Apache Httpd (Ver 2.4)
Background
Apache HTTPD Log Analysis App is an Http server for Windows and Unix machines that automatically Collect - Read - Parse - Analyzes - Reports all machine generated log data of the server and presents a comprehensive automatic predefined set of Reports, Dashboards and Widgets. Once you Setup and configure the Apache HTTPD App, you will be redirected to the dashboards where yuo will have graphs about: errors occured, geographic data of users and requests, Browsers related analytics, Pages and hits analysis, resources and many statistics about your servers' performance. You later use XpoLog built in Analytics features to zero in on errors and take actions to improve your system's uptime. Apache HTTP server logs data can be viewed, filtered and searched via the main XpoLog console.
Steps
- Add Log Data In XpoLog, When adding a log to XpoLog you can now select the Log Type (logtype) for Apache Httpd the are the following logtypes:
- httpd
- w3c
- webserver
i. in addition select not only httpd but also the log type - access or error
- Once all required information is set click next and edit the log pattern, this step is crucial to the accuracy and deployment of the Apache Httpd App. Use the following conversion table to build the XpoLog pattern out of the access log format.
Example
In the Apache Httpd configuration file, usually httpd.conf by default, located under the conf/ directory (Linux "/etc/httpd/conf") search for the LogFormat directive:
LogFormat "%h %l %u %t \"%r\" %>s %b" common
In XpoLog such pattern will be translated into:
{text:RemoteHost,ftype=remoteip} {text:logname,ftype=remotelog} {text:Remote User,ftype=remoteuser} [{date:Date,locale=en;,dd/MMM/yyyy:HH:mm:ss z}] "{choice:Method,ftype=reqmethod;,GET;POST;HEAD} {url:URL,paramsFtype=querystring;ftype=requrl;paramsName=Query;,} {string:reqprotocol,ftype=reqprotocol;,}" {number:ResponseStatus,ftype=respstatus} {number:Bytes Sent,ftype=bytesent}{eoe}
for more information see below:
Apache Https Access Log Format Conversion Table
logtypes should be set to: httpd,w3c,webserver,access
Format String | Description | XpoLog Pattern | XpoLog ftype | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Remote IP-address | {geoip:Remote IP,ftype=remoteip} | remoteip | ||||||||||||
%{c}a | Underlying peer IP address and port of the connection | {geoip:Remote IP,ftype=remoteip} | remoteip | ||||||||||||
| Local IP-address | {geoip:LocalIP,ftype=localip} | localip | ||||||||||||
| Size of response in bytes, excluding HTTP headers. | {number:Bytes Sent,ftype=bytesent} | bytesent | ||||||||||||
| Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a ' | {number:Bytes Sent,ftype=bytesent} | bytesent | ||||||||||||
| The contents of cookie Foobar in the request sent to the server. Only version 0 cookies are fully supported. | {string:Cookie_< FOOBAR >} Replace < FOOBAR > with cookie name | |||||||||||||
| The time taken to serve the request, in microseconds. | {number:ResponseTimeMicroSecs,ftype=processrequestmicrosecs} | processrequestmilli | ||||||||||||
| The contents of the environment variable FOOBAR | {string:EnvVariable_< FOOBAR >} Replace < FOOBAR > with variable name | |||||||||||||
| Filename | {text:FileName} | |||||||||||||
| Remote host | {text:Remotehost,ftype=remoteip} | remoteip | ||||||||||||
| The request protocol | {text:RequestProtocol,ftype=reqprotocol} | reqprotocol | ||||||||||||
| The contents of Foobar affect this. If you're interested in what the request header was prior to when most modules would have modified it, use mod_setenvif to copy the header into an internal environment variable and log that value with the | {text:<FOOBAR>} https://en.wikipedia.org/wiki/List_of_HTTP_header_fields and so on it goes for the different headers. | |||||||||||||
| The referer which is associated with the request | {text:RefererQuery,ftype=refererquery;,}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+|/[^?]+)} | referer | ||||||||||||
| The User Agent which is associated with the request | {text:User-agent,ftype=useragent} | useragent | ||||||||||||
