自定义apache日志

http.conf 中相关内容

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).

[@more@]

http.conf 中相关内容

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
#SetEnvIf Request_URI .gif$ image-request
#SetEnvIf Request_URI .ico$ image-request
LogFormat "%h %l %u %t "%r" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a
# container, they will be logged here. Contrariwise, if you *do*
# define per- access logfiles, transactions will be
# logged therein and *not* in this file.
#
CustomLog logs/access_log combined

默认日志例子
60.1.99.116 - - [05/Dec/2005:09:32:59 +0800] "GET /Message/ContactSelect HTTP/1.1" 200 7480 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

%...a Remote IP-address
%...A Local IP-address
%...B Size of response in bytes, excluding HTTP headers.
%...b Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a '-' rather than a 0 when no bytes are sent.
%...{Foobar}C The contents of cookie Foobar in the request sent to the server.
%...D The time taken to serve the request, in microseconds.
%...{FOOBAR}e The contents of the environment variable FOOBAR
%...f Filename
%...h Remote host
%...H The request protocol
%...{Foobar}i The contents of Foobar: header line(s) in the request sent to the server.
%...l Remote logname (from identd, if supplied). This will return a dash unless IdentityCheck is set On.
%...m The request method
%...{Foobar}n The contents of note Foobar from another module.
%...{Foobar}o The contents of Foobar: header line(s) in the reply.
%...p The canonical port of the server serving the request
%...P The process ID of the child that serviced the request.
%...{format}P The process ID or thread id of the child that serviced the request. Valid formats are pid and tid. (Apache 2.0.46 and later)
%...q The query string (prepended with a ? if a query string exists, otherwise an empty string)
%...r First line of request
%...s Status. For requests that got internally redirected, this is the status of the *original* request --- %...>s for the last.
%...t Time the request was received (standard english format)
%...{format}t The time, in the form given by format, which should be in strftime(3) format. (potentially localized)
%...T The time taken to serve the request, in seconds.
%...u Remote user (from auth; may be bogus if return status (%s) is 401)
%...U The URL path requested, not including any query string.
%...v The canonical ServerName of the server serving the request.
%...V The server name according to the UseCanonicalName setting.
%...X Connection status when response is completed:
X = connection aborted before the response completed.
+ = connection may be kept alive after the response is sent.
- = connection will be closed after the response is sent.

(This directive was %...c in late versions of Apache 1.3, but this conflicted with the historical ssl %...{var}c syntax.)
%...I Bytes received, including request and headers, cannot be zero. You need to enable mod_logio to use this.
%...O Bytes sent, including headers, cannot be zero. You need to enable mod_logio to use this.

%...a: 远程IP地址
%...A: 本地IP地址
%...B: 已发送的字节数，不包含HTTP头
%...b: CLF格式的已发送字节数量，不包含HTTP头。例如当没有发送数据时，写入‘-’而不是0。
%...{Foobar}C 发送给服务器的Cookie Foobar的内容
%...D: 服务器请求时间，微秒
%...{FOOBAR}e: 环境变量FOOBAR的内容
%...f: 文件名字
%...h: 远程主机
%...H 请求的协议
%...{Foobar}i: Foobar的内容，发送给服务器的请求的标头行。
%...l: 远程登录名字（来自identd，如提供的话）
%...m 请求的方法
%...{Foobar}n: 来自另外一个模块的注解“Foobar”的内容
%...{Foobar}o: Foobar的内容，应答的标头行
%...p: 服务器响应请求时使用的端口
%...P: 响应请求的子进程ID。
%...{format}P 服务器的子进程ID,或者线程id，可利用的格式是pid或者tid. (Apache 2.0.46 and later)
%...q 查询字符串（如果存在查询字符串，则包含“?”后面的部分；否则，它是一个空字符串。）
%...r: 请求的第一行
%...s: 状态。对于进行内部重定向的请求，这是指*原来*请求 的状态。如果用%...>s，则是指后来的请求。
%...t: 以公共日志时间格式表示的时间（或称为标准英文格式）
%...{format}t: 以指定格式format表示的时间
%...T: 为响应请求而耗费的时间，以秒计
%...u: 远程用户（来自auth；如果返回状态（%s）是401则可能是伪造的）
%...U: 用户所请求的URL路径
%...v: 响应请求的服务器的ServerName
%...V: 依照UseCanonicalName设置得到的服务器名字
%...X 响应完成后的连接状态。
X = 在请求完成之前，连接忽略。
+ = 在请求发送后，连接保持。
- = 请求发送后连接关闭。

