Access logs record information about visitors to the site. In some cases we can extract the information we need from the access log, for example the source of an attack on the site, or statistics on how the site's visitors are distributed.
First, the website access log
1. Access Log Configuration
    # vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

    <VirtualHost *:80>
        DocumentRoot "/data/www/abc.com"
        ServerName abc.com
        ServerAlias www.abc.com
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTP_HOST} !^abc.com$
            RewriteRule ^/(.*)$ http://abc.com/$1 [R=301,L]
        </IfModule>
        ## Error log
        ErrorLog "logs/abc.com-error_log"
        ## Request (access) log
        CustomLog "logs/abc.com-access_log" common
    </VirtualHost>
2. View the Access log
    # ls /usr/local/apache2.4/logs/
    123.com-access_log  abc.com-access_log  access_log  httpd.pid
    123.com-error_log   abc.com-error_log   error_log
    # tail /usr/local/apache2.4/logs/abc.com-access_log
    192.168.137.100 - - [21/Jul/2017:11:38:13 +0800] "GET HTTP://abc.com/ HTTP/1.1" 403 209
    192.168.137.100 - - [21/Jul/2017:12:00:52 +0800] "GET HTTP://abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:00:57 +0800] "GET HTTP://www.abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:01:06 +0800] "GET HTTP://abcd.com/ HTTP/1.1" 200 7

Log format:

    # cat /usr/local/apache2.4/conf/httpd.conf | grep -i logformat
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
3. Change common to combined to get a more detailed log format

    # tail /usr/local/apache2.4/logs/abc.com-access_log
    192.168.137.100 - - [21/Jul/2017:11:38:13 +0800] "GET HTTP://abc.com/ HTTP/1.1" 403 209
    192.168.137.100 - - [21/Jul/2017:12:00:52 +0800] "GET HTTP://abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:00:57 +0800] "GET HTTP://www.abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:01:06 +0800] "GET HTTP://abcd.com/ HTTP/1.1" 200 7
    192.168.137.1 - - [21/Jul/2017:18:07:04 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    192.168.137.1 - - [21/Jul/2017:18:07:06 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
    192.168.137.1 - - [21/Jul/2017:18:07:22 +0800] "GET /1.txt HTTP/1.1" 404 203 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
By default, the combined log format is:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Here %h records the visitor's IP. If there is a proxy layer in front of the web server, %h is actually the IP of the proxy machine, which is not what we want.
In that case, the %{X-Forwarded-For}i field records the client's real IP.

So the log format should read:

    LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
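X-Forwarded-For is a request header, so every entry to the left of the one your own proxy appended is client-supplied. The following added example (not from the original article) parses the modified combined format above and honours the header only when %h is a trusted proxy; the trusted-proxy address, the function names and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Page's format: %h %{X-Forwarded-For}i %l %u %t "%r" %>s %b "Referer" "User-Agent"
# X-Forwarded-For is unquoted and may hold a comma-separated list, so it is
# matched lazily up to the "%l %u [" that precedes the timestamp.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) (?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the only proxy allowed to vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.137.100/32")]

# Constructed sample lines (not taken from the page's log).
TAIL = ' - - [21/Jul/2017:18:07:06 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"'
SAMPLE = [prefix + TAIL for prefix in (
    "192.168.137.100 203.0.113.7",                # proxy saw one client
    "192.168.137.100 198.51.100.9, 203.0.113.7",  # client sent its own header
    "192.168.137.1 10.9.9.9",                     # direct hit with a forged header
    "192.168.137.100 -",                          # proxy, no header at all
)]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(line):
    """Return the address to attribute a log line to, or None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        peer = ipaddress.ip_address(m.group("peer"))
    except ValueError:
        return None
    if not _trusted(peer):
        return str(peer)      # direct connection: the header is only client input
    # Walk the list right to left; the first hop we do not trust is the client.
    for hop in reversed(m.group("xff").split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break             # "-" or garbage: stop and fall back to the peer
        if not _trusted(addr):
            return str(addr)
    return str(peer)
```

Running `client_ip` over `SAMPLE` attributes the second line to 203.0.113.7, the address the proxy itself observed, not to the 198.51.100.9 value the client placed in the header.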
Second, do not record static files
The access log records a large number of requests for static files (images, CSS, JS, etc.). These entries clutter the log and reduce operational efficiency.
1. Configure the virtual host
    # vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

    <VirtualHost *:80>
        DocumentRoot "/data/www/abc.com"
        ServerName abc.com
        ServerAlias www.abc.com
        ErrorLog "logs/abc.com-error_log"
        ## Mark every request whose URI ends in .gif, .jpg, etc. as img
        SetEnvIf Request_URI ".*\.gif$" img
        SetEnvIf Request_URI ".*\.jpg$" img
        SetEnvIf Request_URI ".*\.png$" img
        SetEnvIf Request_URI ".*\.bmp$" img
        SetEnvIf Request_URI ".*\.swf$" img
        SetEnvIf Request_URI ".*\.js$" img
        SetEnvIf Request_URI ".*\.css$" img
        ## Log everything except requests marked img
        CustomLog "logs/abc.com-access_log" combined env=!img
    </VirtualHost>

2. Check the syntax and reload

    # /usr/local/apache2.4/bin/apachectl -t
    Syntax OK
    # /usr/local/apache2.4/bin/apachectl graceful

3. Verify the effect

    # curl -x127.0.0.1:80 abcd.com/123.php -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:20:04 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # curl -x127.0.0.1:80 abcd.com/123.gif -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:20:10 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # curl -x127.0.0.1:80 abcd.com/123.png -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:20:17 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # tail /usr/local/apache2.4/logs/abc.com-access_log
    192.168.137.100 - - [21/Jul/2017:11:38:13 +0800] "GET HTTP://abc.com/ HTTP/1.1" 403 209
    192.168.137.100 - - [21/Jul/2017:12:00:52 +0800] "GET HTTP://abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:00:57 +0800] "GET HTTP://www.abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:01:06 +0800] "GET HTTP://abcd.com/ HTTP/1.1" 200 7
    192.168.137.1 - - [21/Jul/2017:18:07:04 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    192.168.137.1 - - [21/Jul/2017:18:07:06 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
    192.168.137.1 - - [21/Jul/2017:18:07:22 +0800] "GET /1.txt HTTP/1.1" 404 203 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
    127.0.0.1 - - [21/Jul/2017:18:20:04 +0800] "HEAD HTTP://abcd.com/123.php HTTP/1.1" 404 - "-" "curl/7.29.0"

You can see the effect of the filter: only the request for 123.php was logged; the requests for 123.gif and 123.png were not.
Third, access log rotation
The site is visited every day and generates a large amount of log data. A single large log file is inconvenient for operators to read, and it makes cleaning up expired logs difficult. Rotating (cutting) the log solves this problem.
1. Configure the virtual host
    # cat /usr/local/apache2.4/conf/extra/httpd-vhosts.conf | grep -i customlog
        CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/abc.com-access_%Y%m%d.log 86400" combined env=!img

The tool is rotatelogs; -l bases rotation on the current system (local) time, and 86400 is the rotation interval in seconds, i.e. one new file per day.

2. Check the syntax and reload

    # /usr/local/apache2.4/bin/apachectl -t
    Syntax OK
    # /usr/local/apache2.4/bin/apachectl graceful
3. Test results
    # curl -x127.0.0.1:80 abcd.com/123.php -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:32:07 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # ls /usr/local/apache2.4/logs/
    123.com-access_log  abc.com-access_20170721.log  abc.com-error_log  error_log
    123.com-error_log   abc.com-access_log           access_log         httpd.pid

You can see that a new log file has been generated. Later you can set up a scheduled task to delete outdated log files so that the disk does not run out of space.
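One way to implement that cleanup, as an added example that is not from the original article: it selects files by the date rotatelogs put in the filename (the %Y%m%d pattern configured above), never by a glob that could also hit the live log or the error log. The function names, the retention period passed as keep_days, and the dry-run default are assumptions.

```python
import re
from datetime import date, datetime, timedelta
from pathlib import Path

# Filenames produced by: rotatelogs -l logs/abc.com-access_%Y%m%d.log 86400
ROTATED_RE = re.compile(r"^abc\.com-access_(\d{8})\.log$")


def expired_logs(log_dir, keep_days, today=None):
    """List rotated access logs whose filename date is older than keep_days."""
    cutoff = (today or date.today()) - timedelta(days=keep_days)
    expired = []
    for path in sorted(Path(log_dir).iterdir()):
        m = ROTATED_RE.match(path.name)
        if m is None or path.is_symlink() or not path.is_file():
            continue          # live log, error log, httpd.pid, links: never touched
        try:
            stamp = datetime.strptime(m.group(1), "%Y%m%d").date()
        except ValueError:
            continue          # eight digits that are not a real date
        if stamp < cutoff:
            expired.append(path)
    return expired


def purge(log_dir, keep_days, today=None, dry_run=True):
    """Delete expired logs; with dry_run=True only report what would be removed."""
    targets = expired_logs(log_dir, keep_days, today)
    if not dry_run:
        for path in targets:
            path.unlink()
    return [p.name for p in targets]
```

Run it from the scheduled task with dry_run=True first and check the returned names against your retention requirements before switching to dry_run=False.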
This article is from the "Gorilla grodd" blog, be sure to keep this source http://juispan.blog.51cto.com/943137/1952820
Lamp-apache Access Log