Common Log Format

The Common Log Format (CLF) was originally used by the NCSA server, it has become the defacto standard for log files and is the format expected by a number of log analysis tools. The CLF logs contains most of the information you'll need to perform comprehensive analysis of your site.

The CLF records each request as a single line, containing several tokens which are separated by spaces. The information and format of the CLF files is as follows :

     host ident authuser date request status bytes
host The fully qualified domain name or IP address of the connecting machine. The server will record the name if reverse DNS lookup is turned on, or alternatively just record the IP address. Reverse DNS lookups can place an extra load on the server and consume extra bandwidth, for this reason you can disable reverse DNS lookups.

e.g. www.name.co.uk or 194.234.126.31

ident Never set. Always appears as a hyphen (-). The original CLF logs would store any information returned by identd for the connection. Identd is a UNIX only service and is rarely used. The ident lookup also causes excessive network bandwidth utilisation and extras server overhead, for these reasons it is not recorded.
authuser The userid used in the request if the requested document was password protected. For more details on authenticated pages and access control see the appropriate section.

e.g. lee or zeus or fred

date The date and time of the request. in the format:
[day/month/year:hh:mm:ss zone]
day = Two digit day of the month : "00" - "31"
month = Three letter month abbreviation : "Jan" … "Dec"
year = Four digit full format year (1997) : "0000" - "9999"
hour = Two digit hour : "00" - "23"
minute = Two digit minute : "00" - "59"
second = Two digit seconds : "00" - "59"
zone = Four digit signed timezone adjustment : "(+/-)0000" - "(+/-)9999"

Eg. [08/May/1997:16:27:54 +0100]

request The first line of the request received from the client. This contains information about what file the client wants and exactly how to it should be sent. It is of the format :

"method url protocol/version"

method = HTTP method, such as GET or POST
url = The URL requested by the client
protocol = Always HTTP
version = The version number of the protocol.

Eg. "GET /index.html HTTP/1.0"

status The three digit status code returned by the server in response to this request, for a full list of status codes see the appendix.

Eg. 200 or 303 or 406

bytes The number of bytes sent by the server, not including the HTTP header.

Typical examples of CLF entries :

machine.zeus.co.uk - - [08/Apr/1997:13:14:32 -0100] "GET /logo.gif HTTP/1.0" 200 2431 machine.zeus.co.uk - lee [08/Apr/1997:13:14:32 -0100] "GET /pw.txt HTTP/1.0" 200 2431 machine.zeus.co.uk - - [08/Apr/1997:16:02:20 +0100] "POST /form.cgi HTTP/1.0" 404 556 10.0.0.14 - - [19/Feb/1997:18:08:41 +0000] "GET /~lee/ HTTP/1.0" 200 408 10.0.0.14 - - [19/Feb/1997:18:14:56 +0000] "GET /~fred HTTP/1.0" 404 556

Defining CLF in the logging module

The definition of CLF in the logging module is as follows:
%h %l %u %t "%r" %s %b