How to View and Configure Apache Access & Error Logs
At the time of writing, the Apache HTTP server is used by 30.8% of all web servers in operation. If you’re responsible for managing any system that utilizes Apache, then you will surely interact with its logging infrastructure on a regular basis. This tutorial will introduce you to logging in Apache and how it can help you diagnose, troubleshoot, and quickly resolve any problem you may encounter on your server.
You will learn where logs are stored, how to access them, and how to customize the log output and location to fit your needs. You will also learn how to centralize Apache logs in a log management system for easier tracing, searching, and filtering of logs across your entire stack.
🔭 Want to centralize and monitor your Apache logs?
Head over to Logtail and start ingesting your logs in 5 minutes.
Prerequisites
To follow through with this tutorial, you should set up a Linux server that includes a non-root user with sudo privileges. Additionally, you also need the Apache HTTP server installed and enabled on the server, which can be done by executing the relevant commands below.
On Debian-based distributions like Ubuntu:
sudo systemctl enable apache2 sudo systemctl start apache2 sudo systemctl enable httpd sudo systemctl start httpd Please note that the rest of the commands, directory configurations, and conventions used in this tutorial pertain to Debian-based distributions like Ubuntu. Still, the concepts remain the same for other distributions.
Step 1 — Getting started with Apache logging
Apache logs are files that record everything the Apache web server is doing for later analysis by the server administrator. The records of all Apache events are placed in two different text files:
- Access Log: this file stores information about incoming requests. You’ll find details about each request such as the requested resource, response codes, time taken to generate the response, IP address of the client, and more.
- Error Log: this file contains diagnostic information about any errors were encountered while processing requests.
Step 2 — Locating the Apache log files
The log files’ location depends on the operating system the Apache web server is running. On Debian-based operating systems like Ubuntu, the access log file is located in /var/log/apache2/access.log . On CentOS, RHEL, or Fedora, the access log file is stored in /var/log/httpd/access_log .
A typical access log entry might look like this:
::1 - - [13/Nov/2020:11:32:22 +0100] "GET / HTTP/1.1" 200 327 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36" Similarly, the error log file is located in /var/log/apache2/error.log on Debian-based systems and /var/log/httpd/error_log on CentOS, RHEL, or Fedora. A typical error log entry might look like this:
[Thu May 06 12:03:28.470305 2021] [php7:error] [pid 731] [client ::1:51092] script '/var/www/html/missing.php' not found or unable to stat In the next section, we’ll discuss how to view these log files from the command line.
Step 3 — Viewing Apache Log files
One of the most common ways to view an Apache log file is through the tail command which prints the last 10 lines from a file. When the -f option is supplied, the command will watch the file and output its contents in real-time.
sudo tail -f /var/log/apache2/access.log You should observe the following output on the screen:
. . . 198.54.132.137 - - [04/Feb/2022:11:34:04 +0000] "GET / HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:04 +0000] "GET / HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:04 +0000] "GET / HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:05 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:06 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:06 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:07 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:07 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" To view the entire contents of the file, you can use the cat command or open the file in a text editor like nano or vim :
cat /var/log/apache2/access.log You may also want to filter the log entries in the log file by a specific term. In such cases, you should use the grep command. The first argument to grep is the term you want to search for, while the second is the log file that will be searched. In example below, we are filtering all the lines that contain the word GET :
sudo grep GET /var/log/apache2/access.log This should present the following output:
. . . 198.54.132.137 - - [04/Feb/2022:11:34:04 +0000] "GET / HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:04 +0000] "GET / HTTP/1.1" 200 3477 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:05 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:06 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:06 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:07 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" 198.54.132.137 - - [04/Feb/2022:11:34:07 +0000] "GET / HTTP/1.1" 200 3476 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36" Step 4 — Examining Apache access log formats
The access log records all requests that are processed by the server. You can see what resources are being requested, the status of each request, and how long it took to process their response. In this section, we’ll dive deeper into how to customize the information that is displayed in this file.
Before you can derive value from reading a log file, you need to understand the format that is being used for each of its entries. The CustomLog directive is what controls the location and format of the Apache access log file. This directive can be placed in the server configuration file ( /etc/apache2/apache2.conf ) or in your virtual host entry. Note that defining the same CustomLog directive in both files may cause problems.
Let’s look at the common formats used in Apache access logs and what they mean.
Common Log Format
The Common Log Format is the standardized access log format format used by many web servers because it is easy to read and understand. It is defined in the /etc/apache2/apache2.conf configuration file through the LogFormat directive.
When you run the command below: