Apache Log Management

I. Apache log type

1.apache log is divided into: Access log, error log

2. Level of log information

Degree of severity	Grade	Description
1	Emerg	System not available
2	Alert	A situation that requires immediate attention
3	Crit	Critical situation
4	Error	Error message
5	Warn	Warning message
6	Notice	A situation that requires attention
7	Info	General Information
8	Debug	Information that is output by programs running in debug mode

Description

If the user sets the error log to the warn level, all error messages that are critical by the message will be recorded

Two. Apache Access log

Format of Apache access log

Apache has built the ability to record server activity, which is its log function.

If Apache is installed by default, two log files will be generated when the server is running. These two files are Access_log and error_log. located under/var/log/httpd/; If the source code is used to compile the installation mode, it is located in/usr/local/apache/logs;

As its name implies, the access log Access_log records all Access activities to the Web server. The following is a typical record in the access log:

 192.168.254.191 - - [01/Sep/2014:14:06:49 +0000]  "get / http/1.1"  200 44  as can be seen from the record, the log is divided into 7 items, the above example has two gaps, but the overall is 7 first item:192.168.254.191  is the client's own IP second item:-  with a "-" Placeholder instead of   in fact, most of the time this is the case. This location is used to record the browser's identity, not just the user's login name, but the email address or other unique identifier of the person who browsed the browser. This information is returned by Identd, or directly by the browser. But basically now the browser has eliminated the third item of the feature:-Replace with a "-" placeholder. The first name that is actually used to record the visitor's authentication is the fourth:[01/sep/2014:14:06:49 +0000]   record access time. This information is enclosed in square brackets and is used in the so-called "public log Format" or "Standard English format". +0000 indicates the time zone in which the server is located and UTC is the fifth item: "get / http/1.1"    tells us what kind of request the server received, the typical format of this information is "method  Resource protocol "," Method   resources   Protocol "Sixth:200  represents the information status code. That is, the result of the user request is successful. 200 indicates that the server successfully responds to the browser's request. In general, however, a status code starting with 2 indicates success, and a status code starting with 3 indicates that the user request is redirected to a different location due to various reasons, a status code starting with 4 indicates that there is an error on the client, and a status code starting with 5 indicates that the server encountered an error.    Seventh:44  The total number of bytes sent to the client. It tells us whether the transmission is interrupted (that is, whether the value is the same as the size of the file). By adding these values to the log, you can tell how much data the server sends in a day, week, or month.   Summary: The log Name field represents the content:    1. Remote host, 2. Blank (e-mail), 3. Blank (login name), 4. Request time, 5. Method + Resource + protocol, 6. Status code, 7. Send bytes Configure access log

The decision to place the log is in the following statement in httpd.conf

Customlog "Logs/access_log" common

CUSTOMLOG specifies the exact location and format of the save log, which specifies the common log format (standard log format)

Note: For older Apache servers, this can be not customlog, but is specified with Transferlog

Three. Apache Error log

Error log contents and format

The error log records the various errors encountered during the server run, as well as some common diagnostic information. Content is generally divided into document errors and CGI errors, as well as some configuration file error and service opening and closing information

[Mon Sep 01 15:21:03 2014] [ERROR] [Client 192.168.254.191] File does not exist:/USR/LOCAL/HTTPD-2.2.9/HTDOCS/AA First: Date/Time tags, note that their format differs from the format of the date/time in Access_log. The format in Access_log is called "Standard English format" and the second item: the level of the current record, which indicates the severity of the problem. This level of information may be any of the levels listed in the documentation for the LOGLEVEL directive (see the previous loglevel link), and the error level is between the warn level and the crit level.  404 belongs to the error level, which indicates that a problem is actually encountered, but the server can also run.  The third item: represents the IP address used by the user when making the request. Fourth: The real error message. For a 404 error, it also gives the full path indicating the file the server is trying to access.

Position

The location of the error log is specified by the following statement in the httpd.conf file

Errorlog "Logs/error_log" Specifies the error log file location

LogLevel warn specifies the level at which the error log is logged

Four. Customization of Apache logs

Define the format of the access log

The format of the custom log file involves two instructions, the Logformat directive and the Customlog directive, and the default httpd.conf file provides several examples of these two instructions.

The LOGFORMAT directive defines the format and assigns a name to the format, and we can refer to that name directly later. The customlog instruction sets the log file and indicates the format in which the log file is used (usually by the name of the format).

Logformat "%h%l%u%t \"%r\ "%>s%b" common

Customlog "Logs/access_log" common

The LOGFORMAT directive creates a log format called "Common", in which each string in the middle of the quotation box defines the format of the log, which represents the specific information that is written to the log file in the order specified by the format string.

