Apache/NCSA Custom Log Format:
The format argument to the LogFormat and CustomLog directives is a string. This string is used to log each request to the log file. It can contain literal characters copied into the log files and the C-style control characters "\n" and "\t" to represent new-lines and tabs. Literal quotes and back-slashes should be escaped with back-slashes.
The characteristics of the request itself are logged by placing "%" directives in the format string, which are replaced in the log entry by the values as follows:
| Format String |
Description |
| %% |
The percent sign |
| %a |
Remote IP-address |
| %A |
Local IP-address |
| %B |
Size of response in bytes, excluding HTTP headers. |
| %b |
Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a '-' rather than a 0 when no bytes are sent. |
| %{Foobar}C |
The contents of cookie Foobar in the request sent to the server. |
| %D |
The time taken to serve the request, in microseconds. |
| %{FOOBAR}e |
The contents of the environment variable FOOBAR |
| %f |
Filename |
| %h |
Remote host |
| %H |
The request protocol |
| %{Foobar}i |
The contents of Foobar: header line(s) in the request sent to the server. |
| %l |
Remote logname (from identd, if supplied). This will return a dash unless mod_ident is present and IdentityCheck is set On. |
| %m |
The request method |
| %{Foobar}n |
The contents of note Foobar from another module. |
| %{Foobar}o |
The contents of Foobar: header line(s) in the reply. |
| %p |
The canonical port of the server serving the request |
| %P |
The process ID of the child that serviced the request. |
| %{format}P |
The process ID or thread id of the child that serviced the request. Valid formats are pid, tid, and hextid. hextid requires APR 1.2.0 or higher. |
| %q |
The query string (prepended with a ? if a query string exists, otherwise an empty string) |
| %r |
First line of request |
| %s |
Status. For requests that got internally redirected, this is the status of the *original* request --- %>s for the last. |
| %t |
Time the request was received (standard english format) |
| %{format}t |
The time, in the form given by format, which should be in strftime(3) format. (potentially localized) |
| %T |
The time taken to serve the request, in seconds. |
| %u |
Remote user (from auth; may be bogus if return status (%s) is 401) |
| %U |
The URL path requested, not including any query string. |
| %v |
The canonical ServerName of the server serving the request. |
| %V |
The server name according to the UseCanonicalName setting. |
| %X |
Connection status when response is completed:
| X = |
connection aborted before the response completed. |
| + = |
connection may be kept alive after the response is sent. |
| - = |
connection will be closed after the response is sent. |
(This directive was %c in late versions of Apache 1.3, but this conflicted with the historical ssl %{var}c syntax.) |
| %I |
Bytes received, including request and headers, cannot be zero. You need to enable mod_logio to use this. |
|
The "..." can be nothing at all (e.g., "%h %u %r %s %b"), or it can indicate conditions for inclusion of the item (which will cause it to be replaced with "-" if the condition is not met). The forms of condition are a list of HTTP status codes, which may or may not be preceded by "!". Thus, "%400,501{User-agent}i" logs User-agent: on 400 errors and 501 errors (Bad Request, Not Implemented) only; "%!200,304,302{Referer}i" logs Referer: on all requests which did not return some sort of normal status.
Note that in versions previous to 1.3.25 no escaping was performed on the strings from %...r, %...i and %...o. This was mainly to comply with the requirements of the Common Log Format. This implied that clients could insert control characters into the log, so you had to be quite careful when dealing with raw log files.
For security reasons starting with 1.3.25 non-printable and other special characters are escaped mostly by using \xhh sequences, where hh stands for the hexadecimal representation of the raw byte. Exceptions from this rule are " and \ which are escaped by prepending a backslash, and all whitespace characters that are written in their C-style notation (\n, \t, etc).
Some commonly used log format strings are:
- Common Log Format (CLF)
- "%h %l %u %t \"%r\" %>s %b"
- Common Log Format with Virtual Host
- "%v %h %l %u %t \"%r\" %>s %b"
- NCSA extended/combined log format
- "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
- Referer log format
- "%{Referer}i -> %U"
- Agent (Browser) log format
- "%{User-agent}i"
Please view Apache Module mod_log_config for more information.
Nihuo Web Log Analyzer also supports other log formats; See the list containing Apache/NCSA Common Log Format and all other supported formats. Please give
try, you will find the best Apache log analyzer and the best IIS log file analyzer in the world.
