Reading Apache Log Files

When you have website errors or connection problems with your dedicated server, a good place to look for issues is the Apache log directory. There, you will find access logs, error logs, and others. On Red Hat Enterprise Linux, CentOS, and Fedora, the log files are typically located in /var/log/httpd. On Debian-based servers, they are usually in /var/log/apache2.

To quickly view the access log, you can type this string from the command line:

less access_log

This will let you scroll through the log entries line-by-line. The top of the file will show the earliest log entries, and the bottom will show the latest. With the “less” command, all normal paging functions, such as PageUP, PageDown, Home, and End allow you to easily navigate through large logs.

Apache log files normally have the following format:

host / ident / authuser /date / request / status / bites

For example, a line in your access log may look like: – – [04/Oct/2010:10:56:36 -0400] “GET /Joomla/installation/includes/js/installation.js HTTP/1.1” 200 738 “http://localhost/Joomla/installation/index.php” “Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.55 Safari/534.3”

As you can see, this one differs slightly from the default by including the user agent information. The log file format is configurable, meaning you can make it look however you want.

If you only need to see the end of your log file, use the tail command:

tail error_log

If you want to find specific information in a log file, you can search it using this string:

cat error_log | grep

In the above example, any line with the given ip address will be shown. If it is a particularly long output, you can use less to scroll through it:

cat error_log | grep | less

To save the output to a file, use:

cat error_log | grep > suspicious-ip.txt

Most servers will regularly rotate log files to keep them from getting too large. When a new log file is created, the old one is compressed and stored in the same directory. Therefore, you may see access.log, access.log.1, access.log.2.gz, access.log.3.gz, etc.