httpd log files

DHenrique · 09-03-2013, 08:57 AM

I am trying to get a simple explaination of the difference in what is being logged in the access_log as opposed to the ssl_access_log and ssl_request_log. The server host several sites and VHosts several others. What I am trying to determine is where the administrators, web developers and or back end loggins are being recorded to get the IP of those accessing. I am not looking for web browsers who are visiting the sites hosted on the server, only logs of those accountable for the sites. The httpd log folder also containes suexec_log files and modsec_audit and debug logs. Any help would be appreciated. This is an Apache Red Hat server.

BobMCT · 09-03-2013, 12:16 PM

Hmmm,

I'm not aware of any before logging filtering ability, but if you know your developers' and maintainer's IP addresses (and you should) you can use grep and/or awk to extract those entries from the logs. Also, it is possible and my recommendation, if you host multiple sites, to have separate log files and/or directories for each site. That keeps your housekeeping somewhat sane.

Good luck -

DHenrique · 09-03-2013, 12:25 PM

Thanks for the reply, but I think my question was confusing. I know all logs can be configured in any way, but if I was to tell someone the ssl_access_log documents ____________ and the access_log documents ______________, what would I tell that person.

BobMCT · 09-03-2013, 01:00 PM

I've always used both and see the same types of entries (access & page requests) in both files. Only the non-ssl are found in the access.log (or whatever you've called it) and the ssl are found in the ssl_access.log (again, whatever you called it.

After studying the content logs for a while you will be come more familiar with what's placed in there. Also, there is a mechanism to more finely control what gets logged, either more or less. Don't forget, there are also error logs that tell a story as well.

Look through this page and page down to access.log contents
http://httpd.apache.org/docs/2.4/logs.html

Hope this helps somewhat.

danstoner · 09-04-2013, 07:36 AM

DHenrique - Without seeing into your actual conf lines that configure the logging on your server, we can only guess.

I am guessing that your access_log records web requests that came in on port 80 and ssl_access_log records requests that came in on port 443.

So, a request to http://yoursite would get logged to access_log, a request to https://yoursite would get logged to ssl_access_log. That's really the only difference... unless your config files specify different logging formats for one or the other.

Apache matches a web request to a particular vhost and if that vhost has an access log configured, the line will get logged there. If no log file is specified for a vhost, the log lines would go to the default log file (access_log).

On Red Hat flavors, start here and find out how those log files are specified.

/etc/httpd/conf/httpd.conf

- Dan Stoner