(This directive was %...c in late versions of Apache 1.3, but this conflicted with the historical ssl %...{var}c syntax.)
%...I 接收字节，包括请求和头。不能为0。你需要启用mod_logio.
%...O 发送字节，包括头。不能为0。你需要启用mod_logio.

Referer log format Referer日值格式
"%{Referer}i -> %U"
Agent (Browser) log format 代理(浏览器)日值格式
"%{User-agent}i"

在所有上面列出的变量中，“...”表示一个可选的条件。如果没有指定条件，则变量的值将以“-”取代。分析前面来自默认httpd.conf文件的 LogFormat指令示例，可以看出它创建了一种名为“common”的日志格式，其中包括：远程主机，远程登录名字，远程用户，请求时间，请求的第一行代码，请求状态，以及发送的字节数。

　　有时候我们只想在日志中记录某些特定的、已定义的信息，这时就要用到“...”。如果在“%”和变量之间放入了一个或者多个HTTP状态代码，则只有当请求返回的状态代码属于指定的状态代码之一时，变量所代表的内容才会被记录。例如，如果我们想要记录的是网站的所有无效链接，那么可以使用：

LogFormat %404{Referer}i BrokenLinks

　　 反之，如果我们想要记录那些状态代码不等于指定值的请求，只需加入一个“!”符号即可：

LogFormat %!200U SomethingWrong

修改后的LogFormat格式
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
LogFormat "%a %l %u %t "%r" %>s %b %D "%{Referer}i" "%{User-Agent}i"" combined

LogFormat "%a %l %u %t "%r" %>s %b %D %t %T "%{Referer}i" "%{User-Agent}i"" combined
192.168.1.170 - - [23/Feb/2006:14:59:43 +0800] "GET / HTTP/1.1" 200 1018 27808 [23/Feb/2006:14:59:43 +0800] 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
192.168.1.170 - - [23/Feb/2006:14:59:45 +0800] "GET / HTTP/1.1" 304 - 1598 [23/Feb/2006:14:59:45 +0800] 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
192.168.1.170 - - [23/Feb/2006:15:04:04 +0800] "GET /awstats/awstats.pl?config=www.sxsino.com HTTP/1.1" 200 982 3400937 [23/Feb/2006:15:04:04 +0800] 3 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
192.168.1.170 - - [23/Feb/2006:15:04:07 +0800] "GET /awstats/awstats.pl?config=www.sxsino.com&framename=mainleft HTTP/1.1" 200 10334 5123567 [23/Feb/2006:15:04:07 +0800] 5 " http://192.168.1.20:81/awstats/awstats.pl?config=www.sxsino.com" "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
192.168.1.170 - - [23/Feb/2006:15:04:07 +0800] "GET /awstats/awstats.pl?config=www.sxsino.com&framename=mainright HTTP/1.1" 200 74810 5677808 [23/Feb/2006:15:04:07 +0800] 5 " http://192.168.1.20:81/awstats/awstats.pl?config=www.sxsino.com" "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"

LogFormat "%a %l %u %t "%r" %>s %b %D %t %T %X %p %{pid,tid}p "%{Referer}i" "%{User-Agent}i"" combined
192.168.1.170 - - [23/Feb/2006:15:13:47 +0800] "GET /awstats/awstats.pl?config=www.sxsino.com&framename=mainleft HTTP/1.1" 200 10334 4957010 [23/Feb/2006:15:13:47 +0800] 4 + 80 80 " http://192.168.1.20:81/awstats/awstats.pl?config=www.sxsino.com" "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
192.168.1.170 - - [23/Feb/2006:15:13:47 +0800] "GET /awstats/awstats.pl?config=www.sxsino.com&framename=mainright HTTP/1.1" 200 74810 5253296 [23/Feb/2006:15:13:47 +0800] 5 + 80 80 " http://192.168.1.20:81/awstats/awstats.pl?config=www.sxsino.com" "Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"

