Format of Apache Log Files

The format of a log file is defined by the LogFormat directive in the Apache configuration file, which is typically either /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf, depending on your Linux distribution. Here is an example:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

This configuration line is split into three parts. First is the directive name. The second part is the format string that defines the structure of the log line. We'll come back to the format string definitions shortly. The last part is the name of the logging format.

You can define as many different logging line formats as you like, and then assign them to the logging file definitions as necessary. For example, you can add the following directive to a virtual host definition section, which instructs the Apache web server to write the log lines in the format described by the combined log format directive, into a log file called logs/access.log:

CustomLog logs/access.log combined

You can have multiple CustomLog directives, each with a different file name and the format directive.

■Note Refer to the official Apache documentation for more information about the log files. You can find it at

The format string that is used with the LogFormat configuration statement contains one or more directives that start with the % character. When a log line is written to the log file, the directives are replaced with the corresponding values. Table 6-1 lists some of the most commonly used directives.

Table 6-1. Commonly Used Log Format Directives




IP address of the remote host.


IP address of the local host.


The response size in bytes. HTTP header size is not included.


Same as %B, but the - sign is used instead of 0 if the response is empty.


The value of the cookie_name cookie.


The request processing time in microseconds.


The remote host.


The request protocol (HTTP 1.0, 1.1, etc.).


The contents of the HTTP request field. These are commonly used HTTP

request headers:

Referer: If present, identifies the referring URL

User-Agent: The string identifying the user client software

Via: List of the proxies through which the request was sent

Accept-Language: List of language codes accepted by the client

Content-Type: Request MIME content type


Remote logname from the remote identd process, if running. This is usually -,

unless the mod_ident module is installed. a


The request method (POST, GET, etc.).


The contents of the HTTP header variable in the response. See the %{}I

definition for more details.


The process ID of the Apache web server child that served the request.


The query string (only for GET requests), if it exists. The string is prepended

with the ? character.


The first line of the request. This usually includes the request method, the

request URL, and the protocol definition.


The status of the response, such as 404 or 200. This is the status of the original (!)

request. If there are any internal redirects configured, this will be different

from the final status that is sent back to the requestor.



%>s The last status of the request. In other words, this is what the client receives.

%t The timestamp of when the request was received. This is a standard English format, which looks like [ 20/May/2010:07:26:23 +0100]. You can modify the format. See the %{ format}t directive definition for details.

%{ format}t The timestamp as defined by the format string. The format is defined using the strftime directives.

%T The request serving time, in seconds.

%u The remote user if authenticating using the auth module.

%U The URL part of the request. The query string is not included.

aEven if both the remote process and the Apache module are present, I would not recommend relying on this information, as the identd protocol is considered insecure.

Was this article helpful?

0 0

Post a comment