Web servers log all traffic to a log file. There are various formats, and this page will help you understand the log formats that are used. The most popular logging formats are NCSA (Common or Combined), used mostly by Apache, and the W3C standard used by IIS. These formats are explained in more detail below.
APACHE LOG FILES
One of the many pieces of the Website puzzle is Web logs. Traffic analysis is central to most Websites, and the key to getting the most out of your traffic analysis revolves around how you configure your Web logs. Apache is one of the most, if not the most powerful open source solutions for Website operations. You will find that Apache’s Web logging features are flexible for the single Website or for managing numerous domains requiring Web log analysis. For the single site, Apache is pretty much configured for logging in the default install. The initial httpd.conf file (found in /etc/httpd/conf/httpd.conf in most cases) should have a section on logs that looks similar to this (Apache 2.0.x), with descriptive comments for each item. Your default logs folder will be found in /etc/httpd/logs. This location can be changed when dealing with multiple Websites, as we’ll see later. For now, let’s review this section of log configuration.
ErrorLog logs/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog logs/access_log combined
Error Logs
The error log contains messages sent from Apache for errors encountered during the course of operation. This log is very useful for troubleshooting Apache issues on the server side.
Apache Log Tip: If you are monitoring errors or testing your server, you can use the command line to interactively watch log entries. Open a shell session and type “tail -f /path/to/error_log”. This will show you the last few entries in the file and also continue to show new entries as they occur.
There are no real customization options available, other than telling Apache where to establish the file, and what level of error logging you seek to capture. First, let’s look at the error log configuration code from httpd.conf.
ErrorLog logs/error_log
You may wish to store all error-related information in one error log. If so, the above is fine, even for multiple domains. However, you can specify an error log file for each individual domain you have. This is done in the <VirtualHost> container with an entry like this:
<VirtualHost 10.0.0.2>
    DocumentRoot "/home/sites/domain1/html/"
    ServerName domain1.com
    ErrorLog /home/sites/domain1/logs/error.log
</VirtualHost>
If you are responsible for reviewing error log files as a server administrator, it is recommended that you maintain a single error log. If you’re hosting for clients, and they are responsible for monitoring the error logs, it’s more convenient to specify individual error logs they can access at their own convenience.
Apache’s definitions for their error log levels are as follows:
Level | Description |
---|---|
Emerg | Emergencies – system is unusable |
Alert | Action must be taken immediately |
Crit | Critical Conditions |
Error | Error conditions |
Warn | Warning Conditions |
Notice | Normal but significant condition |
Info | Information |
Debug | Debug-level messages |
Tracking Website Activity – Access Logs
Often by default, Apache will generate a log file called access. This tracks the accesses to your Website, the browsers being used to access the site and the referring URLs that your site visitors have arrived from. It is commonplace now to utilize Apache’s “combined” log format, which compiles all three of these logs into one log file. This is very convenient when using traffic analysis software, as a majority of these third-party programs are easiest to configure and schedule when only dealing with one log file per domain. Let’s break down the code in the combined log format and see what it all means.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat starts the line and simply tells Apache you are defining a log file type (or nickname), in this case, combined. Now let’s look at the cryptic symbols that make up this log file definition.
Symbol | Description |
---|---|
%h | IP Address of client (remote host) |
%l | Identd of client (normally unavailable) |
%u | User id of user requesting object |
%t | Time of request |
%r | Full request string |
%>s | Status code |
%b | Size of request (excluding headers) |
%{Referer}i | The previous webpage |
%{User-agent}i | The Client’s browser |
To review all of the available configuration codes for generating a custom log, see Apache’s documentation for mod_log_config, which powers log files in Apache.
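The field breakdown above, as an added example that is not part of the original page: a Python parser that maps each directive of the combined format to a named field. The sample lines are constructed, and the parser relies on Apache's documented behaviour of writing a `"` inside a logged field as `\"`, so a quote in a client-supplied User-Agent cannot shift the status or size columns.

```python
import re
from datetime import datetime

def quoted(name):
    # A double-quoted field; an escaped \" or \\ stays inside the field.
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

# One named group per directive of the combined format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    + quoted("request") + r' (?P<status>\d{3}) (?P<bytes>\d+|-) '
    + quoted("referer") + " " + quoted("agent"))

def parse_combined(line):
    """Return a dict of fields for one combined-format line, or None if malformed."""
    m = COMBINED.fullmatch(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" = nothing sent
    # %r is normally "METHOD URI PROTOCOL", but a client can send anything,
    # so only split it when it has exactly that shape.
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["uri"], rec["protocol"] = parts
    else:
        rec["method"] = rec["uri"] = rec["protocol"] = None
    return rec

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [30/Dec/2009:13:45:03 +0000] "GET /index.html HTTP/1.1" '
    '200 3057 "http://example.com/" "Mozilla/5.0"',
    # User-Agent containing quotes, logged by Apache as \"
    '192.0.2.11 - alice [30/Dec/2009:13:45:04 +0000] "GET /missing HTTP/1.1" '
    '404 - "-" "agent \\"quoted\\" 200 1"',
    # Timed-out connection: no request line was received
    '192.0.2.12 - - [30/Dec/2009:13:45:05 +0000] "-" 408 - "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        rec = parse_combined(entry)
        print(rec["host"], rec["status"], rec["bytes"], rec["uri"])
```

Lines that return None are worth counting and reviewing rather than discarding, since a format mismatch can hide requests from the analysis.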
Apache Log Tip: You could capture more from the HTTP header if you so desired. A full listing and definition of data in the header is found at the World Wide Web Consortium. http Logs Viewer supports a number of log formats and directives and these can be found here.
For a single Website, the default entry would suffice:
CustomLog logs/access_log combined
However, for logging multiple sites, you have a few options. The most common is to identify individual log files for each domain. This is seen in the example below, again using the log directive within the <VirtualHost> container for each domain.
<VirtualHost 10.0.0.2>
    DocumentRoot "/home/sites/domain1/html/"
    ServerName domain1.com
    ErrorLog /home/sites/domain1/logs/error.log
    CustomLog /home/sites/domain1/logs/web.log combined
</VirtualHost>
<VirtualHost 10.0.0.3>
    DocumentRoot "/home/sites/domain2/html/"
    ServerName domain2.com
    ErrorLog /home/sites/domain2/logs/error.log
    CustomLog /home/sites/domain2/logs/web.log combined
</VirtualHost>
<VirtualHost 10.0.0.4>
    DocumentRoot "/home/sites/domain3/html/"
    ServerName domain3.com
    ErrorLog /home/sites/domain3/logs/error.log
    CustomLog /home/sites/domain3/logs/web.log combined
</VirtualHost>
In the above example, we have three domains with three unique Web logs (using the combined format we defined earlier). A traffic analysis package could then be scheduled to process these logs and generate reports for each domain independently.
IIS LOG FILES
IIS uses different formats to create log files. The most common two are NCSA and W3C standard.
NCSA
This format is identical to the Apache Common log format. You can treat such a log file in much the same way as you would treat an Apache log file.
W3C
The field definitions of the W3C logging format are shown below. Some fields start with a prefix that indicates which host (client/server/proxy) the field refers to.
Prefix | Description |
---|---|
c | Client |
s | Server |
r | Remote |
cs | Client to Server. |
sc | Server to Client. |
sr | Server to Remote Server (used by proxies) |
rs | Remote Server to Server (used by proxies) |
Field Definition | Description |
---|---|
date | Date at which transaction completed |
time | Time at which transaction completed |
time-taken | Time taken for transaction to complete in seconds |
bytes | bytes transferred |
cached | Records whether a cache hit occurred |
ip | IP address and port |
dns | DNS name |
status | Status code |
comment | Comment returned with status code |
method | Method |
uri | URI |
uri-stem | Stem portion alone of URI (omitting query) |
uri-query | Query portion alone of URI |
A sample W3C log file is shown below:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-12-30 13:45:03 192.168.88.2 GET /default.aspx - 80 - 192.168.1.5 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.1.6)+Gecko/20091201+Firefox/3.5.6+GTB6 200 0 0 3057
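An added example, not part of the original page: a Python reader for the W3C format that takes its column names from the `#Fields:` directive and splits each name into the prefix and identifier from the tables above. The first two sample lines are the ones shown on this page; the third is a constructed truncated entry, and the function names are this example's own.

```python
# Prefixes from the table above: which host(s) a field refers to.
PREFIXES = {"c": "Client", "s": "Server", "r": "Remote",
            "cs": "Client to Server", "sc": "Server to Client",
            "sr": "Server to Remote Server", "rs": "Remote Server to Server"}

def split_field(name):
    """'cs-uri-stem' -> ('cs', 'uri-stem'); 'cs(User-Agent)' -> ('cs', 'User-Agent');
    names without a known prefix ('date', 'time-taken') -> (None, name)."""
    if name.endswith(")") and "(" in name:          # header form: prefix(Header)
        prefix, header = name[:-1].split("(", 1)
        return (prefix, header) if prefix in PREFIXES else (None, name)
    prefix, sep, ident = name.partition("-")
    if sep and prefix in PREFIXES:
        return prefix, ident
    return None, name

def parse_w3c(lines):
    """Return (records, rejected). Records are dicts keyed by the field names of
    the most recent #Fields directive; '-' (no value) becomes None."""
    fields, records, rejected = None, [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # the layout may change mid-file
        elif not line or line.startswith("#"):
            continue                                  # other directives hold no entries
        elif fields is None or len(line.split()) != len(fields):
            rejected.append(line)                     # never guess at column alignment
        else:
            records.append({f: (None if v == "-" else v)
                            for f, v in zip(fields, line.split())})
    return records, rejected

SAMPLE = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2009-12-30 13:45:03 192.168.88.2 GET /default.aspx - 80 - 192.168.1.5 "
    "Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.1.6)"
    "+Gecko/20091201+Firefox/3.5.6+GTB6 200 0 0 3057",
    "2009-12-30 13:45:09 192.168.88.2 GET /default.aspx",   # constructed: truncated
]

if __name__ == "__main__":
    records, rejected = parse_w3c(SAMPLE)
    for rec in records:
        print(rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"])
    print("rejected:", len(rejected))
```

Because the column order comes from the `#Fields:` line rather than being hard-coded, the same reader keeps working when the set of logged fields is changed on the server.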