Fixing the Apache Log Format

🌿 Budding
Planted: 9 Oct, 2021
Last tended: 7 Jul, 2022

Today I finally got around to something I’ve been meaning to do for sooo long. One of those things where the time you notice it is really not the time to be changing it.

In my Apache configs I have plenty of CustomLog directives to set the log file name for each web domain I have. At the end of every one of them was the word combined which I knew to be a specification of the format of log records. What I learned today is that combined is a default that’s defined in the main httpd.conf file like this:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

The problem I have with this is what %t does — it produces a timestamp like this: - - [08/Oct/2021:18:42:38 +0000] "HEAD / HTTP/1.1" 200 ...

Apart from slightly offending my sensibilities with that odd date format, the bigger problem is the colon after the year. If I was grepping the log for events that happened at 21:18 (18 minutes past 9pm) the above line would match even though it is actually timed at 18:42! The problem goes away in a few years I guess, but there had to be a better way. What I discovered was that %t has the ability to be very specific with time format.

So I defined a new LogFormat:

LogFormat "%{%Y-%m-%d %H:%M:%S %z}t %h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" sane

Now my log entries come out like this:

2021-10-08 21:12:38 +0000 - - "HEAD / HTTP/1.1" 200 ...

Notice I also put the timestamp at the front of the line which seems more logical to me. Now I can very easily grep for any time units, e.g. ' 21:' for the hour, ' 21:12:' for the minute. And I can even grep for multiple days (notwithstanding a daily log rotate) in the same way.

Did you spot the name I gave to my new log format? 🙂

Leave a comment

Your email address will not be published. Required fields are marked *