Apache, also known by its daemon name httpd, provides logs. These logs are very helpful for detecting errors and attacks. There are two types of Apache logs by default. The logs reside in the following directories.

Log Path

Apache logs are stored in different paths because the package name differs between distributions. The DEB (apt) family uses the name apache2 and stores logs in the apache2 directory, while the RPM (yum) family uses the name httpd and stores logs in the httpd directory.

/var/log/httpd/

CentOS

Redhat

Fedora

/var/log/apache2/

Ubuntu

Debian

Kali

Getting Log Files Directory

The log file directory can be changed in the Apache configuration. Look in the configuration files to find the exact log path.

Ubuntu, Debian, Kali

$ grep -r ErrorLog /etc/apache2

CentOS, Fedora, Red Hat

$ grep -r ErrorLog /etc/httpd

Error Logs

Error logs generally relate to service and HTTP request errors. The path differs between distributions, but the paths are generally similar.

We can read the error log as shown below. We use less to read it.

$ less /var/log/httpd/error_log
[Wed Nov 02 10:39:21.845702 2016] [suexec:notice] [pid 11753] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.122.179. Set the 'ServerName' directive globally to suppress this message
[Wed Nov 02 10:39:21.863409 2016] [auth_digest:notice] [pid 11753] AH01757: generating secret for digest authentication ...
[Wed Nov 02 10:39:21.863914 2016] [lbmethod_heartbeat:notice] [pid 11753] AH02282: No slotmem from mod_heartmonitor
[Wed Nov 02 10:39:21.965402 2016] [mpm_prefork:notice] [pid 11753] AH00163: Apache/2.4.6 (CentOS) PHP/5.4.16 configured -- resuming normal operations
[Wed Nov 02 10:39:21.965427 2016] [core:notice] [pid 11753] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

We can also search the error log with grep.

$ grep suexec /var/log/httpd/error_log
[Wed Nov 02 10:39:21.845702 2016] [suexec:notice] [pid 11753] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Nov 02 12:02:22.495005 2016] [suexec:notice] [pid 11947] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Nov 02 12:04:32.052658 2016] [suexec:notice] [pid 11965] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Access Logs

Access logs generally provide information about HTTP requests, and on a busy site they grow quickly. The access log provides the following information about requests or access attempts to our Apache web server.

Client IP Address

Date and Time

Request URI

HTTP Status Code

Client Browser

$ less /var/log/httpd/access_log
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud HTTP/1.1" 301 229 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/ HTTP/1.1" 200 10986 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/styles.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 21989 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/inputs.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 8973 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/header.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 7338 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/icons.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 8018 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:39:51 +0000] "GET /owncloud/core/css/fonts.css?v=ba222ded25d957b900c03bef914333cd HTTP/1.1" 200 728 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"

Search For Specific HTTP Status Errors

We can search the access log with grep, just as we did with the error log. In this example we search for HTTP status 404 errors in the access_log file.

$ grep 404 /var/log/httpd/access_log
192.168.122.1 - - [02/Nov/2016:10:40:44 +0000] "GET /owncloud/index.php/core/preview.png?file=%2FownCloud+Manual.pdf&c=d299b7320e9d9fda4420ba86181ea2a5&x=32&y=32&forceIcon=0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
192.168.122.1 - - [02/Nov/2016:10:41:13 +0000] "GET /owncloud/index.php/core/preview.png?file=%2FownCloud+Manual.pdf&c=d299b7320e9d9fda4420ba86181ea2a5&x=32&y=32&forceIcon=0 HTTP/1.1" 404 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
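
A plain grep 404 matches the text 404 anywhere in a line, including URIs and byte counts, so the following added example (not part of the original page) counts 404 responses per client by parsing the status field instead. It assumes the combined log format shown above and a request line without embedded double quotes; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the "combined" LogFormat shown on this page and a
# request line without embedded double quotes. Function names are hypothetical.

# Constructed sample lines (not from a real server). Line 2 is a 200 response
# whose URI and byte count both contain the text "404".
sample_log() {
cat <<'EOF'
192.168.122.1 - - [02/Nov/2016:10:40:44 +0000] "GET /owncloud/preview.png HTTP/1.1" 404 - "-" "Mozilla/5.0"
192.168.122.1 - - [02/Nov/2016:10:40:45 +0000] "GET /owncloud/img/404.png HTTP/1.1" 200 1404 "-" "Mozilla/5.0"
192.168.122.7 - - [02/Nov/2016:10:41:13 +0000] "GET /old-page.html HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.122.7 - - [02/Nov/2016:10:41:14 +0000] "GET /missing.css HTTP/1.1" 404 209 "-" "curl/7.29.0"
192.168.122.7 - - [02/Nov/2016:10:41:15 +0000] "GET /owncloud/ HTTP/1.1" 200 10986 "-" "curl/7.29.0"
EOF
}

# status_hits STATUS [FILE...]: print "count client_ip" for requests whose
# status field equals STATUS, busiest client first. Reads stdin without FILE.
status_hits() {
    want=$1; shift
    awk -F'"' -v want="$want" '
        {
            split($1, pre, " ")    # text before the request: pre[1] = client IP
            split($3, post, " ")   # text after the request: post[1] = status
            if (post[1] == want) hits[pre[1]]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# status_summary [FILE...]: print "count status" for every status code seen;
# lines whose status field is not three digits are counted as "unparsed".
status_summary() {
    awk -F'"' '
        {
            split($3, post, " ")
            code = (post[1] ~ /^[0-9][0-9][0-9]$/) ? post[1] : "unparsed"
            seen[code]++
        }
        END { for (s in seen) print seen[s], s }
    ' "$@" | sort -k2,2
}

echo "plain grep 404 matches: $(sample_log | grep -c 404)"
echo "404 responses per client:"; sample_log | status_hits 404
echo "responses per status:";     sample_log | status_summary
```

Against a real server, pass the log path as the last argument, for example status_hits 404 /var/log/httpd/access_log.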

Apache Log Files Infographic