Apache logs 2023
<blockquote data-quote="Cupper" data-source="post: 571" data-attributes="member: 22"><p>That is, from a practical point of view, the <strong>Access Log</strong> is the same as <strong>mod_log_config</strong>, since it is this module that provides the Access Log functionality. Additionally, the Access Log uses the <strong>mod_logio</strong> and <strong>mod_setenvif</strong> modules to extend functionality. For example, the mod_logio module allows you to log the exact size of transmitted and/or received data during user request and response.</p><p></p><p>Since they are one and the same, the directives for Access Log and mod_log_config are the same. Further information in this section pertains to the Access Log and mod_log_config.</p><p></p><p><img src="https://sun9-78.userapi.com/impf/c856024/v856024446/c7f0b/uS5K8Wvl0bw.jpg?size=807x569&quality=96&sign=f7fdde7ac48af6a6332054ace44559cf&type=album" alt="uS5K8Wvl0bw.jpg" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p></p><p><strong>How to customize the format of Apache access logs. Custom log formats</strong></p><p>The format argument for the <strong>LogFormat</strong> and <strong>CustomLog</strong> directives is a string. Based on this line, a log file will be generated for each request. This line can contain literal characters to be copied to the log files as they are, and the C-style control characters "\n" and "\t" to write new-line and tab characters. Literal quotes and backslashes must be escaped with a backslash (<strong>\</strong>).</p><p></p><p>The various characteristics of a query are denoted by lines that begin with a "<strong>%</strong>" character. 
In the log file, these lines will be replaced with the following values:</p><p></p><p><strong>%%</strong> - A literal percent sign.</p><p></p><p><strong>%a</strong> - Client IP address of the request (see also the mod_remoteip module).</p><p></p><p><strong>%{c}a</strong> - The underlying IP address of the connection (see mod_remoteip).</p><p></p><p><strong>%A</strong> - Local IP address.</p><p></p><p><strong>%B</strong> - The size of the response in bytes, excluding HTTP headers.</p><p></p><p><strong>%b</strong> - The size of the response in bytes, excluding HTTP headers. In CLF format, that is, when bytes are not sent, it will be '-', not 0.</p><p></p><p><strong>%{VARNAME}C</strong> - Content of the VARNAME cookie in the request sent to the server. Only version 0 cookies are fully supported.</p><p></p><p><strong>%D</strong> - Time taken to process the request, in microseconds. See <strong>%T</strong> for more details.</p><p></p><p><strong>%{VARNAME}e</strong> - Content of the VARNAME environment variable.</p><p></p><p><strong>%f</strong> - File name.</p><p></p><p><strong>%h</strong> - The name of the remote host. Will record the IP address if HostnameLookups is set to <strong>Off</strong>, which is the default. If you are only registering a hostname for a few hosts, you may have access control directives that refer to them by name. See the Require host documentation. This format is affected by modifications to the remote hostname by modules such as mod_remoteip.</p><p></p><p><strong>%{c}h</strong> - Like <strong>%h</strong>, but always reports the hostname of the underlying TCP connection, not any modifications to the remote hostname by modules such as mod_remoteip.</p><p></p><p><strong>%H</strong> - Request protocol.</p><p></p><p><strong>%{VARNAME}i</strong> - Content of the VARNAME: header line(s) in the request sent to the server. Changes made by other modules (like mod_headers) affect this. 
If you are wondering what the request header was before most modules would change it, use mod_setenvif to copy the header into an internal environment variable and log the value of <strong>%{VARNAME}e</strong> above. Examples of such variables: <strong>%{Referer}i</strong> (referrer), <strong>%{User-agent}i</strong> (user agent, browser).</p><p></p><p><strong>%k</strong> - The number of keepalive requests processed for this connection. Interesting if KeepAlive is being used, so that, for example, "1" means the first keepalive request after the original, "2" means the second, and so on; otherwise, it is always 0 (indicating the initial request).</p><p></p><p><strong>%l</strong> - The name of the remote log (from identd, if any). This will return a dash if mod_ident is not present and IdentityCheck is not set to <strong>On</strong>.</p><p></p><p><strong>%L</strong> - The ID of the query log from the error log (or "-" if nothing was logged in the error log for this query). Search for the corresponding error log line to see which query caused which error.</p><p></p><p><strong>%{c}L</strong> - Connection log identifier from the error log (or "-" if nothing is written to the error log for this request). Search for the corresponding error log line to see which query caused which error.</p><p></p><p><strong>%m</strong> - Request method.</p><p></p><p><strong>%{VARNAME}n</strong> - Content of the VARNAME from another module.</p><p></p><p><strong>%{VARNAME}o</strong> - Content of the VARNAME: header lines in the response.</p><p></p><p><strong>%p</strong> - The canonical port of the server serving the request.</p><p></p><p><strong>%{format}p</strong> - The canonical port of the server serving the request, or the actual port of the server, or the actual port of the client. 
Valid formats are <strong>canonical</strong>, <strong>local</strong>, or <strong>remote</strong>.</p><p></p><p><strong>%P</strong> - The ID of the child process that served the request.</p><p></p><p><strong>%{format}P</strong> - Process ID or child thread ID that serviced the request. Valid formats are <strong>pid</strong>, <strong>tid</strong>, and <strong>hextid</strong>. hextid requires APR 1.2.0 or higher.</p><p></p><p><strong>%q</strong> - Query string (prefixed with <strong>?</strong> if a query string exists, otherwise an empty string).</p><p></p><p><strong>%r</strong> - First line of the query.</p><p></p><p><strong>%R</strong> - The handler that generates the response (if any).</p><p></p><p><strong>%s</strong> - Status. For requests that were internally redirected, this is the status of the original request. Use <strong>%&gt;s</strong> for the final status.</p><p></p><p><strong>%t</strong> - Time when the request was received, in the format [18/Sep/2011:19:18:28 -0400]. The last number indicates the time zone offset from GMT.</p><p></p><p><strong>%{format}t</strong> - Time in the form specified by the format, which should be in extended strftime(3) format (possibly localized). If the format starts with begin: (default), the time is taken at the beginning of request processing. If it starts with end:, this is the logging time, near the end of the request processing. In addition to the formats supported by strftime(3), the following format markers are supported:</p><p><strong>sec</strong> number of seconds since the Epoch</p><p><strong>msec</strong> number of milliseconds since the Epoch</p><p><strong>usec</strong> number of microseconds since the Epoch</p><p><strong>msec_frac</strong> fractions of milliseconds</p><p><strong>usec_frac</strong> fractions of microseconds</p><p>These tokens cannot be combined with each other or with strftime(3) formatting in the same format string. 
You can use multiple <strong>%{format}t</strong> tokens instead.</p><p></p><p>Example: <strong>%{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t</strong></p><p></p><p><strong>%T</strong> - Time taken to service the request, in seconds. The measured time starts when the HTTP server reads the first line of the HTTP request from the host operating system and ends when the last byte of the response is written by the HTTP server to the host operating system.</p><p></p><p>Measured time does not include any of the following:</p><ul> <li data-xf-list-type="ul">Time spent on TCP or TLS handshakes.</li> <li data-xf-list-type="ul">Time before the web server thread can read the first line of the request.</li> <li data-xf-list-type="ul">Delays in the issuance of response data by the operating system to the network.</li> <li data-xf-list-type="ul">The time it takes to receive a response at the client's host.</li> <li data-xf-list-type="ul">The time taken by the user agent to read and process the response.</li> </ul><p><strong>%{UNIT}T</strong> - Time spent serving the request, in units of time specified by UNIT. Valid units are <strong>ms</strong> for milliseconds, <strong>us</strong> for microseconds, and <strong>s</strong> for seconds. Using s gives the same result as <strong>%T</strong> without any format; using us gives the same result as <strong>%D</strong>. Combining <strong>%T</strong> with a unit is available in 2.4.13 and later.</p><p></p><p><strong>%u</strong> - Remote user if the request was authenticated. 
May be bogus if the return status (<strong>%s</strong>) is 401 (not authorized).</p><p></p><p><strong>%U</strong> - The requested URL path, not including the query string.</p><p></p><p><strong>%v</strong> - The canonical ServerName of the server serving the request.</p><p></p><p><strong>%V</strong> - Server name according to the UseCanonicalName setting.</p><p></p><p><strong>%X</strong> - The state of the connection when the response is complete:</p><p></p><p>X = The connection was terminated before the answer was completed.</p><p></p><p>+ = The connection can remain active after sending a response.</p><p></p><p>- = The connection will be closed after sending the response.</p><p><strong>%I</strong> - Bytes received, including request and headers. Cannot be zero. You must enable <a href="https://vk.com/away.php?to=http%3A%2F%2Fhttpd.apache.org%2Fdocs%2Ftrunk%2Fmod%2Fmod_logio.html&cc_key=" target="_blank">mod_logio</a> to use this.</p><p></p><p><strong>%O</strong> - Bytes sent, including headers. It can be zero in rare cases, for example, when the request is interrupted before sending a response. You must enable mod_logio to use this.</p><p></p><p><strong>%S</strong> - Transmitted (received and sent) bytes, including request and headers; cannot be zero. It is a combination of %I and %O. You must enable mod_logio to use this.</p><p></p><p><strong>%{VARNAME}^ti</strong> - Content of VARNAME: trailer strings in the request sent to the server.</p><p></p><p><strong>%{VARNAME}^to</strong> - Content of VARNAME: trailer strings in the request sent from the server.</p><p></p><p><strong>Modifiers</strong></p><p>Individual items can be restricted to print only for responses with specific HTTP status codes by placing a comma-separated list of status codes immediately after the "<strong>%</strong>". 
The status code list may be preceded by "<strong>!</strong>" to indicate negation.</p><p></p><p>The "<strong>&lt;</strong>" and "<strong>&gt;</strong>" modifiers are used to choose whether to write the original or final query. This can be used for requests that have been redirected internally. By default, the <strong>%s</strong>, <strong>%U</strong>, <strong>%T</strong>, <strong>%D</strong>, and <strong>%r</strong> directives look at the original request and all others look at the final request. So, for example, <strong>%&gt;s</strong> can be used to record the final state of a request, and <strong>%&lt;u</strong> can be used to record the original authenticated user on a request internally redirected to an unauthenticated resource.</p></blockquote><p></p>
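For anyone who has to read these logs back during an investigation, here is an added example (not part of the quoted post and not Apache's own code) that compiles a LogFormat string into a regular expression and parses lines written with it. The function names and the log lines are constructed for illustration; the format string is Apache's standard "combined" format, and the parser relies on Apache escaping quotes inside logged values as `\"`.

```python
import re

# '%', then any mix of status-code list / '!' / '<' / '>', an optional {ARG},
# then the directive letter (or ^ti / ^to). '%%' is a literal percent sign.
TOKEN = re.compile(r'%(?:(%)|([!<>,\d]*)(?:\{([^}]*)\})?(\^t[io]|[A-Za-z]))')
QUOTED = r'((?:[^"\\]|\\.)*)'   # value inside "...", tolerating \" and \\ escapes
BARE = r'(\S+)'                 # unquoted value; "-" when nothing was logged
TIME = r'\[([^\]]+)\]'          # default %t, e.g. [18/Sep/2011:19:18:28 -0400]


def compile_logformat(fmt):
    """Compile a LogFormat string, as written in httpd.conf, into (regex, names)."""
    # Undo config-file escaping: \" -> ", \\ -> \, \n and \t -> control characters.
    fmt = re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), fmt)
    parts, names, pos = [], [], 0
    for m in TOKEN.finditer(fmt):
        literal = fmt[pos:m.start()]
        parts.append(re.escape(literal))
        pos = m.end()
        if m.group(1):                      # %% -> literal percent sign
            parts.append('%')
            continue
        prefix, arg, letter = m.group(2), m.group(3), m.group(4)
        which = '>' if '>' in prefix else '<' if '<' in prefix else ''
        names.append(which + ('{%s}' % arg if arg is not None else '') + letter)
        if letter == 't' and arg is None:
            parts.append(TIME)
        elif literal.endswith('"'):         # directive wrapped in quotes in the format
            parts.append(QUOTED)
        else:                               # note: %{format}t with spaces is not handled
            parts.append(BARE)
    parts.append(re.escape(fmt[pos:]))
    return re.compile(''.join(parts)), names


def parse_line(regex, names, line):
    """Return a dict of fields, or None if the line does not fit the format."""
    m = regex.fullmatch(line.rstrip('\r\n'))
    if m is None:
        return None
    rec = dict(zip(names, m.groups()))
    for key in ('s', '>s', '<s', 'B', 'b', 'I', 'O', 'S'):
        if key in rec:
            # %b writes '-' instead of 0 when no body bytes were sent (CLF).
            rec[key] = 0 if rec[key] == '-' else int(rec[key])
    return rec


COMBINED = r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"'
SAMPLE = [  # constructed log lines, not taken from a real server
    r'203.0.113.7 - - [18/Sep/2011:19:18:28 -0400] "GET /index.html?x=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    r'203.0.113.7 - alice [18/Sep/2011:19:18:30 -0400] "GET /a\"b HTTP/1.1" 304 - "http://example.test/" "curl/8.0 \"x\""',
    'not an access log line',
]


def parse_sample():
    regex, names = compile_logformat(COMBINED)
    return [parse_line(regex, names, line) for line in SAMPLE]


if __name__ == '__main__':
    for rec in parse_sample():
        print(rec)
```

Lines that return `None` do not fit the configured format and are worth reviewing separately rather than silently dropping.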