Apache Security - Ivan Ristic [102]
Format string
Description
%%
The percent sign
%...a
Remote IP address
%...A
Local IP address
%...B
Bytes sent (excluding headers)
%...b
Bytes sent (excluding headers); a dash (-) is used instead of a zero
%...{ Name }C
The contents of the cookie Name
%...D
Time taken to serve the request, in microseconds (Apache 2 only)
%...{ Name }e
The contents of the environment variable Name
%...f
Filename
%...h
Remote host
%...H
Request protocol
%...{ Name }i
The contents of the request header Name
%...l
Remote log name (from identd)
%...m
Request method
%...{ Name }n
Contents of the note Name
%...{ Name }o
Contents of the response header Name
%...p
Canonical port of the server
%...P
Process ID
%...{ Format }P
Depending on Format, Process ID (pid) or thread ID (tid)
%...q
Query string
%...r
Request line
%...s
Response status
%...t
Time, in common log format
%...{ Format }t
Time, in custom format
%...T
Time taken to serve the request, in seconds
%...u
Remote user
%...U
The URL, excluding the query string
%...v
Canonical server name
%...V
Server name according to UseCanonicalName directive
%...X
Connection status at the end of the request ("X" for aborted, "+" for persistent, and "-" for closed)
You have a lot of fields to play with. Format strings support optional parameters, as represented by the " . . . " in each format string representation in the table. Optional parameters can be used for the following actions:
Conditionally include the format item in the log line. If the parameter consists of a list of (comma-separated) HTTP status codes, the item will be included only if the response status code was one of the specified ones. Otherwise, a "-" will be placed in the output. For example, to log bytes sent only for requests with responses 200 or 404, use %200,404B. An exclamation mark preceding the status codes is used for negation. That is, the item will be included only if the response status code is not one of the ones specified after the exclamation mark. For example, to omit logging the request line when the request was rejected due to the request line being too long, use %!414r. (This comes in handy to prevent the logs from growing too quickly.)
Access values of fields from internally redirected requests, when the parameter is < for the original request or > for the last request in the chain. By default, the %s format string refers to the status of the original request, and you can use %>s to record the status of the last request in the chain.
Apache modules can collaborate on logging if they create a named note (a text string) and attach it to the request. If the %{note}n format string is used, the contents of the note will be written to the log. A change in the Apache architecture in the second generation allows for modules to collaborate and provide custom format strings. These format strings are available if the module that provides them is included in the configuration. (See Table 8-2.)
Table 8-2. Format string directives available only in Apache 2
Format string
Module
Description
%I
mod_logio
Total bytes received, on a network level
%O
mod_logio
Total bytes sent, on a network level
%{ Variable }x
mod_ssl
The contents of the variable Variable
%{ Variable }c
mod_ssl
Deprecated cryptography format function, included for backward compatibility with mod_ssl 1.3.x
With the inclusion of mod_logio, you can measure the number of bytes transferred for every request. This feature allows hosting providers to put accurate billing mechanisms in place. (With Apache 1, you can only record the size of the response body, leaving request headers, request body, and response headers unmeasured.)
Now that you are familiar with format strings, look at commonly used log formats (see Table 8-3). (You