APACHE的記錄檔格式 LogFormat 語法

URL Link //n.sfs.tw/10147

2016-11-04 01:24:46 By 張○○

在APACHE中有定義一些記錄的語法模版

在 /etc/httpd/conf/httpd.conf 中:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

然後我們可以定義要寫入的記錄檔格式,預設是combined,例如預設的存取記錄為:

CustomLog logs/access_log combined

當然你可以把上面的"combined'" 改為你自訂的格式

我們也可以指定自己的網站記錄的格式,例如一個vh:

<VirtualHost *:80>
    ServerName n.sfs.tw
    ...
    CustomLog logs/z-access_log combined
</VirtualHost>

由於在 /etc/httpd 目錄中預設有一個logs的連結 (centos6)

下面的第5行,所以記錄檔路徑可指定 logs/your_log_name 就丟到 /var/log/httpd/之中,原理是這樣的

# ls -l /etc/httpd/
總計 8
drwxr-xr-x. 2 root root 4096 2016-11-04 01:22 conf
drwxr-xr-x. 2 root root 4096 2016-11-04 01:21 conf.d
lrwxrwxrwx. 1 root root   19 2016-09-25 22:57 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root   29 2016-09-25 22:57 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root   19 2016-09-25 22:57 run -> ../../var/run/httpd

COMBINED 格式

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

他存起來的記錄長得像這樣:

59.126.205.242 - - [04/Jan/2009:23:30:57 +0800] "GET /main/images/login/login_05.png HTTP/1.1" 200 1355 "http://exmaple.com/i1.php?fun=login_show" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 FirePHP/0.2.1"

說明如下:
1. 59.126.205.242 是客戶端IP
2. 第一個 '-' 是 %l 因為此網頁不必認證,所以logname 為空
3. 第二個 '-' 是 %u 因為此網頁不必認證,所以username 為空
4. [04/Jan/2009:23:30:57 +0800] 是時間
5. "GET /main/images/login/login_05.png HTTP/1.1" 為客戶端的 request
6. 200  %s 是狀態,%s 是取得最後的狀態,數字200代表 OK
7. 1355 排除掉 HTTP的headers後的長度(Bytes)
8. "http://example.com/main/i1.php?fun=login_show" 記錄 referer。也就是導到此request的頁面的呼叫者,這裡可以當來源分析。
9. "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 FirePHP/0.2.1" 是客戶端的瀏覽器狀態。

可使用的參數說明

%...a:          Remote IP-address
%...A:          Local IP-address
%...B:          Bytes sent, excluding HTTP headers.
%...b:          Bytes sent, excluding HTTP headers. In CLF format
        i.e. a '-' rather than a 0 when no bytes are sent.
%...c:          Connection status when response was completed.
                'X' = connection aborted before the response completed.
                '+' = connection may be kept alive after the response is sent.
                '-' = connection will be closed after the response is sent.
%...{FOOBAR}e:  The contents of the environment variable FOOBAR
%...f:          Filename
%...h:          Remote host
%...H       The request protocol
%...{Foobar}i:  The contents of Foobar: header line(s) in the request
                sent to the server.
%...l:          Remote logname (from identd, if supplied)
%...m       The request method
%...{Foobar}n:  The contents of note "Foobar" from another module.
%...{Foobar}o:  The contents of Foobar: header line(s) in the reply.
%...p:          The canonical Port of the server serving the request
%...P:          The process ID of the child that serviced the request.
%...q       The query string (prepended with a ? if a query string exists,
        otherwise an empty string)
%...r:          First line of request
%...s:          Status.  For requests that got internally redirected, this is
                the status of the *original* request --- %...>s for the last.
%...t:          Time, in common log format time format (standard english format)
%...{format}t:  The time, in the form given by format, which should
                be in strftime(3) format. (potentially localized)
%...T:          The time taken to serve the request, in seconds.
%...u:          Remote user (from auth; may be bogus if return status (%s) is 401)
%...U:          The URL path requested, not including any query string.
%...v:          The canonical ServerName of the server serving the request.
%...V:          The server name according to the UseCanonicalName setting.

參考資料

[1] http://httpd.apache.org/docs/1.3/mod/mod_log_config.html