Log Files

Web server logs all traffic to a log file. There are various formats and this page will help you understand the log formats that are used. The most popular logging formats are the NCSA (Common or Combined) used mostly by Apache and the W3C standard used by IIS. These formats will be explain in more detail below.

APACHE LOG FILES

One of the many pieces of the Website puzzle is Web logs. Traffic analysis is central to most Websites, and the key to getting the most out of your traffic analysis revolves around how you configure your Web logs. Apache is one of the most, if not the most powerful open source solutions for Website operations. You will find that Apache’s Web logging features are flexible for the single Website or for managing numerous domains requiring Web log analysis. For the single site, Apache is pretty much configured for logging in the default install. The initial httpd.conf file (found in /etc/httpd/conf/httpd.conf in most cases) should have a section on logs that looks similar to this (Apache 2.0.x), with descriptive comments for each item. Your default logs folder will be found in /etc/httpd/logs . This location can be changed when dealing with multiple Websites, as we’ll see later. For now, let’s review this section of log configuration.

ErrorLog logs/error_log 

LogLevel warn 

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined 
LogFormat "%h %l %u %t "%r" %>s %b" common 
LogFormat "%{Referer}i -> %U" referer 
LogFormat "%{User-agent}i" agent 

CustomLog logs/access_log combined

Error Logs

The error log contains messages sent from Apache for errors encountered during the course of operation. This log is very useful for troubleshooting Apache issues on the server side. Apache Log Tip: If you are monitoring errors or testing your server, you can use the command line to interactively watch log entries. Open a shell session and type “tail ?f /path/to/error_log” . This will show you the last few entries in the file and also continue to show new entries as they occur. There are no real customization options available, other than telling Apache where to establish the file, and what level of error logging you seek to capture. First, let’s look at the error log configuration code from httpd.conf.

ErrorLog logs/error_log

You may wish to store all error-related information in one error log. If so, the above is fine, even for multiple domains. However, you can specify an error log file for each individual domain you have. This is done in the container with an entry like this:

<VirtualHost 10.0.0.2> 
DocumentRoot "/home/sites/domain1/html/" 
ServerName domain1.com 
ErrorLog /home/sites/domain1/logs/error.log 
</VirtualHost>

If you are responsible for reviewing error log files as a server administrator, it is recommended that you maintain a single error log. If you’re hosting for clients, and they are responsible for monitoring the error logs, it’s more convenient to specify individual error logs they can access at their own convenience.

Apache’s definitions for their error log levels are as follows:

Level Description
Emerg Emergencies – system is unusable
Alert Action must be taken immediately
Crit Critical Conditions
Error Error conditions
Warn Warning Conditions
Notice Normal but significant condition
Info Information
Debug Debug-level messages

Tracking Website Activity – Access Logs

Often by default, Apache will generate a log file called access. This tracks the accesses to your Website, the browsers being used to access the site and referring urls that your site visitors have arrived from. It is commonplace now to utilize Apache’s “combined” log format, which compiles all three of these logs into one logfile. This is very convenient when using traffic analysis software as a majority of these third-party programs are easiest to configure and schedule when only dealing with one log file per domain. Let’s break down the code in the combined log format and see what it all means.

LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined

LogFormat starts the line and simply tells Apache you are defining a log file type (or nickname), in this case, combined. Now let’s look at the cryptic symbols that make up this log file definition.

Symbol Description
%h IP Address of client (remote host)
%l Identd of client (normally unavailable)
%u User id of user requesting object
%t Time of request
%r Full request string
%>s Status code
%b Size of request (excluding headers)
%{Referer}i The previous webpage
%{User-agent}i The Client’s browser

To review all of the available configuration codes for generating a custom log, see Apache’s docs on the module_log_config , which powers log files in Apache.
Apache Log Tip: You could capture more from the HTTP header if you so desired. A full listing and definition of data in the header is found at the World Wide Web Consortium. http Logs Viewer supports a number of log formats and directives and these can be found here.
For a single Website, the default entry would suffice:

CustomLog logs/access_log combined

However, for logging multiple sites, you have a few options. The most common is to identify individual log files for each domain. This is seen in the example below, again using the log directive within the container for each domain.

<VirtualHost 10.0.0.2> 
DocumentRoot "/home/sites/domain1/html/" 
ServerName domain1.com 
ErrorLog /home/sites/domain1/logs/error.log 
CustomLog /home/sites/domain1/logs/web.log 
</VirtualHost 

<VirtualHost 10.0.0.3>
DocumentRoot "/home/sites/domain2/html/" 
ServerName domain2.com 
ErrorLog /home/sites/domain2/logs/error.log 
CustomLog /home/sites/domain2/logs/web.log 
</VirtualHost> 

<VirtualHost 10.0.0.4> 
DocumentRoot "/home/sites/domain3/html/" 
ServerName domain3.com 
ErrorLog /home/sites/domain3/logs/error.log 
CustomLog /home/sites/domain3/logs/web.log 
</VirtualHost> 

In the above example, we have three domains with three unique Web logs (using the combined format we defined earlier). A traffic analysis package could then be scheduled to process these logs and generate reports for each domain independently.

IIS LOG FILES

IIS uses different formats to create log files. The most common two are NCSA and W3C standard.

NCSA

This format is identical to the Apache Common log format. You can treat such a log file similar to how you would treat an apache log file.

W3C

The field definitions of the W3C logging format are shown below. Some Fields start with a prefix which explain which host (client/server/proxy) the field refers to.

Prefix Description
c Client
s Server
r Remote
cs Client to Server.
sc Server to Client.
sr Server to Remote Server (used by proxies)
rs Remote Server to Server (used by proxies)
Field Defenition Description
date Date at which transaction completed
time Time at which transaction completed
time-taken Time taken for transaction to complete in seconds
bytes bytes transferred
cached Records whether a cache hit occurred
ip IP address and port
dns DNS name
status Status code
comment Comment returned with status code
method Method
uri URI
uri-stem Stem portion alone of URI (omitting query)
uri-query Query portion alone of URI

A sample W3C log file is shown below:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-12-30 13:45:03 192.168.88.2 GET /default.aspx - 80 - 192.168.1.5 Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US;+rv:1.9.1.6)+Gecko/20091201+Firefox/3.5.6+GTB6 200 0 0 3057