修改后的日志格式
LogFormat "%a %l %u %t "%r" %>s %b %D %X %{pid}p %{tid}p "%{Referer}i" "%{User-Agent}i"" combined

# Enter here your log format (Must match your web server config. See setup
# instructions in documentation to know how to configure your web server to
# have the required log format).
# Possible values: 1,2,3,4 or "your_own_personalized_log_format"
# 1 - Apache or Lotus Notes/Domino native combined log format (NCSA combined/XLF/ELF log format)
# 2 - IIS or ISA format (IIS W3C log format). See FAQ-COM115 For ISA.
# 3 - Webstar native log format.
# 4 - Apache or Squid native common log format (NCSA common/CLF log format)
# With LogFormat=4, some features (browsers, os, keywords...) can't work.
# "your_own_personalized_log_format" = If your log is ftp, mail or other format,
# you must use following keys to define the log format string (See FAQ for
# ftp, mail or exotic web log format examples):
# %host Client hostname or IP address (or Sender host for mail log)
# %host_r Receiver hostname or IP address (for mail log)
# %lognamequot Authenticated login/user with format: "john"
# %logname Authenticated login/user with format: john
# %time1 Date and time with format: [dd/mon/yyyy:hh:mm:ss +0000] or [dd/mon/yyyy:hh:mm:ss]
# %time2 Date and time with format: yyyy-mm-dd hh:mm:ss
# %time3 Date and time with format: Mon dd hh:mm:ss or Mon dd hh:mm:ss yyyy
# %time4 Date and time with unix timestamp format: dddddddddd
# %methodurl Method and URL with format: "GET /index.html HTTP/x.x"
# %methodurlnoprot Method and URL with format: "GET /index.html"
# %method Method with format: GET
# %url URL only with format: /index.html
# %query Query string (used by URLWithQuery option)
# %code Return code status (with format for web log: 999)
# %bytesd Size of document in bytes
# %refererquot Referer page with format: " http://from.com/from.htm"
# %referer Referer page with format: http://from.com/from.htm
# %uabracket User agent with format: [Mozilla/4.0 (compatible, ...)]
# %uaquot User agent with format: "Mozilla/4.0 (compatible, ...)"
# %ua User agent with format: Mozilla/4.0_(compatible...)
# %gzipin mod_gzip compression input bytes: In:XXX
# %gzipout mod_gzip compression output bytes & ratio: Out:YYY:ZZpct.
# %gzipratio mod_gzip compression ratio: ZZpct.
# %deflateratio mod_deflate compression ratio with format: (ZZ)
# %email EMail sender (for mail log)
# %email_r EMail receiver (for mail log)
# %virtualname Web sever virtual hostname. Use this tag when same log
# contains data of several virtual web servers. AWStats
# will discard records not in SiteDomain nor HostAliases
# %cluster If log file is provided from several computers (merged by
# logresolvemerge.pl), use this to define cluster id field.
# %extraX Another field that you plan to use for building a
# personalized report with ExtraSection feature (See later).
# If your log format has some fields not included in this list, use:
# %other Means another not used field
# %otherquot Means another not used double quoted field
#
# Examples for Apache combined logs (following two examples are equivalent):
# LogFormat = 1
# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
#
# Example for IIS:
# LogFormat = 2
#

根据修改后的apache日志对应的awstats日志分析格式
#LogFormat=1
LogFormat = "%host %logname %time2 %methodurl %code %bytesd %other %other %other %other %refererquot %uaquot"

来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/556989/viewspace-906267/，如需转载，请注明出处，否则将追究法律责任。

转载于:http://blog.itpub.net/556989/viewspace-906267/