Information in Apache log files
Log files format
Every line in the log files of the Apache web server on our servers has the following fields:
| HOSTNAME | IP ADDRESS | - | HTTP USER | TIME | REQUEST | STATUS CODE | SIZE | REFERER | USER AGENT |
An explanation of every field is available in the table below:
| HOSTNAME | The name of your (sub)domain where the request was sent to. |
| IP ADDRESS | The IP address that initiated the request. |
| - | Not readable by the server. |
| HTTP USER | Here you will find the username for HTTP authorization. |
| TIME | The time the request was handled - exact date, time, and time zone of the server. |
| REQUEST | Shows the method used for the request (e.g. GET or POST), followed by the requested full resource (e.g. the path to an image); the protocol used for the request will be listed last (e.g. "HTTP/1.1"). |
| STATUS CODE | The status code that the server sent to the visitor. All 2** codes indicate that the request was handled successfully. 3** status codes indicate a redirection, 4** status codes indicate an error caused by the visitor, and 5** status codes indicate a server error. Full list of the status codes is available in the HTTP specification (RFC 9110 Section 15). |
| SIZE | The size in bytes of the data sent from the server to the visitor. |
| REFERER | The page the visitor is coming from will be listed here if any data is listed in the REFERER header of the request. |
| USER AGENT | Information about the browser (User-Agent) of the visitor. |
All requests are saved to a log file within your hosting account once per hour. A separate log file is created for every hostname (e.g. your_domain.com.log), so the respective HOSTNAME field in the log file is excluded from the log file. For better readability, the HOSTNAME field is displayed in the examples listed below in this article.
Examples
The first example shows a request from a visitor that searched the words "test" and "example" in google.com and clicked on a link to "http://www.example.com/index.php" from the results page of google.com:
www.example.com 64.14.68.138 - - [07/Jul/2019:08:38:50 -0400] "GET /index.php HTTP/1.1" 200 3242 "http://www.google.com/search?hl=en&q=test+example&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)"
An explanation of every field is listed in the following table:
| HOSTNAME | www.example.com | The request was made to www.example.com. |
| IP ADDRESS | 64.14.68.138 | The request was made from IP address 64.14.68.138. |
| - | - | - |
| HTTP USER | - | No username/password was used as the requested resource does not require authorization. |
| TIME | [07/Jul/2019:08:38:50 -0400] | The request was handled at 8:38:50 GMT-4 on July 07, 2019. |
| REQUEST | "GET /index.php HTTP/1.1" | The resource was requested with the GET method, the requested resource is "/index.php", and the protocol was "HTTP/1.1." |
| STATUS CODE | 200 | The 200 status code indicates that the request was handled successfully. |
| SIZE | 3242 | The requested content sent to the visitor was 3242 bytes. |
| REFERER | "http://www.google.com/search?hl=en&q=test+example&btnG=Search" | The visitor came to the website "http://www.example.com/index.php" after searching for "test" and "example" on Google.com. |
| USER AGENT | "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)" | The visitor used the Mozilla Firefox browser as per the "Firefox/3.0.11" string. |
For the second example, there is a subdomain named protected.example.com, and a redirection is configured for it to another address via the hosting Control Panel > Redirect URL section. In addition, the protected.example.com subdomain is password protected via the hosting Control Panel > Protection section > Web access protection subsection.
A visitor opens the URL "http://protected.example.com" in their Internet Explorer browser. The visitor is presented with a prompt where they enter their alloweduser username and respective password for access to protected.example.com. After the successful authorization, the visitor is redirected to the URL configured via the hosting Control Panel > Redirect URL section. Only two lines will be listed in the Apache web server logs, and we will examine only the interesting fields for each request:
protected.example.com 64.14.68.139 - - [07/Jul/2019:09:40:10 -0400] "GET / HTTP/1.1" 401 409 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
| HTTP USER | - | The username is not listed here as the server responds with the authorization prompt to this initial request. |
| STATUS CODE | 401 | The server returns a 401 status code as the visitor has to authenticate with a valid username and password to access the protected.example.com subdomain. |
| USER AGENT | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" | The visitor uses the Internet Explorer browser as per the "MSIE 7.0" string. |
The second string is for the password prompt:
protected.example.com 64.14.68.139 - alloweduser [07/Jul/2019:09:40:32 -0400] "GET / HTTP/1.1" 302 237 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
| HTTP USER | alloweduser | The username provided in the authorization prompt is "alloweduser." |
| STATUS CODE | 302 | The server returns a 302 status code as the visitor is redirected to another address after the successful authentication. |