Vendors Apache Software Foundation Apache HTTP Server Apache Common Log Format

Apache Common Log Format

Standard HTTP access logs with basic request information

Apache HTTP Server Common Log Format (CLF) access logs recording basic HTTP request information including client IP, authenticated user, timestamp, request details, and response status

access-log http web-server common-format clf traffic

PLAIN TEXT Format 9 Fields High Frequency Generator

Preview Sample View Schema

Overview

Records all HTTP requests to the Apache web server in the standardized Common Log Format (CLF), including client IP, authenticated user (if any), timestamp, HTTP request method and URI, status code, and response size. This is the most widely-used and standardized Apache log format.

When Generated:

Every HTTP/HTTPS request received by the Apache web server
GET, POST, PUT, DELETE, HEAD, OPTIONS, and other HTTP methods
Both successful requests and errors (2xx, 3xx, 4xx, 5xx status codes)
Requests to static content, dynamic pages, and APIs
Legacy systems and simple web servers often use CLF instead of Combined format

Security Relevance:

High

Compliance:

PCI DSS (Requirement 10.2 - Audit logging) HIPAA (Access logging requirements) SOX (Access audit trails) GDPR (Access logging for personal data) ISO 27001 (A.12.4.1 - Event logging) NIST SP 800-53 (AU-2, AU-3 - Audit events)

Frequency Notes:

High-frequency events during business hours (900 events/hour or ~4 per second) with reduced activity during nights (120 events/hour) and weekends (150 events/hour). Common Log Format is typically used for simpler web servers, static content servers, or legacy applications.

Resources

Documentation

Apache HTTP Server Documentation - Log Files official
Apache Module mod_log_config official
Common Log Format Specification official
W3C Common Logfile Format reference
HTTP Status Codes Reference reference

Tools

GoAccess
Real-time web log analyzer and interactive viewer for Apache logs
AWStats
Advanced web statistics analyzer for Apache access logs
Webalizer
Fast web server log file analysis program
Analog
Fast log file analyzer with extensive reporting options

Generation Configuration

Base Frequency: 300 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 3.0x

Night Hours Multiplier: 0.4x

Weekend Multiplier: 0.5x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
client_ip Source: random_private_ip()	String	Required	`IPv4 or IPv6`	IP address of the client making the request	`192.168.1.100`	—
ident Source: random_choice(['-', registry.get_random_user().username])	String	Required	`Identity string or '-'`	RFC 1413 identity of the client (typically '-' as ident lookups are rarely used)	`-`	—
authenticated_user Source: random_choice(['-', registry.get_random_user().username])	String	Required	`Username or '-'`	Username of authenticated user, or '-' if not authenticated via HTTP Basic Authentication	`jsmith`	—
timestamp Source: now() \| format_datetime('%d/%b/%Y:%H:%M:%S %z')	DateTime	Required	`DD/Mon/YYYY:HH:MM:SS Timezone`	Date and time of the request in Apache's standard format	`20/Dec/2025:15:31:10 -0600`	—
request_method Source: random_choice(['GET', 'POST', 'PUT', 'DELETE', 'HEAD', 'OPTIONS'])	String	Required	`HTTP method verb`	HTTP request method	`GET`	`GET` — Retrieve resource `POST` — Submit data to server `PUT` — Update existing resource `DELETE` — Remove resource `HEAD` — Retrieve headers only `OPTIONS` — Check allowed methods
request_uri Source: random_choice of common web paths	String	Required	`URI path`	URI path and query string of the request	`/index.html`	—
http_version Source: random_choice(['1.1', '2.0'])	String	Required	`HTTP/x.x`	HTTP protocol version used for the request	`HTTP/1.1`	`HTTP/1.1` — HTTP version 1.1 (most common) `HTTP/2.0` — HTTP version 2.0
status_code Source: random_weighted selection favoring successful responses	Integer	Required	`3-digit HTTP status code`	HTTP response status code returned by the server	`200`	`200` — OK - Successful request `201` — Created - Resource created successfully `204` — No Content - Successful with no response body `301` — Moved Permanently - Resource moved `302` — Found - Temporary redirect `304` — Not Modified - Cached resource still valid `400` — Bad Request - Invalid request syntax `401` — Unauthorized - Authentication required `403` — Forbidden - Access denied `404` — Not Found - Resource not found `500` — Internal Server Error - Server error `502` — Bad Gateway - Upstream server error `503` — Service Unavailable - Server temporarily unavailable
response_size Source: random_int(0, 500000)	Integer	Required	`Bytes`	Size of response in bytes, not including HTTP headers (0 or '-' if no content sent)	`2326`	—

Details

Fields

High

Frequency

Feedback

No ratings yet