|
|
|
|
 |
|
Web logs
|
|
Combined / Common Log Format (CLF) explained (briefly)
|
I started looking at my Web logs..... (some of which I downloaded in text format for safe
keeping) waiting for all these people to come flocking to my site and..... nothing happened.....
I kept looking anyway and did not understand the codes I kept seeing there so I found
this old w3.org rfc2616 tome. I
tried to summarise this, the results follow.
The output is known as the "Combined Log Format" and is
much the same as the "Common Log Format" (CLF)
but contains a couple of extra fields (the last two).
Normal browser request
The following string is one line from my Web log file.
This line theoretically results when I click on a link to the page called "xyz.php"
from the home page.
What do the bits of the following string mean?
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
(The wrapping of line above reminds me... if you are using Notepad or the like to
view your log files, you may prefer to switch off the Word Wrap.)
|
%h Host |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
IP Address of the client (the machine) that made the request. |
|
|
|
|
|
|
%1 RFC 1413 identity |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
For the purposes of this discussion not applicable. |
%u User |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
The REMOTE_USER who made the request (if the document is password protected). |
%t Time |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
The time that the server finished processing this particular part of the request. |
%r Request |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
What is being asked for and how. Which is further broken down into: |
%m Method |
" GET /xyz.php" |
The method used to request the resource. |
%U Path |
"GET /xyz.php " |
The resource (the thing being requested by the client).
Note that you may also see a protocol here in your logs. |
|
%>s Status |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
Status code as found in either these
brief descriptions or
the full RFC 2616 Section 10 documentation. |
%b Size |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
The size of the object returned to the client. |
%{referer} |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
Hmmmm, depends. Experience will tell you what's in this and when. This often tells you how visitor got here. If someone has a link to this page from their site, this will show you where the link is. |
%{user-agent} |
123.456.789.987 - - [29/Oct/2003:21:45:12 +1100]
"GET /xyz.php"
200 21162 "http://www.bpresent.net.au"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" |
What the client tells the server it is - and sometimes they don't tell the truth! |
| |
For a more detailed explanation (much more detailed!) refer to Apache HTTP Server, Log Files. |
| |
|
[Content of this page last reviewed: 21-Jul-2005] |
|
|
|
|