How to analyze the Apache log file with Goaccess
Add terminal and web-based Apache access.log view with Goaccess.
In the name of security, the more information we have about our systems, the better off we are. Sometimes that information may not be directly related to security, and sometimes it is. An example: the Apache web server. There is a file named access.log that records crucial information about what is happening with the web server.
The Apache access.log file stores information about events that occur on the Apache web server. Such information may include the visitor’s IP address, pages viewed, status codes, browsers used, and more.
But searching text-based log files can be cumbersome, especially if your management tasks keep piling up. What do you do for that? You can always turn to a tool like Goaccess.
Goaccess is a terminal and web-based real-time dashboard that is used to read the Apache access.log file. I will guide you through the process of installing Goaccess on Ubuntu Server 19.10, with Apache 2.
What you need
The only things you need to make Goaccess work on your system are the following:
How to install dependencies
The first thing to do is install the necessary dependencies. To do this, open a terminal window and give the following command:
sudo apt-get install libncursesw5-dev gcc make libgeoip-dev libtokyocabinet-dev build-essential -y
After that is complete, you are ready to install Goaccess.
How to install Goaccess
To install Goaccess, download the required tar file with the command:
wget http://tar.goaccess.io/goaccess-1.3.tar.gz
Extract the file with the command:
tar xvzf goaccess-1.3.tar.gz
Go to the newly created folder with the command:
cd goaccess-1.3
Install with the following commands:
sudo ./configure --enable-utf8 --enable-geoip=legacy
sudo make
sudo make install
How to implement Goaccess
Now we are going to run Goaccess in the terminal. To do this, execute the command:
sudo goaccess /var/log/apache2/access.log --log-format=COMBINED
You should now see that Goaccess displays real-time data from your access.log file in the terminal (Figure A).
Figure A
The real-time display of Goaccess.
You can scroll through the bottom half of the screen to view the different parts of the log file. For example, scroll down to view the list of visitor host names and IP addresses (Figure B).
Figure B
Host names and IPs listed.
Press Q on your keyboard to exit Goaccess.
How to view the web dashboard
Now we are going to run Goaccess so that the web-based dashboard is displayed. Apart from the fact that the web-based dashboard is much nicer and easier to read, the main difference between the two is that the terminal dashboard is real-time, while the web dashboard is read from the report generated by the command. To generate it, issue the command:
sudo goaccess /var/log/apache2/access.log --log-format=COMBINED -a -o /var/www/html/report.html
You should get your terminal prompt back. Open a web browser and point it to http://SERVER_IP/report.html (where SERVER_IP is the IP address of the server hosting Goaccess and Apache). You should see the information in a user-friendly format (Figure C). Because the report sits in the Apache document root, anyone who can reach the server can open it, visitor IP addresses included, so restrict access to it if the server is publicly reachable.
Figure C
The static web-based dashboard.
How to receive pseudo real-time updates
To get updated statistics on your server, you must run the goaccess command a second time. The only way you can get regular updates is by creating a bash script and having it run as a cron job every minute. To do this, create a bash script with the content:
#!/bin/bash
sudo goaccess /var/log/apache2/access.log --log-format=COMBINED -a -o /var/www/html/report.html
Save that file as goaccess.sh in your user’s home directory. Then create a crontab entry with the command:
sudo crontab -e
The cron entry (to execute the command every minute) can look like this:
* * * * * /home/USERNAME/goaccess.sh
Where USERNAME is the name of a user on your system.
With that crontab entry, the report.html file is updated with new data every minute.
You now have the means to easily view the contents of your Apache access.log. Keep an eye on every aspect of your web server so that you can enjoy a little more security.
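The fields mentioned at the start (visitor IP, page requested, status code, browser) are what the COMBINED log format passed to Goaccess carries. The following Python sketch is an added example, not part of the original article or of Goaccess: it parses that format and counts responses by status class per client, so you can see what the dashboard is built from. The sample lines are constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may hold backslash-escaped quotes, hence (?:[^"\\]|\\.)*
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample lines (documentation-range IPs), not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2019:13:55:40 +0000] "GET /a HTTP/1.1" 404 196 "-" "curl/7.65.3"',
    '198.51.100.7 - - [10/Oct/2019:13:55:41 +0000] "GET /b HTTP/1.1" 404 196 "-" "curl/7.65.3"',
    '198.51.100.7 - - [10/Oct/2019:13:55:42 +0000] "POST /c HTTP/1.1" 403 199 "-" "curl/7.65.3"',
    '192.0.2.10 - - [10/Oct/2019:13:56:01 +0000] "GET /a HTTP/1.1" 304 - "http://example.com/\\"q\\"" "Mozilla/5.0"',
    'not a log line',
]

def parse_line(line):
    """Return a dict of fields, or None if the line is not in combined format."""
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    # A well-formed request is "METHOD path PROTOCOL"; anything else stays unsplit.
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
    return rec

def summarize(lines):
    """Count responses by status class per client; collect unparseable lines."""
    per_host = defaultdict(Counter)
    rejected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
            continue
        per_host[rec["host"]][f'{rec["status"] // 100}xx'] += 1
    return per_host, rejected

def noisy_clients(per_host, threshold=3):
    """Hosts with at least `threshold` 4xx responses (threshold is an assumed value)."""
    return sorted(h for h, c in per_host.items() if c["4xx"] >= threshold)
```

Lines that do not match are returned separately instead of being dropped, since a run of unparseable entries usually means the log format differs from COMBINED.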