Apache2 maintains two (2) different logs ,access and error.

There are 4 basic log directives:

• BufferedLogs - buffers logging information for performance. It's parameter is either or . This directive is only set once for the server. It effects the way all logs write. Setting BufferedLogs can increase performance by storing log entries in memory and writing them at one time. on off on

BufferedLogs On | Off

• CustomLog - allows the logging format to be changed. I think this directive is used most often. Use the LogFormat directive to set a format token to be used with this directive for convenience. CustomLog takes two parameters: the pathname to the log and either the log format token or the log format. These two directives are the same.

LogFormat "%h "%>s "%r" MyLittleLogFormat
CustomLog ${APACHE_LOG_DIR}/MyLittle.log MylLittleLogFormat
CustomLog ${APACHE_LOG_DIR}/MyLittle.log "%h "%>s "%r"

• GlobalLog - (NEW in apache 2.4) defines a log shared by server and virual hosts. This directive must be in the main server config file. It can not be used in any VirtualHost. The directive has 3 parameters.
• File or Pipe - that the log entries are to go to
• Log format or token - used to write the data
• An environment variable or expression

The LogFormat directive allows you to define a pattern of information that is written to a log and keep that definition in a neat little token referred to as a "nick name" in the auth_log_config documentation. This way a particular format can be specified in a log directive with the token as opposed to the format each time, great for people like me with fat fingers. Many log formats can be defined.

LogFormat takes two arguments.

• Pattern - the individual elements to be written to the log
• Token - the "nick name" to reference the pattern with.

For example: the default format (combined) as specified in the main server config file.

LogFormat "%h %l %u %t "%r" %>s %O "%{Referer}i" \"%{User-Agent}i\"" combined

The (") is to escape the quotes. To use this format in a CustomLog directive use the token combined :

CustomLog ${APACHE_LOG_DIR}/access.log combined

Here is a break down the syntax for the combined log format.

Item	Description
LogFormat	The Directive to set the log format
"	The start of the log string so it is processed all as one string
%h	Remote host or IP address
%l	remote log name (never comes up)
%u	remote user (never comes up, need authentication)
%t	Time request was received
\"%r\"	First line of request in quotes
%>s	final status
%O	bytes sent. I like to put this in parenthises (%O).
\"%{Referer}i\"	The contents of the header "referer" in quotes (i.e. the site with the link pointing at you)
\"%{User-Agent}i\"	The contents of the header var "User-Agent" in quotes
"	The end of the log string
combined	The "nick name" of the log string. Used to reference this log string

There are many other definitions which can be viewed in the mod_log_config docs.

There may be many log directives that use the same LogFormat token. I create a few logs for each VirtualHost on my servers. For convenience I define the formats in a LogFormat directives. Each log contains different formats to be picked up by scripts that analyse the data.

For example: Create a log that has the ip address, the date and the status code one could use a log format like:

LogFormat "%h %t %>s" RemoteHostAndStatus

The when the log is defined, the format would output

1.2.3.4   [27/Apr/2017:21:25:46 -0600]   404
4.3.2.1   [27/Apr/2017:21:25:44 -0600]   200
5.6.7.8   [27/Apr/2017:21:25:44 -0600]   500

This log can be used to cross reference the unhealthy status codes like 404 and 500 back to the main access log. With this you can generate a list of resources to check on, etc.

Most of the time it is some hacker trying to POST things they shouldn't be. Even then, that information could be used as well... maybe a "Do Not Disturb" list?