Lamp-apache Access Log


Access logs record information about visitors to the site. In some special cases we can extract the information we need from the access log, such as the source of an attack on the site, or statistics on how user access is distributed.


First, the website access log

1. Access Log Configuration

    # vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    <VirtualHost *:80>
        DocumentRoot "/data/www/abc.com"
        ServerName abc.com
        ServerAlias www.abc.com
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteCond %{HTTP_HOST} !^abc.com$
            RewriteRule ^/(.*)$ http://abc.com/$1 [R=301,L]
        </IfModule>
        # Error log
        ErrorLog "logs/abc.com-error_log"
        # Request (access) log
        CustomLog "logs/abc.com-access_log" common
    </VirtualHost>

2. View the Access log

    # ls /usr/local/apache2.4/logs/
    123.com-access_log  abc.com-access_log  access_log  httpd.pid
    123.com-error_log   abc.com-error_log   error_log
    # tail /usr/local/apache2.4/logs/abc.com-access_log
    192.168.137.100 - - [21/Jul/2017:11:38:13 +0800] "GET HTTP://abc.com/ HTTP/1.1" 403 209
    192.168.137.100 - - [21/Jul/2017:12:00:52 +0800] "GET HTTP://abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:00:57 +0800] "GET HTTP://www.abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:01:06 +0800] "GET HTTP://abcd.com/ HTTP/1.1" 200 7

▏ Log Format:

    # cat /usr/local/apache2.4/conf/httpd.conf | grep -i logformat
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common


3. Change common to combined to get a more detailed log format

    # tail /usr/local/apache2.4/logs/abc.com-access_log
    192.168.137.100 - - [21/Jul/2017:11:38:13 +0800] "GET HTTP://abc.com/ HTTP/1.1" 403 209
    192.168.137.100 - - [21/Jul/2017:12:00:52 +0800] "GET HTTP://abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:00:57 +0800] "GET HTTP://www.abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:01:06 +0800] "GET HTTP://abcd.com/ HTTP/1.1" 200 7
    192.168.137.1 - - [21/Jul/2017:18:07:04 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    192.168.137.1 - - [21/Jul/2017:18:07:06 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
    192.168.137.1 - - [21/Jul/2017:18:07:22 +0800] "GET /1.txt HTTP/1.1" 404 203 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"

By default, the log format is:

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Here %h records the visitor's IP. If there is a proxy layer in front of the web server, %h is actually the IP of the proxy machine, which is not what we want.

In this case, the %{X-Forwarded-For}i field records the client's real IP.

▏ So the log format should read:

    LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
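The format above writes X-Forwarded-For unquoted, and the header can hold several comma-separated addresses, of which only the ones appended by your own proxies are reliable because the rest are supplied by the client. The following added example (not part of the original article) parses that format and resolves the client address by skipping trusted proxy hops from the right; the 10.0.0.0/24 proxy range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Field order of the modified LogFormat:
# %h %{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Assumption: the reverse proxies in front of Apache live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def client_ip(host, xff, trusted=TRUSTED_PROXIES):
    """Walk the hop chain right to left and return the first hop that is
    not one of our own proxies; anything further left is client-supplied."""
    hops = [h.strip() for h in xff.split(",") if h.strip() not in ("", "-")]
    last_good = host
    for hop in reversed(hops + [host]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return last_good          # malformed entry: stop at last valid hop
        if not any(addr in net for net in trusted):
            return hop
        last_good = hop
    return last_good                  # every hop was a trusted proxy

def count_clients(lines):
    """Count requests per resolved client IP; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[client_ip(m["host"], m["xff"])] += 1
    return counts

# Constructed sample lines in the format above (not taken from the article).
SAMPLE = [
    '10.0.0.5 203.0.113.7 - - [21/Jul/2017:18:07:06 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"',
    '10.0.0.5 192.0.2.1, 198.51.100.23 - - [21/Jul/2017:18:07:09 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"',
    '10.0.0.5 198.51.100.23 - - [21/Jul/2017:18:07:12 +0800] "GET /1.txt HTTP/1.1" 404 203 "-" "curl/7.29.0"',
    '192.168.137.1 - - - [21/Jul/2017:18:07:22 +0800] "GET /1.txt HTTP/1.1" 404 203 "-" "curl/7.29.0"',
]

print(count_clients(SAMPLE).most_common())
```

In the second sample line the left-most address was sent by the client and is ignored; the request is attributed to the address the trusted proxy appended.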


Second, do not record static files

The access log records a large number of requests for static files (images, CSS, JS, etc.) that clutter it and affect operational efficiency.

1. Configure the virtual host

    # vi /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
    <VirtualHost *:80>
        DocumentRoot "/data/www/abc.com"
        ServerName abc.com
        ServerAlias www.abc.com
        ErrorLog "logs/abc.com-error_log"
        # Mark every request whose URI ends in gif, jpg, etc. as img
        SetEnvIf Request_URI ".*\.gif$" img
        SetEnvIf Request_URI ".*\.jpg$" img
        SetEnvIf Request_URI ".*\.png$" img
        SetEnvIf Request_URI ".*\.bmp$" img
        SetEnvIf Request_URI ".*\.swf$" img
        SetEnvIf Request_URI ".*\.js$" img
        SetEnvIf Request_URI ".*\.css$" img
        # Log everything except requests marked img
        CustomLog "logs/abc.com-access_log" combined env=!img
    </VirtualHost>

2. Check the syntax and reload

    # /usr/local/apache2.4/bin/apachectl -t
    Syntax OK
    # /usr/local/apache2.4/bin/apachectl graceful

3. Verify the effect

    # curl -x127.0.0.1:80 abcd.com/123.php -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:20:04 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # curl -x127.0.0.1:80 abcd.com/123.gif -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:20:10 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # curl -x127.0.0.1:80 abcd.com/123.png -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:20:17 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # tail /usr/local/apache2.4/logs/abc.com-access_log
    192.168.137.100 - - [21/Jul/2017:11:38:13 +0800] "GET HTTP://abc.com/ HTTP/1.1" 403 209
    192.168.137.100 - - [21/Jul/2017:12:00:52 +0800] "GET HTTP://abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:00:57 +0800] "GET HTTP://www.abc.com/ HTTP/1.1" 200 7
    192.168.137.100 - - [21/Jul/2017:12:01:06 +0800] "GET HTTP://abcd.com/ HTTP/1.1" 200 7
    192.168.137.1 - - [21/Jul/2017:18:07:04 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    192.168.137.1 - - [21/Jul/2017:18:07:06 +0800] "GET / HTTP/1.1" 200 7 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
    192.168.137.1 - - [21/Jul/2017:18:07:22 +0800] "GET /1.txt HTTP/1.1" 404 203 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"
    127.0.0.1 - - [21/Jul/2017:18:20:04 +0800] "HEAD HTTP://abcd.com/123.php HTTP/1.1" 404 - "-" "curl/7.29.0"
    ## The effect of the filtering is now visible


Third, access log rotation

The site is accessed every day and records a large amount of log information. A single large log file is inconvenient for operators to read, and it makes cleaning up expired logs difficult. Rotating (cutting) the log is a good solution to this problem.

1. Configure the virtual host

    # cat /usr/local/apache2.4/conf/extra/httpd-vhosts.conf | grep -i customlog
        CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/abc.com-access_%Y%m%d.log 86400" combined env=!img
    ## The tool is named rotatelogs; -l: use the current system (local) time as the base

2. Check the syntax and reload

    # /usr/local/apache2.4/bin/apachectl -t
    Syntax OK
    # /usr/local/apache2.4/bin/apachectl graceful

3. Test results

    # curl -x127.0.0.1:80 abcd.com/123.php -I
    HTTP/1.1 404 Not Found
    Date: Fri, 21 Jul 2017 10:32:07 GMT
    Server: Apache/2.4.27 (Unix) PHP/7.1.6
    Content-Type: text/html; charset=iso-8859-1

    # ls /usr/local/apache2.4/logs/
    123.com-access_log  abc.com-access_20170721.log  abc.com-error_log  error_log
    123.com-error_log   abc.com-access_log           access_log         httpd.pid

You can see that a new log file has been generated. Later you can set up a scheduled task that deletes outdated log files so that the disk does not run out of space.
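One way to implement the cleanup task mentioned above, as an added example that is not part of the original article: it selects rotated logs by the date stamp in the file name produced by the rotatelogs pattern, so error logs, httpd.pid and the un-rotated access logs are never touched. The function names, the retention period and the sample listing are assumptions made for illustration.

```python
import re
from datetime import date, datetime, timedelta
from pathlib import Path

# Names produced by the rotatelogs pattern above: abc.com-access_%Y%m%d.log
ROTATED_RE = re.compile(r"^.+-access_(?P<day>\d{8})\.log$")

def expired_logs(names, today, keep_days):
    """Return the rotated access logs whose date stamp is older than
    keep_days. Names that do not match the pattern are never selected."""
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for name in names:
        m = ROTATED_RE.match(name)
        if not m:
            continue
        try:
            day = datetime.strptime(m["day"], "%Y%m%d").date()
        except ValueError:
            continue                  # eight digits that are not a real date
        if day < cutoff:
            expired.append(name)
    return sorted(expired)

def purge(log_dir, keep_days, dry_run=True):
    """Delete expired rotated logs in log_dir; with dry_run only report them."""
    log_dir = Path(log_dir)
    names = [p.name for p in log_dir.iterdir() if p.is_file()]
    victims = expired_logs(names, date.today(), keep_days)
    if not dry_run:
        for name in victims:
            (log_dir / name).unlink()
    return victims

# Constructed listing based on the file names shown above; the 20170601 and
# 20179999 entries are made up to exercise the expiry and bad-date paths.
SAMPLE_NAMES = [
    "abc.com-access_20170601.log", "abc.com-access_20170721.log",
    "abc.com-access_20179999.log", "abc.com-access_log",
    "abc.com-error_log", "access_log", "error_log", "httpd.pid",
]

print(expired_logs(SAMPLE_NAMES, date(2017, 7, 22), keep_days=30))
```

Run purge with dry_run=True first to review the list, and choose keep_days so that the logs you may need for an incident investigation are still on disk.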


This article is from the "Gorilla grodd" blog, be sure to keep this source http://juispan.blog.51cto.com/943137/1952820
