Apache log records, records for later check, part excerpt from Apache Chinese manual, translation Jin Bu
A typical record format is as follows:
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common
It defines a particular record format string and gives it an alias common
, where the "%" indicates that the server is replaced with some information, while the other characters are not replaced. quotation marks ( "
) must be escaped with a backslash to avoid being interpreted as the end of the string. The format string can also contain special controls, such as line break " \n
", "tab" \t
.
CustomLog
Directive establishes a new log file that uses the specified alias , unless its file name is an absolute path that begins with a slash, or its path is relative to ServerRoot
the relative path.
The above configuration is a record format known as the Common Log format (CLF), which is used by many different Web servers and is recognized by many log analysis programs, resulting in a record shape such as:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
The sections of the record are described below:
127.0.0.1
( %h
) sends a request to the server's client address IP, which is the proxy IP address if the client uses a proxy
-
( %l
) This is the RFC1413 identity (identity) that is determined by the client identd
process, and the symbol "-" in the output indicates that the information here is invalid. This information is often unreliable and should not be used unless it is in a tightly controlled internal network. IdentityCheck
On
Apache will try to get this information only when the command is set to
frank
( %u
) This is the client ID (userid) that the HTTP authentication system gets to access the page, REMOTE_USER
and the environment variable is set to that value and provided to the CGI script. If the status code is 401, indicating that the customer did not pass the authentication, this value is meaningless. If the page does not have password protection set, this entry will be " -
".
[10/Oct/2000:13:55:36 -0700]
( %t
) This is the time when the server completes the request processing, in the format:[日/月/年:时:分:秒 时区],可以在格式字符串中使用 %{format}t
来改变时间的输出形式
"GET /apache_pb.gif HTTP/1.0"
( \"%r\"
) in quotation marks is a request line from a client that contains a lot of useful information. As can be seen, the action of the customer is GET
that the requested resource is /apache_pb.gif
, the protocol used is HTTP/1.0
. In addition, other information can be recorded, such as: The format string " %m %U%q %H
" will record the action, path, query string, protocol, its output and " %r
".
200
( %>s
) This is the status code returned to the client by the server
2326
( %b
) This last item is the number of bytes returned to the client that do not include the response header. If no information is returned, the entry should be " -
" and should be used if you want to record as " 0
" %B
.
Combined log format (Combined log formats)
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog log/access_log combined
This format is similar to the common log format, but there are two more %{header}i
items, the header of which can be any request header. This format is recorded in the form of:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
Among them, the extra items are:
-
-
"http://www.example.com/start.html"
(
\"%{Referer}i\"
)
-
-
"Referer" request header. This entry indicates the page from which the request was submitted, and the page should contain
/apache_pb.gif
or be connected.
-
-
"Mozilla/4.08 [en] (Win98; I ;Nav)"
(
\"%{User-agent}i\"
)
-
-
"User-agent" request header. This is the browser-aware information provided by the client.
-
-
-
-
log scrolling and pipeline logs
-
-
even if a server is not busy, its log files can be very informative, typically every 10,000 requests, the access log will increase by 1MB or more. This is necessary to periodically scroll the log files. Because Apache keeps the log file open and continues to write information, scrolling cannot be performed during the server's operation. After you move or delete a log file, you must restart the server for it to open a new log file
-
-
Apache httpd can pass access logs and error messages to another process through a pipeline, rather than writing to a file, which significantly increases the flexibility of the log because it does not require programming of the primary server. As long as the pipe operator "" followed by |
an executable file name, you can make this program from the standard input device to obtain event records. Apache starts the pipeline log process at the same time, and during the run, if the process crashes, it restarts the process (so we call this technology "reliable pipeline logs").
The pipeline log process is generated by the Apache HTTPD of its parent process and inherits its permissions, which means that the pipeline process is usually run as root, so it is important to keep the program simple and secure.
An important use of the pipeline log is to allow the log to scroll without restarting the server. To do this, the server provides a simple programrotatelogs
CustomLog "|bin/rotatelogs /var/logs/logfile 86400" common
This configuration establishes the file "/var/logs/logfile.nnnn", where the nnnn is the system time at which the nominal log is started (this time is always a multiple of the scrolling time and can be used for synchronization with cron scripts). When the scrolling time arrives (in this case, after 24 hours), a new log is generated.
CustomLog "|bin/rotatelogs /var/logs/logfile 5M" common
This configuration scrolls the log file size when it grows to 5 megabytes
ErrorLog "|bin/rotatelogs /var/logs/errorlog.%Y-%m-%d-%H_%M_%S.log 5M"
This configuration scrolls the log when the error log size grows to 5 megabytes, and the log file name suffix is created in the following format:errorlog.YYYY-mm-dd-HH_MM_SS
Apache Scroll Log configuration