%{ X-Forwarded-For}i | Method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. | {text:X-Forwarded-For,ftype=forwardforip} | forwardforip | ||||||||||||
| Number of keepalive requests handled on this connection. Interesting if KeepAlive is being used, so that, for example, a '1' means the first keepalive request after the initial one, '2' the second, etc...; otherwise this is always 0 (indicating the initial request). Available in versions 2.2.11 and later. | {number:KeepAlive} | |||||||||||||
| Remote logname (from identd, if supplied). This will return a dash unless mod_ident is present and IdentityCheck is set | {text:logname,ftype=remotelog} | remotelog | ||||||||||||
| The request method | {choice:Method,ftype=reqmethod;,GET;POST;HEAD} | reqmethod | ||||||||||||
| The contents of note Foobar from another module. | {string:<FOOBAR>} | |||||||||||||
| The contents of Foobar | {string:<FOOBAR>} | |||||||||||||
| The canonical port of the server serving the request | {number:ServerPort,ftype=serverport} | serverport | ||||||||||||
| The canonical port of the server serving the request or the server's actual port or the client's actual port. Valid formats are
| {number:ServerPort,ftype=serverport} {number:LocalServerPort,ftype=localserverport} {number:RemotePort,ftype=remoteport} | serverport localserverportt remoteport | ||||||||||||
| The process ID of the child that serviced the request. | {text:ProcessID,ftype=processid} | processid | ||||||||||||
| The process ID or thread id of the child that serviced the request. Valid formats are | {text:ProcessID,ftype=processid} Valid formats are | processid | ||||||||||||
%{pid}P | {text:ProcessID,ftype=processid} | processid | |||||||||||||
%{tid}P | {text:ThreadID,ftype=threadid} | threadid | |||||||||||||
%{hextid}P | {text:HexThreadID,ftype=hexthreadid} | hexthreadid | |||||||||||||
| First line of request |
| reqmethod requrl querystring reqprotocol | ||||||||||||
| The handler generating the response (if any). | {text:ResponseHandler} | |||||||||||||
| Status. For requests that got internally redirected, this is the status of the *original* request --- | {number:ResponseStatus,ftype=respstatus} . For requests that got internally redirected, this is the status of the *original* request --- %>s for the last. | respstatus | ||||||||||||
| Time the request was received (standard english format) | {date:Date,locale=en,dd/MMM/yyyy:HH:mm:ss z} | |||||||||||||
%{ format}t | The time, in the form given by format, which should be in an extended the time is taken at the beginning of the request processing. If it starts with processing. In addition to the formats supported by
These tokens can not be combined with each other or The extended | {date:Date,locale=en,dd/MMM/yyyy:HH:mm:ss z} sec number of seconds since the Epoch | |||||||||||||
| The time taken to serve the request, in seconds. | {number:ResponseTimeSecs,ftype=processrequestsecs} | processrequestsecs | ||||||||||||
| The time taken to serve the request, in a time unit given by same result as |
| processrequestmilli processrequestmicrosecs processrequestsecs | ||||||||||||
| Remote user (from auth; may be bogus if return status ( | {string:Remote User,ftype=remoteuser;,} Remote user (from auth; may be bogus if return status ( | remoteuser | ||||||||||||
| The URL path requested, not including any query string. | {text:RequestURL,ftype=requrl} | requrl | ||||||||||||
| The canonical ServerName of the server serving the request. | {text:ServerName,ftype=servername} | servername | ||||||||||||
| The server name according to the UseCanonicalName setting. | {text:ServerName,ftype=servername} The server name according to the UseCanonicalName setting. | servername | ||||||||||||
| Connection status when response is completed:
(This directive was | {text:ConnectionStatus} Connection status when response is completed:
(This directive was | |||||||||||||
| Bytes received, including request and headers, cannot be zero. You need to enable mod_logio to use this. | {number:TotalBytesWHeadersReceived,ftype=reqbyteswheaders} (with headers) | reqbyteswheaders | ||||||||||||
