Today I finally got around to something I’ve been meaning to do for sooo long. One of those things where the time you notice it is really not the time to be changing it.
In my Apache configs I have plenty of CustomLog
directives to set the log file name for each web domain I have. At the end of every one of them was the word combined
which I knew to be a specification of the format of log records. What I learned today is that combined
is a default that’s defined in the main httpd.conf
file like this:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
The problem I have with this is what %t
does — it produces a timestamp like this:
208.115.199.20 - - [08/Oct/2021:18:42:38 +0000] "HEAD / HTTP/1.1" 200 ...
Apart from slightly offending my sensibilities with that odd date format, the bigger problem is the colon after the year. If I was grepping the log for events that happened at 21:18 (18 minutes past 9pm) the above line would match even though it is actually timed at 18:42! The problem goes away in a few years I guess, but there had to be a better way. What I discovered was that %t
has the ability to be very specific with time format.
So I defined a new LogFormat:
LogFormat "%{%Y-%m-%d %H:%M:%S %z}t %h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" sane
Now my log entries come out like this:
2021-10-08 21:12:38 +0000 208.115.199.20 - - "HEAD / HTTP/1.1" 200 ...
Notice I also put the timestamp at the front of the line which seems more logical to me. Now I can very easily grep for any time units, e.g. ' 21:'
for the hour, ' 21:12:'
for the minute. And I can even grep for multiple days (notwithstanding a daily log rotate) in the same way.
Did you spot the name I gave to my new log format? 🙂