Apache logs contain voluminous and critical data about web server activities. You can convert the unstructured Apache logs into a structured format through parsing, indexing and normalizing techniques. Parsing converts Apache logs into a structured format which makes interpretation and analysis of the log easier.
Apache logs can be parsed using various commands that can be executed in your Command Line Interface (CLI) such as grep, awk, and more. This section discusses the different commands that can be used to parse and analyze Apache logs.
You can parse Apache logs using the grep command. grep returns the log lines that match a basic string or a regular expression; it filters whole lines, so any further splitting into fields has to be done with a tool such as cut or awk.
Example: To extract and view the web activity logs of a particular IP address, say 192.168.10.10, in your access log file, you can run the following command in your terminal:
$ grep "192.168.10.10" /var/log/apache2/access.log
This command returns every line of the Apache access log file that contains the IP address given in the query. Note: a dot in a grep pattern matches any character and the pattern is not anchored, so this also matches lines that contain addresses such as 192.168.10.100; use grep -Fw "192.168.10.10" to match the address as a fixed string and as a whole word.
The cat command can be used to concatenate all the log data in a file and display it line by line in the terminal or write it to a destination file. It is commonly used together with the cut command to extract a particular field from a log by specifying the position of the field and the delimiter on each side of it.
For instance, if the HTTP status code field is at the 8th position in your Apache access log, you can use the command below to extract all the HTTP status codes from the Apache access logs:
$ cat /var/log/apache2/access.log | cut -d " " -f 8
Note: with -d " " every space starts a new field, so the spaces inside the bracketed timestamp and the quoted request line each count as a separator; count the position of the field you want against an actual log line, not against the logical columns of the log format.
awk is a terminal command that helps in searching Apache web server logs effectively. It can search through the logs for a specific field using a pattern match, either a regular expression or an exact comparison. awk programs can include logical operators, conditional statements, BEGIN/END blocks and loops to enhance the log search.
Consider these Apache access logs:
127.0.0.1 Jane [22/Feb/2020:11:22:30 -0700] "GET /natural-image.jpg HTTP/2" 404 479
192.168.10.10 Maria [24/Feb/2020:01:12:20 -0700] "GET /amazon-forests-image.png HTTP/2" 200 1456
From these logs, if you want to extract the access logs that have a "404" HTTP status code, you can run the following awk command in your terminal:
$ awk '$8 ~ /404/ {print}' /var/log/apache2/access.log
Note: Here $8 denotes the eighth whitespace-separated field, which is the status code in the lines above. awk splits on whitespace by default, so the bracketed timestamp occupies two fields and the quoted request line three; a position such as $5 would select the "GET token, not the status code.
The tail command prints the last lines of a file; the first command below shows the last 100 lines of the access log, and the second sorts those lines:
$ tail -100 /var/log/apache2/access.log
$ tail -100 /var/log/apache2/access.log | sort -n
Note: -n sorts the data numerically; you can use any sort option depending on your requirement.
$ tail -100 /var/log/apache2/access.log | uniq -d
Note: -d prints only the lines that occur more than once. uniq compares adjacent lines only, so sort the input first (tail -100 /var/log/apache2/access.log | sort | uniq -d) or duplicates that are not next to each other will be missed.
Parsing the Apache logs using the above commands can be very tedious and time-consuming, and the above techniques alone cannot give you a holistic picture of an operational or security issue. A better option to analyze Apache logs would be to use a log management solution, which can ease your work by automating the process of collecting, parsing, indexing, normalizing and analyzing the Apache logs.
EventLog Analyzer is a comprehensive log management solution that can analyze Apache access and error logs from all versions of your Apache servers, including Apache Tomcat. It generates intuitive reports such as Apache Server Trend, Top Users, Top URLs, Top Browsers, Top Visitors, Top Errors, Top Referrers and Apache Reports Overview based on users' web activities. Furthermore, this solution also alerts you in real time via email and SMS in case of a threat. See EventLog Analyzer's Apache log management capabilities to know more.
Zoho Corporation Pvt. Ltd. All rights reserved.