| Bytes sent, including headers, cannot be zero. You need to enable mod_logio to use this. | {number:TotalBytesWHeadersSent,ftype=respbyteswheaders} (with headers – can help compute header size) | respbyteswheaders | ||||||||||||
| The contents of VARNAME | {text:Req_<VARNAME>} The content of VARNAME: trailer line(s) in the request sent to the server. | |||||||||||||
| The contents of VARNAME | {text:Resp_<VARNAME>} The contents of VARNAME | |||||||||||||
| The contents of FOOBAR | {text:Req_<FOOBAR>} The content of FOOBAR: trailer line(s) in the request sent to the server. | |||||||||||||
| The contents of FOOBAR | {text:Resp_<FOOBAR>} The contents of FOOBAR |
Error Log
In the Apache Httpd configuration file, usually httpd.conf by default, located under the conf/ directory (Linux "/etc/httpd/conf") search for the LogFormat directive:
ErrorLogFormat "[%{u}t] [%m:%l] [pid %P:tid %T] %F: %E: %M"
In XpoLog such pattern will be translated into:
[{date:Date,locale=en,EEE MMM dd HH:mm:ss.SSSSSS yyyy}] [{text:Module}:{priority:Level,ftype=status;,}] [pid {text:ProcessID,ftype=processid;,}:tid {text:ThreadId,ftype=threadid;,}]{text:ErrorCode,ftype=errorcode;,}:{block,start,emptiness=true} {text:SourceFileName}:{block,end,emptiness=true} {string:Message,ftype=Message;,}
for more information see below:
Apache Https Error Log Format Conversion Table
logtypes should be set to: httpd,w3c,webserver,error
Format String | Description | XpoLog Pattern | XpoLog ftype |
%a | Client IP address | {geoip:Remote IP,ftype=remoteip} | remoteip |
%{c}a | Underlying peer IP address and port of the connection (see the mod_remoteip module) | {geoip:Remote IP,ftype=remoteip}{block,start,emptiness=true}:{number:Port,ftype=remoteport}{block,end,emptiness=true} | remoteip remoteport |
| Local IP-address | {ip:LocalIP,ftype=localip} | localip |
%{name}e | Request environment variable name | {string:EnvVariable_name} | |
%E | APR/OS error status code and string | {number:Error Status Code,ftype=errcode} | errcode |
%F | Source file name and line number of the log call | {text:FileName} | |
%{Referer}i | Referer of the call | {text:RefererQuery,ftype=refererquery}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\\w-]+://[^?]+|/[^?]+)} | referer |
%{User-Agent}i | User-Agent of the call. | {text:User-agent,ftype=useragent} | useragent |
%k | Number of keep-alive requests on this connection | {number:KeepAlive} | |
%l | The level of the message | {priority:Level,emerg;alert;crit;error;warn;notice;info;debug;trace1;trace2;trace3;trace4;trace5;trace6;trace7;trace8;ftype=level} | level |
%L | Log ID of the request | {text:LogId,ftype=logid} | logid |
%{c}L | Log ID of the connection | {text:LogId,ftype=logid} | logid |
%{C}L | Log ID of the connection if used in connection scope, empty otherwise | {text:LogId,ftype=logid} | logid |
%m | Name of the module logging the message | {text:Module,ftype=module} | module |
%M | The actual error message | {string:Message,ftype=Message} | Message |
%{name}n | Request note name | {Text:NOTE name} | |
%P | Process ID of current process | {text:ProcessID,ftype=processid} | processid |
%T | Thread ID of current thread | {number:ThreadID,ftype=thread} | thread |
%{g}T | System unique thread ID of current thread (the same ID as displayed by e.g. top ; currently Linux only) | {number:System Thread ID,ftype=systemthread} | systemthread |
%t | Date | {date:Date,locale=en,EEE MMM dd HH:mm:ss yyyy} | |
%{u}t | The current time including micro-seconds | {date:Date,locale=en,EEE MMM dd HH:mm:ss.SSSSSS yyyy} | |
%{cu}t | The current time in compact ISO 8601 format, including micro-seconds | {date:Date,locale=en,EEE MMM dd HH:mm:ss.SSSSSS yyyy} | |
%v | The canonical ServerName of the current server. | {text:ServerName,ftype=servername} | servername |
%V | The server name of the server serving the request according to the UseCanonicalName setting. | {text:ServerName,ftype=servername} The server name according to the UseCanonicalName setting. | servername |