Apache defines several log format templates.
In /etc/httpd/conf/httpd.conf:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
We can then choose which format a log file is written in. The default is combined; for example, the default access log is:
CustomLog logs/access_log combined
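Of course, you can change "combined" above to a format you define yourself.
We can also set the log format for an individual site, for example a virtual host (vh):
<VirtualHost *:80>
ServerName n.sfs.tw
...
CustomLog logs/z-access_log combined
</VirtualHost>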
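The /etc/httpd directory contains a symlink named logs by default (CentOS 6); it is line 5 of the listing below. A log file path given as logs/your_log_name therefore ends up in /var/log/httpd/. This is how it works: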
# ls -l /etc/httpd/
總計 8
drwxr-xr-x. 2 root root 4096 2016-11-04 01:22 conf
drwxr-xr-x. 2 root root 4096 2016-11-04 01:21 conf.d
lrwxrwxrwx. 1 root root 19 2016-09-25 22:57 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root 29 2016-09-25 22:57 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root 19 2016-09-25 22:57 run -> ../../var/run/httpd
COMBINED format
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
A record stored in this format looks like this:
59.126.205.242 - - [04/Jan/2009:23:30:57 +0800] "GET /main/images/login/login_05.png HTTP/1.1" 200 1355 "http://example.com/i1.php?fun=login_show" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 FirePHP/0.2.1"
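The fields are as follows:
1. 59.126.205.242 is the client IP.
2. The first '-' is %l; this page requires no authentication, so the logname is empty.
3. The second '-' is %u; this page requires no authentication, so the username is empty.
4. [04/Jan/2009:23:30:57 +0800] is the time.
5. "GET /main/images/login/login_05.png HTTP/1.1" is the client's request.
6. 200 is the status, logged by %>s, which takes the final status; the number 200 means OK.
7. 1355 is the length in bytes, excluding the HTTP headers.
8. "http://example.com/main/i1.php?fun=login_show" records the referer, that is, the page that led to this request. It can be used for traffic-source analysis.
9. "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 FirePHP/0.2.1" is the client's browser information.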
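The field breakdown above, as a parser (an added example, not part of the original page). The names parse_combined, COMBINED and SAMPLE are assumptions, the sample lines are constructed, and the handling of \" reflects how current Apache versions escape a literal quote inside the client-supplied request, Referer and User-Agent fields.

```python
import re
from datetime import datetime

# One quoted field. mod_log_config writes a literal " inside %r and
# %{...}i as \" so a naive split on '"' would mis-parse such lines.
QUOTED = r'"(?P<{}>(?:[^"\\]|\\.)*)"'

# Regex mirroring: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    + QUOTED.format("request")
    + r' (?P<status>\d{3}) (?P<bytes>\d+|-) '
    + QUOTED.format("referer") + " " + QUOTED.format("agent") + r'\s*$'
)

def parse_combined(line):
    """Return a dict for one combined-format line, or None if malformed."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %b logs '-' rather than 0 when no body bytes were sent.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split(" ")
    rec["method"], rec["path"], rec["protocol"] = (
        parts if len(parts) == 3 else (None, None, None))
    # %u "may be bogus" on a 401, so only trust it on other statuses.
    rec["user_trusted"] = rec["user"] != "-" and rec["status"] != 401
    return rec

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [04/Jan/2009:23:30:57 +0800] '
    '"GET /main/images/login/login_05.png HTTP/1.1" 200 1355 '
    '"http://example.com/i1.php?fun=login_show" "Mozilla/5.0 Firefox/3.0.5"',
    '192.0.2.11 - admin [04/Jan/2009:23:31:02 +0800] '
    '"GET /private/ HTTP/1.1" 401 - "-" "agent with \\"quotes\\" inside"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_combined(line))
```

The parser returns the quoted fields still escaped, so treat them as untrusted client input when displaying or storing them.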
Available parameters
%...a: Remote IP-address
%...A: Local IP-address
%...B: Bytes sent, excluding HTTP headers.
%...b: Bytes sent, excluding HTTP headers. In CLF format i.e. a '-' rather than a 0 when no bytes are sent.
%...c: Connection status when response was completed.
  'X' = connection aborted before the response completed.
  '+' = connection may be kept alive after the response is sent.
  '-' = connection will be closed after the response is sent.
%...{FOOBAR}e: The contents of the environment variable FOOBAR
%...f: Filename
%...h: Remote host
%...H The request protocol
%...{Foobar}i: The contents of Foobar: header line(s) in the request sent to the server.
%...l: Remote logname (from identd, if supplied)
%...m The request method
%...{Foobar}n: The contents of note "Foobar" from another module.
%...{Foobar}o: The contents of Foobar: header line(s) in the reply.
%...p: The canonical Port of the server serving the request
%...P: The process ID of the child that serviced the request.
%...q The query string (prepended with a ? if a query string exists, otherwise an empty string)
%...r: First line of request
%...s: Status. For requests that got internally redirected, this is the status of the *original* request --- %...>s for the last.
%...t: Time, in common log format time format (standard english format)
%...{format}t: The time, in the form given by format, which should be in strftime(3) format. (potentially localized)
%...T: The time taken to serve the request, in seconds.
%...u: Remote user (from auth; may be bogus if return status (%s) is 401)
%...U: The URL path requested, not including any query string.
%...v: The canonical ServerName of the server serving the request.
%...V: The server name according to the UseCanonicalName setting.
References
[1] http://httpd.apache.org/docs/1.3/mod/mod_log_config.html