Apache web servers can generate a lot of logs. These logs contain information such as the HTTP requests that Apache has handled and responded to, and other activities that are specific to Apache. Analyzing the logs is an important part of administering Apache and ensuring that it runs as expected.

In this guide, we’ll go over the different logging options present in Apache and how to interpret this log data. You’ll learn how to analyze the logs that Apache produces and how to configure the logging settings to give you the most relevant data about what Apache is doing.

In this tutorial you will learn:
  • Configure and understand Apache webserver logging
  • What are Apache log levels
  • How to interpret Apache log formatting and its meaning
  • What are the most common Apache log configuration files
  • How to extend logging configuration to include forensic data
How to analyze and interpret Apache Log
How to analyze and interpret Apache Webserver Log

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Ubuntu, Debian, CentOS, RHEL, Fedora
Software Apache Webserver
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

Apache log files and their location

Apache produces two different log files:
  • access.log stores information about all the incoming connection requests to Apache. Every time a user visits your website, it will be logged here. Each page a user requests will also be logged as a separate entry.
  • error.log stores information about errors that Apache encounters throughout its operation. Ideally, this file should remain relatively empty.
Apache default Log configuration on Ubuntu Linux server
Apache default Log configuration on Ubuntu Linux server
The location of the log files may depend on which version of Apache you are running and what Linux distribution it’s on. Apache can also be configured to store these files in some other non-default location.

But, by default, you should be able to find the access and error logs in one of these directories:
  • /var/log/apache/
  • /var/log/apache2/
  • /etc/httpd/logs/

SUBSCRIBE TO NEWSLETTER
Subscribe to Linux Career NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


Apache log formatting

Apache allows you to customize what information is logged and how each log entry is presented, which we will cover later in this tutorial.

The usual format that Apache follows for presenting log entries is:
"%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
Here’s how to interpret this formatting:
  • %h – The IP address of the client.
  • %l – This is the ‘identd’ on the client, which is used to identify them. This field is usually empty, and presented as a hyphen.
  • %u – The user ID of the client, if HTTP authentication was used. If not, the log entry won’t show anything for this field.
  • %t – Timestamp of the log entry.
  • \%r\ – The request line from the client. This will show what HTTP method was used (such as GET or POST), what file was requested, and what HTTP protocol was used.
  • %>s – The status code that was returned to the client. Codes of 4xx (such as 404, page not found) indicate client errors and codes of 5xx (such as 500, internal server error) indicate server errors. Other numbers should indicate success (such as 200, OK) or something else like redirection (such as 301, permanently moved).
  • %O – The size of the file (including headers), in bytes, that was requested.
  • \"%{Referer}i\" – The referring link, if applicable. This tells you how the user navigated to your page (either from an internal or external link).
  • \"%{User-Agent}i\" – This contains information about the connecting client’s web browser and operating system.
A typical entry in the access log will look something like this:
10.10.220.3 - - [17/Dec/2019:23:05:32 -0500] "GET /products/index.php HTTP/1.1" 200 5015 "http://example.com/products/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"
The error log is a bit more straightforward and easy to interpret. Here’s what a typical entry may look like:
[Mon Dec 16 06:29:16.613789 2019] [php7:error] [pid 2095] [client 10.10.244.61:24145] script '/var/www/html/settings.php' not found or unable to stat
This is a good way to see how many 404 errors your visitors are encountering, and may clue you in to some dead links on your site. More importantly, it can alert you to missing resources or potential server problems. The example above shows a *.php page that was requested but missing.


Apache log configuration

Apache’s logging is highly customizable and can be adjusted from a couple configuration files. On Ubuntu and Debian, the main configuration file for Apache’s logging is located here:
  • /etc/apache2/apache2.conf
Since you can run multiple websites (referred to as Virtual Hosts) from a single Apache instance, you can also configure each of them to have separate access and error logs. To define how these separate log files should be named and where to save them, configure this file:
  • /etc/apache2/sites-available/000-default.conf
On CentOS, RHEL, and Fedora, the two configuration files are found, respectively, in these locations:
  • /etc/httpd/conf/httpd.conf
  • /etc/httpd/conf.d/ (place additional VirtualHost configurations in this directory)

Log directives

There are quite a few different directives that can be configured inside these files, but these are the main ones you should concern yourself with if you wish to customize Apache’s logging:
  • CustomLog – Defines where the access log file is stored.
  • ErrorLog – Defines where the error log file is stored.
  • LogLevel – Defines how severe an event must be in order to be logged (read below for more information).
  • LogFormat – Define how each entry in the access log should be formatted (read below for more information).
LogLevel is set to warn by default, which means that it will write to the error log on warning conditions or more serious events. If your error log is getting filled with loads of innocuous warning messages, you can bump it up to error which will only report errors or more serious problems.

Other options include (in order of severity) crit, alert, and emerg. Apache recommends using a level of at least crit. For debugging purposes, you can temporarily set LogLevel to debug, but be aware that you can end up with an unwieldy amount of entries in your error log.

LogFormat allows you to adjust what the entries inside the access log look like. If you find the example entry in access.log (from the Apache log formatting section above) to be a little confusing, you’re not alone. Apache allows you to customize the format of log entries, so you can set them up in a more logical way. You could also use this customization to exclude certain information that you may find irrelevant.


Apache logging modules

The logging configuration we’ve displayed in this guide so far pertains to the mod_log_config Apache module. To extend logging functionality even further, you can load other logging modules into Apache. This can provide some more capabilities that aren’t available with default settings.

mod_log_forensic begins logging before a request (when the headers are first received), and logs again after the request. That means two log entries are created for each request, allowing an administrator to measure response times with more precision.

Define the location of your forensic log with the CustomLog directive. For example:
CustomLog ${APACHE_LOG_DIR}/forensic.log forensic
mod_logio logs the number of bytes sent to and received from each request. It provides very accurate information because it also counts the data present in the header and body of each request, as well as the extra data that’s required for SSL/TLS encrypted connections.

Append the %I and O% placeholders to the LogFormat directive in order to make use of the extra data provided by this module. Other modules exist; these are just two of the most useful.

Conclusion

In this article we saw how to analyze and interpret the access and error logs of Apache. We also learned how to customize the logging in Apache’s configuration files to make the log data more relevant. Armed with this knowledge, you will be able to isolate problems more quickly and troubleshoot issues with Apache.

Remember that Apache’s logging functionality can be further extended through other logging modules, though this is only necessary in edge cases that require advanced debugging.
ARE YOU LOOKING FOR A LINUX JOB?
Submit your RESUME, create a JOB ALERT or subscribe to RSS feed on LinuxCareers.com.
LINUX CAREER NEWSLETTER
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.