Apache access log is formatted incorrectly
up vote
1
down vote
favorite
I'm trying to add a monitoring system to parse my Apache logs. I'm running on an AWS Elastic Beanstalk AMI (Amazon Linux, ami-655e8e0a).
Looking at my apache conf file (/etc/httpd/conf/httpd.conf) there's the following snippet:
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>
A sample actual log line looks like:
1.2.3.4 (-) - - [11/Nov/2018:06:41:59 +0000] "GET /myproj/ HTTP/1.1" 200 1500 "-" "ELB-HealthChecker/2.0"
Looking at the definition of the 'combined' format in the conf file, it looks like there should be only two fields between the IP address (%h) and the timestamp (%t), but I count three (the "(-)" and the two "-"). This causes the monitoring system's default Apache log parser to fail.
Firstly, this hyphen in parenthesis is strange - why is it in parenthesis? Secondly, why are there three fields instead of two? Thirdly, when I edit the line for the 'combined' LogFormat in the conf file, it doesn't change the actual logs.
The only workaround I found was to create a new LogFormat with a different name and change the CustomLog to work with it instead of with the 'combined' LogFormat. It looks just like the 'combined' LogFormat line, except it has a different name, yet the logs come out fine with it - without that extra '(-)' part, i.e.:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" mytestformat
CustomLog "logs/access_log" mytestformat
How come the actual default 'combined' definition is adding this strange '(-)'? Where is it coming from? And why is it impossible to change it?
Thanks.
apache amazon-web-services logging amazon-elastic-beanstalk
asked Nov 11 at 7:33
E.K.
1619
add a comment |
up vote
1
down vote
favorite
I'm trying to add a monitoring system to parse my Apache logs. I'm running on an AWS Elastic Beanstalk AMI (Amazon Linux, ami-655e8e0a).
Looking at my apache conf file (/etc/httpd/conf/httpd.conf) there's the following snippet:
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>
A sample actual log line looks like:
1.2.3.4 (-) - - [11/Nov/2018:06:41:59 +0000] "GET /myproj/ HTTP/1.1" 200 1500 "-" "ELB-HealthChecker/2.0"
Looking at the definition of the 'combined' format in the conf file, it looks like there should be only two fields between the IP address (%h) and the timestamp (%t), but I count three (the "(-)" and the two "-"). This causes the monitoring system's default Apache log parser to fail.
Firstly, this hyphen in parenthesis is strange - why is it in parenthesis? Secondly, why are there three fields instead of two? Thirdly, when I edit the line for the 'combined' LogFormat in the conf file, it doesn't change the actual logs.
The only workaround I found was to create a new LogFormat with a different name and change the CustomLog to work with it instead of with the 'combined' LogFormat. It looks just like the 'combined' LogFormat line, except it has a different name, yet the logs come out fine with it - without that extra '(-)' part, i.e.:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" mytestformat
CustomLog "logs/access_log" mytestformat
How come the actual default 'combined' definition is adding this strange '(-)'? Where is it coming from? And why is it impossible to change it?
Thanks.
apache amazon-web-services logging amazon-elastic-beanstalk
asked Nov 11 at 7:33
E.K.
1619
Update - I just realized that the "(-)" is where the public IP address of the client goes (in my sample log it's an internal request, so there is no public IP), while the IP address at the beginning of the line is that of the load balancer. Still the question remains - where is that configured, and how can I change it to fit my monitoring system's parser.
– E.K.
Nov 11 at 8:28
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I'm trying to add a monitoring system to parse my Apache logs. I'm running on an AWS Elastic Beanstalk AMI (Amazon Linux, ami-655e8e0a).
Looking at my apache conf file (/etc/httpd/conf/httpd.conf) there's the following snippet:
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>
A sample actual log line looks like:
1.2.3.4 (-) - - [11/Nov/2018:06:41:59 +0000] "GET /myproj/ HTTP/1.1" 200 1500 "-" "ELB-HealthChecker/2.0"
Looking at the definition of the 'combined' format in the conf file, it looks like there should be only two fields between the IP address (%h) and the timestamp (%t), but I count three (the "(-)" and the two "-"). This causes the monitoring system's default Apache log parser to fail.
Firstly, this hyphen in parenthesis is strange - why is it in parenthesis? Secondly, why are there three fields instead of two? Thirdly, when I edit the line for the 'combined' LogFormat in the conf file, it doesn't change the actual logs.
The only workaround I found was to create a new LogFormat with a different name and change the CustomLog to work with it instead of with the 'combined' LogFormat. It looks just like the 'combined' LogFormat line, except it has a different name, yet the logs come out fine with it - without that extra '(-)' part, i.e.:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" mytestformat
CustomLog "logs/access_log" mytestformat
How come the actual default 'combined' definition is adding this strange '(-)'? Where is it coming from? And why is it impossible to change it?
Thanks.
apache amazon-web-services logging amazon-elastic-beanstalk
asked Nov 11 at 7:33
E.K.
1619
I'm trying to add a monitoring system to parse my Apache logs. I'm running on an AWS Elastic Beanstalk AMI (Amazon Linux, ami-655e8e0a).
