Fixing the Apache Log Format

🌳 Evergreen

The following was one of those things I let slide for a long time because the time you notice it is really not the time to be changing it.

In my Apache configs I had plenty of CustomLog directives to set the log file name for each web domain I have. At the end of every one of them was the word combined, which I knew to be a specification of the format of log records. What I learned today is that combined is a default that's defined in the main httpd.conf file like this:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

The problem I have with this is what %t does — it produces a timestamp like this:

- - [08/Oct/2021:18:42:38 +0000] "HEAD / HTTP/1.1" 200 ...

Apart from slightly offending my sensibilities with that odd date format, the bigger problem is the colon after the year. If I were grepping the log for events that happened at 21:18 (18 minutes past 9pm), the above line would match, because the end of the year runs into the hour as 2021:18, even though it is actually timed at 18:42! The problem goes away in a few years, I guess, but there had to be a better way. What I discovered was that %t can take a very specific time format.

So I defined a new LogFormat:

LogFormat "%{%Y-%m-%d %H:%M:%S %z}t %h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" sane

Now my log entries come out like this:

2021-10-08 21:12:38 +0000 - - "HEAD / HTTP/1.1" 200 ...

Notice I also put the timestamp at the front of the line which seems more logical to me. Now I can very easily grep for any time units, e.g. ' 21:' for the hour, ' 21:12:' for the minute. And I can even grep for multiple days (notwithstanding a daily log rotate) in the same way.
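The false match and the fix can be reproduced on a few lines. This is an added example, not part of the original post: the log lines are constructed, the function names are made up for illustration, and the bracket-prefix pattern and the line-start anchor are additions that go one step beyond the ' 21:12:' style pattern above.

```shell
#!/bin/sh
# Constructed sample lines (not real traffic); 192.0.2.0/24 is a documentation range.
combined_log() {
cat <<'EOF'
192.0.2.10 - - [08/Oct/2021:18:42:38 +0000] "HEAD / HTTP/1.1" 200 - "-" "curl/8.0"
192.0.2.11 - - [08/Oct/2021:21:18:05 +0000] "GET /a HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.12 - - [08/Oct/2021:09:30:00 +0000] "GET /b HTTP/1.1" 404 196 "-" "curl/8.0"
EOF
}

# Same three requests in the "sane" format; the last User-Agent is constructed
# to contain a time-like string, since that field is chosen by the client.
sane_log() {
cat <<'EOF'
2021-10-08 18:42:38 +0000 192.0.2.10 - - "HEAD / HTTP/1.1" 200 - "-" "curl/8.0"
2021-10-08 21:18:05 +0000 192.0.2.11 - - "GET /a HTTP/1.1" 200 512 "-" "curl/8.0"
2021-10-08 09:30:00 +0000 192.0.2.12 - - "GET /b HTTP/1.1" 404 196 "-" "probe 21:18:00"
EOF
}

# Naive search in the combined format: also hits "2021:18:42" on the first line.
count_naive_combined() { combined_log | grep -c '21:18'; }

# For logs already written in combined format: require the whole [dd/Mon/yyyy: prefix.
count_bracket_combined() {
  combined_log | grep -Ec '\[[0-9]{2}/[A-Za-z]{3}/[0-9]{4}:21:18:'
}

# Leading space and trailing colon, as in the post, on the sane format.
count_space_sane() { sane_log | grep -c ' 21:18:'; }

# With the timestamp first, the pattern can be anchored at the start of the line,
# so text in the request, Referer or User-Agent cannot produce a match.
count_anchored_sane() {
  sane_log | grep -Ec '^[0-9]{4}-[0-9]{2}-[0-9]{2} 21:18:'
}

echo "combined, naive '21:18':       $(count_naive_combined)"
echo "combined, bracket prefix:      $(count_bracket_combined)"
echo "sane, ' 21:18:':               $(count_space_sane)"
echo "sane, anchored at line start:  $(count_anchored_sane)"
```

Only one of the three requests was made at 21:18, so the counts that read 2 include a false match.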

Did you spot the name I gave to my new log format? 🙂