Each line of an access log contains fields that are separated by blank spaces and delimited by quotation marks.
To understand what each field means, review the example below:
216.145.57.229 - - [05/Mar/2002:12:07:04 -0800\ "GET /examples/ HTTP/1.1" 200 1274 "http://webmaster-showcase.net/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" "webmaster-showcase.net"
| Example Field | Explanation |
| 216.145.50.200 | IP address of the requesting system. |
| s1.who.net | The name of the IP address identified by the first field (above). If this name is not be available, you will see instead a dash (-). |
| mary | If your directory is password-protected, this field will display the name from the user name/password combination used to protect the directory. You want to be sure this information is concealed from the public, because a hacker, for example, can use this information to help break into the access-controlled area. We recommend that you password-protect your logs directory. (If no user name/password was provided with the request, this field value will contain a dash.) |
| [05/Mar/2002:10:45:01 -0800\ | The time stamp of when the request was made. The time is expressed in UTC (universal time coordinates) with an offset. The offset "-800" indicates that the server is 8 hours west of 0 longitude (Greenwich, England, or GMT). |
| "GET / HTTP/1.0" | The request to the server. |
| 200 | This is the response code from the server. "200" indicates a normal response. "304" is another common response that indicates the requested resource (such as an HTML page) has not changed, so the browser can use its locally cached copy. |
| 4272 | The number of bytes sent — in other words, the data transfer used — in response to the request. This field counts only the data bytes, not the overhead bytes of the HTTP protocol. For example, "304" responses will show that no bytes were sent (here you will see just a dash), but the server did, in fact, transfer some data: the few bytes used to generate the "304" response code. |
| "http://webmaster-showcase.net/index.php" | This is the referring URL, or web address. For example, if a requested HTML file contains <img> tags, when the browser requests the image, it tells the server that the request was made because the image was included on the requesting page; it sends the URL of the requesting page as the referrer. (Note: When a user types a URL into his browser, his request does not send a referrer value.) |
| "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)" | The type of browser making the request. |
| "webmaster-showcase.net" | The domain used to access the resource. Since you can set up multiple subdomains that may access the same resources, you can use this item to identify how the resource was requested (in other words, which subdomain served the requested HTML file, image, or the like). |