Looking at my apache conf file (/etc/httpd/conf/httpd.conf) there's the following snippet:
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "logs/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
CustomLog "logs/access_log" combined
</IfModule>
A sample actual log line looks like:
1.2.3.4 (-) - - [11/Nov/2018:06:41:59 +0000] "GET /myproj/ HTTP/1.1" 200 1500 "-" "ELB-HealthChecker/2.0"
Looking at the definition of the 'combined' format in the conf file, it looks like there should be only two fields between the IP address (%h) and the timestamp (%t), but I count three (the "(-)" and the two "-"). This causes the monitoring system's default Apache log parser to fail.
Firstly, this hyphen in parenthesis is strange - why is it in parenthesis? Secondly, why are there three fields instead of two? Thirdly, when I edit the line for the 'combined' LogFormat in the conf file, it doesn't change the actual logs.
The only workaround I found was to create a new LogFormat with a different name and change the CustomLog to work with it instead of with the 'combined' LogFormat. It looks just like the 'combined' LogFormat line, except it has a different name, yet the logs come out fine with it - without that extra '(-)' part, i.e.:
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" mytestformat
CustomLog "logs/access_log" mytestformat
How come the actual default 'combined' definition is adding this strange '(-)'? Where is it coming from? And why is it impossible to change it?
Thanks.
apache amazon-web-services logging amazon-elastic-beanstalk
apache amazon-web-services logging amazon-elastic-beanstalk
asked Nov 11 at 7:33
E.K.
1619
asked Nov 11 at 7:33
E.K.
1619
asked Nov 11 at 7:33
E.K.
1619
asked Nov 11 at 7:33
E.K.
1619
asked Nov 11 at 7:33
E.K.
1619
1619
Update - I just realized that the "(-)" is where the public IP address of the client goes (in my sample log it's an internal request, so there is no public IP), while the IP address at the beginning of the line is that of the load balancer. Still the question remains - where is that configured, and how can I change it to fit my monitoring system's parser.
– E.K.
Nov 11 at 8:28
add a comment |
Update - I just realized that the "(-)" is where the public IP address of the client goes (in my sample log it's an internal request, so there is no public IP), while the IP address at the beginning of the line is that of the load balancer. Still the question remains - where is that configured, and how can I change it to fit my monitoring system's parser.
– E.K.
Nov 11 at 8:28
Update - I just realized that the "(-)" is where the public IP address of the client goes (in my sample log it's an internal request, so there is no public IP), while the IP address at the beginning of the line is that of the load balancer. Still the question remains - where is that configured, and how can I change it to fit my monitoring system's parser.
– E.K.
Nov 11 at 8:28
Update - I just realized that the "(-)" is where the public IP address of the client goes (in my sample log it's an internal request, so there is no public IP), while the IP address at the beginning of the line is that of the load balancer. Still the question remains - where is that configured, and how can I change it to fit my monitoring system's parser.
– E.K.
Nov 11 at 8:28
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
Got it! It turns out that the EBS AMI has the /etc/httpd/conf.d/wsgi.conf file that overrides these settings. The last line in this file is:
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
I changed it to:
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
(removed the %h and the parenthesis around the X-Forwarded-For) and now everything is working well!
answered Nov 11 at 8:46
E.K.
1619
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
Got it! It turns out that the EBS AMI has the /etc/httpd/conf.d/wsgi.conf file that overrides these settings. The last line in this file is:
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
I changed it to:
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
(removed the %h and the parenthesis around the X-Forwarded-For) and now everything is working well!
answered Nov 11 at 8:46
E.K.
1619
add a comment |
up vote
1
down vote
Got it! It turns out that the EBS AMI has the /etc/httpd/conf.d/wsgi.conf file that overrides these settings. The last line in this file is:
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
I changed it to:
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
(removed the %h and the parenthesis around the X-Forwarded-For) and now everything is working well!
answered Nov 11 at 8:46
E.K.
1619
add a comment |
up vote
1
down vote
up vote
1
down vote
Got it! It turns out that the EBS AMI has the /etc/httpd/conf.d/wsgi.conf file that overrides these settings. The last line in this file is:
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
I changed it to:
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
(removed the %h and the parenthesis around the X-Forwarded-For) and now everything is working well!
answered Nov 11 at 8:46
E.K.
1619
Got it! It turns out that the EBS AMI has the /etc/httpd/conf.d/wsgi.conf file that overrides these settings. The last line in this file is:
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
I changed it to:
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
(removed the %h and the parenthesis around the X-Forwarded-For) and now everything is working well!
answered Nov 11 at 8:46
E.K.
1619
answered Nov 11 at 8:46
E.K.
1619
answered Nov 11 at 8:46
E.K.
1619
answered Nov 11 at 8:46
E.K.
1619
1619
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53246718%2fapache-access-log-is-formatted-incorrectly%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Update - I just realized that the "(-)" is where the public IP address of the client goes (in my sample log it's an internal request, so there is no public IP), while the IP address at the beginning of the line is that of the load balancer. Still the question remains - where is that configured, and how can I change it to fit my monitoring system's parser.
– E.K.
Nov 11 at 8:28