Common format string variables

%...a:      Remote IP address    % ... a:      local IP address    % ... b:      bytes sent, not including HTTP headers    %...b:      The number of bytes sent in the CLF format, with no HTTP headers.               For example, when no data is sent, write '-' instead of 0.    % ... {foobar}e:  environment variable FOOBAR content    %...f:      file name    %...h :      Remote host    % ... h       Requested protocol    % ... {Foobar}i: foobar content, the header line of the request sent to the server.    %...l:      telnet name (from Identd, if provided)    %...m        method of Request    % ... {foobar}n:  the contents of the note "Foobar" from another module    % ... {Foobar}o: foobar contents, header line of the answer    %...p:      port used when the server responds to the request     % ... P:      the child process ID of the response request.    %...q       query string (contains "?" if a query string exists) The following               part; otherwise, it is an empty string. )    %...r:      first line of the request    %...s:       status. For internal redirection requests, this refers to the status of the original request              . If you use%...>s, you refer to a later request.    %...t:      time in public log time format (or Standard English format)    % ... {format}t:  the time    % in the specified format. t:      time spent in response to requests, in seconds    %...u:      Remote user (from Auth; if the return status (%s) is 401, it could be forged)    % ... u:      URL path requested by user    %...v:      servername   % of the server responding to the request ... v:      the server name   "%{referer}i" according to the Usecanonicalname setting indicates which page the request wasHanded over. "%{user-agent}i"  --This is a browser-aware information provided by the customer's browser

In all the variables listed above, "..." represents an optional condition. If no condition is specified, the value of the variable is replaced with "-". Analyzing the example of the logformat instruction from the default httpd.conf file earlier, you can see that it creates a log format called "Common", which includes: remote host, Telnet name, remote user, request time, first line of request, request status, and number of bytes sent.

Sometimes we just want to record some specific, defined information in the log, and then we need to use "...". If you put one or more HTTP status codes between "%" and a variable, the content represented by the variable is logged only if the status code returned by the request belongs to one of the specified status codes. For example, if we want to record all the invalid links for a site, you can use:

Logformat%404{referer}i Brokenlinks

Conversely, if we want to record the request that the status code does not equal the specified value, simply add a "!" Symbols can:

Logformat%!200u Somethingwrong

Example

Logformat "%h%l%u%t \"%r\ "%>s%b \"%{referer}i\ "\"%{user-agent}i\ "" combined

Customlog "Log/access_log" combined

This format is similar to the common log format, but there are two more%{header}i entries, where the header can be any request header. This format is recorded in the form of:

127.0.0.1-frank [10/oct/2000:13:55:36-0700] "Get/apache_pb.gif http/1.0" 2326 "mozilla/4.08 [en] (Win98; I; NAV) "

Among them, the extra items are:

"Http://www.example.com/start.html" (\ "%{referer}i\")

"Referer" request header. This entry indicates which Web page the request was submitted from, and the page should contain/apache_pb.gif or its connection.

"mozilla/4.08 [en] (Win98; I; NAV) "(\"%{user-agent}i\ ")

"User-agent" request header. This is the browser-aware information provided by the client

Five. Apache Log polling

What is log polling?

By default, Apache logs are written to a file, which makes backup and analysis of the logs inconvenient. Log polling is the ability to separate Apache logs based on time, such as polling by day: that is, Apache writes the log of the day to a separate file.

Download and install the log polling tool

wget http://cronolog.org/download/cronolog-1.6.2.tar.gztar zxf cronolog-1.6.2.tar.gz cd cronolog-1.6.2./configure Make make Install

Configure polling

<virtualhost *:80>

DocumentRoot "/usr/local/httpd-2.2.9/htdocs/sr1/"

ServerName www.sr1.com

Serveralias www.sr1.com

Errorlog "Logs/www.sr1.com_error_log"

# customlog "Logs/www.sr1.com_access_log" Jie

Customlog "|/usr/local/sbin/cronolog/usr/local/httpd/logs/sr1_%y%m%d_access_log" Jie

</VirtualHost>

Note the log file to write absolute path

%Y%M%D is polling by day

%y%m%d%h is polling by the hour

View results: You can find that the logs SR1 under logs are created by day

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/57/22/wKioL1SSjVGQrPN0AAGmdO-54jI859.jpg "title=" 1.png " alt= "Wkiol1ssjvgqrpn0aagmdo-54ji859.jpg"/>

This article is from the "Study-everyday" blog, make sure to keep this source http://studys.blog.51cto.com/9736817/1591434

Apache Log Management