logs are typically located at /var/log/apache2/access.log (Ubuntu/Debian) or /var/log/httpd/access_log (CentOS/RHEL). The actual location can be viewed and modified through the CustomLog directive in Apache configuration files.
For high-traffic websites, access log files grow rapidly and require regular log rotation. Apache provides the rotatelogs utility, which can automatically rotate logs based on time or file size, preventing performance issues from oversized files.
Practical Application Scenarios
Proper understanding of access log fields is essential for the following scenarios:
Troubleshooting: When users report inaccessible pages, examining corresponding request status codes and response sizes helps quickly determine whether issues stem from client, network, or server problems.
Performance Optimization: Analyzing requests with long response times, combined with user agent information, can identify compatibility issues with specific browsers or devices.
Security Monitoring: Abnormal user agent strings or frequent 404 errors may indicate scanning attacks or malicious access attempts.
Business Analysis: Referrer information helps understand how users discover websites, while user agent data assists in optimizing user experience across different devices and browsers.
Through systematic parsing and analysis of Apache access logs, developers and operations personnel gain deep business insights and technical diagnostic capabilities, providing strong support for stable operation and continuous optimization of web applications.