This is a snippet from our httpd.conf file showing how our Apache server is configured to log transactions:
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%{[%F %T %z]}t %h %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{[%F %T %z]}t %h %u \"%r\" %>s %b %I %O %T" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Example access_log:
[2013-07-22 08:18:42 -0500] 10.20.202.111 - "PUT /service/inventory.php?KUID=1EC0E7FC-0FDE-46E6-B0D6-EDB6770588B1&VERSION=5.4.5315 HTTP/1.1" 200 526 312779 955 426
- %h = Remote hostname. Will log the IP address if HostnameLookups is set to Off, which is the default. If it logs the hostname for only a few hosts, you probably have access control directives mentioning them by name.
- %u = Remote user if the request was authenticated. May be bogus if return status (%s) is 401 (unauthorized).
- %r = First line of request.
  - It will always start with the HTTP method: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - The GET method means retrieve whatever information I'm asking for.
    - The HEAD method is just asking for the HTTP header information.
    - The POST and PUT methods are kinda similar in the sense that there is information being transferred to the server (typically).
    - There are others too, but those are the ones that are usually of consequence in these logs when troubleshooting.
- %s = Status. For requests that have been internally redirected, this is the status of the original request. Use %>s for the final status.
- %b = Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a '-' rather than a 0 when no bytes are sent.
- %I = Bytes received, including request and headers. Cannot be zero. You need to enable mod_logio to use this.
- %O = Bytes sent, including headers. Cannot be zero. You need to enable mod_logio to use this.
- %T = The time taken to serve the request, in seconds.
To break down the example:
[2013-07-22 08:18:42 -0500] 10.20.202.111 - "PUT /service/inventory.php?KUID=1EC0E7FC-0FDE-46E6-B0D6-EDB6770588B1&VERSION=5.4.5315 HTTP/1.1" 200 526 312779 955 426
- [2013-07-22 08:18:42 -0500] = Date and time and offset of completed request
- 10.20.202.111 = IP of remote client
- "PUT /service/inventory.php?KUID=1EC0E7FC-0FDE-46E6-B0D6-EDB6770588B1&VERSION=5.4.5315 HTTP/1.1" = First line of HTTP request
- 200 = HTTP response code.
- 526 = Size of response in bytes
- 312779 = Bytes received
- 955 = Bytes sent
- 426 = Time taken to complete transaction
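As an added example (not part of the original article or of our server configuration), the Python below parses lines written with the `common` LogFormat shown above into typed fields, covering the '-' value of %b, a request line that is not a well-formed "METHOD URI PROTOCOL", and the unreliable %u on a 401. The names `parse_line`, `LINE_RE` and the dictionary keys are assumptions made for this example, and every sample line except the first is constructed.

```python
import re
from datetime import datetime

# Mirrors the page's "common" nickname:
#   %{[%F %T %z]}t %h %u "%r" %>s %b %I %O %T
LINE_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<user>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '  # httpd backslash-escapes quotes in %r
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) '
    r'(?P<bytes_in>\d+) (?P<bytes_out>\d+) (?P<seconds>\d+)$'
)

def parse_line(line):
    """Return a dict of typed fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # %b logs '-' rather than 0 when no body bytes were sent
    rec["resp_bytes"] = 0 if rec["resp_bytes"] == "-" else int(rec["resp_bytes"])
    for key in ("bytes_in", "bytes_out", "seconds"):
        rec[key] = int(rec[key])
    # %r is client-supplied, so it may not split into METHOD URI PROTOCOL
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["uri"], rec["protocol"] = parts
    else:
        rec["method"] = rec["uri"] = rec["protocol"] = None
    # %u may be bogus when the status is 401, so do not treat it as an identity
    rec["user_trusted"] = rec["user"] != "-" and rec["status"] != 401
    return rec

# First line is the article's example; the other three are constructed.
SAMPLE = [
    r'[2013-07-22 08:18:42 -0500] 10.20.202.111 - "PUT /service/inventory.php?KUID=1EC0E7FC-0FDE-46E6-B0D6-EDB6770588B1&VERSION=5.4.5315 HTTP/1.1" 200 526 312779 955 426',
    r'[2013-07-22 08:19:03 -0500] 10.20.202.112 - "HEAD /service/inventory.php HTTP/1.1" 200 - 210 180 0',
    r'[2013-07-22 08:19:10 -0500] 10.20.202.113 admin "GET /service/ HTTP/1.1" 401 381 250 620 0',
    r'[2013-07-22 08:19:15 -0500] 10.20.202.114 - "\x16\x03\x01" 400 226 3 410 0',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
```

Lines that return None did not match the format at all and are worth reviewing by hand rather than silently dropping.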
References:
http://httpd.apache.org/docs/current/mod/mod_log_config.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html