How to analyze the Apache log file with GoAccess

Add terminal- and web-based Apache access.log view with GoAccess.

In the name of security, the more information we have about our systems, the better off we are. Sometimes that information is not directly related to security, and sometimes it is. Case in point: the Apache web server. Its access.log file records crucial information about what goes on with the web server.

The Apache access.log file stores information about events that occur on the Apache web server. Such information can include visitor IP address, pages viewed, status codes, browsers used, and more.

But combing through text-based log files can be cumbersome, especially when your admin tasks keep piling up. To that end, what do you do? You could always turn to a tool like GoAccess.

GoAccess is both a terminal- and web-based real-time dashboard used for reading the Apache access.log file. I'm going to walk you through the process of installing GoAccess on Ubuntu Server 19.10, running Apache 2.

What you'll need

The only things you'll need to make GoAccess run on your system are the following:

  • A running instance of Ubuntu Server with Apache 2 installed

  • A user account with sudo access

How to install dependencies

The first thing to be done is the installation of the necessary dependencies. To do this, open a terminal window and issue the following command:

sudo apt-get install libncursesw5-dev gcc make libgeoip-dev libtokyocabinet-dev build-essential -y

After that completes, you're ready to install GoAccess.

How to install GoAccess

To install GoAccess, download the necessary tar file with the command:

wget http://tar.goaccess.io/goaccess-1.3.tar.gz

Extract the file with the command:

tar xvzf goaccess-1.3.tar.gz

Change into the newly created directory with the command:

cd goaccess-1.3

Install with the following commands:

sudo ./configure --enable-utf8 --enable-geoip=legacy
sudo make
sudo make install

How to run GoAccess

Now we're going to run GoAccess in the terminal. To do that, issue the command:

sudo goaccess /var/log/apache2/access.log --log-format=COMBINED

You should now see GoAccess displaying real-time data from your access.log file in the terminal (Figure A).

Figure A: The GoAccess real-time display.

You can scroll through the bottom half of the screen to view the various sections of the log file. For example, scroll down to see the listing of Visitor Hostnames and IPs (Figure B).

Figure B: Hostnames and IPs listed.

To exit out of GoAccess, hit Q on your keyboard.

How to view the web dashboard

Now we're going to run GoAccess such that it will display the web-based dashboard. Outside of the web-based dashboard being far prettier and easier to read, the main difference between the two is that the terminal dashboard is real-time, whereas the web dashboard is read from the report generated by the command. For this, issue the command:

sudo goaccess /var/log/apache2/access.log --log-format=COMBINED -a -o /var/www/html/report.html

You should get your terminal prompt back. Open a web browser and point it to http://SERVER_IP/report.html (where SERVER_IP is the IP address of the server hosting GoAccess and Apache). You should see the information in a user-friendly format (Figure C).

Figure C: The static web-based dashboard.

How to receive pseudo real-time updates

In order to get updated stats on your server, you'd have to run the goaccess command a second time. The only way you could get regular updates would be to create a bash script and have it run as a cronjob every minute or so. For this, create a bash script with the contents:

#!/bin/bash
sudo goaccess /var/log/apache2/access.log --log-format=COMBINED -a -o /var/www/html/report.html

Save that file as goaccess.sh in your user's home directory. Next create a crontab entry with the command:

sudo crontab -e

The cron entry (to run the command every minute) could look like:

* * * * * /home/USERNAME/goaccess.sh

Where USERNAME is the name of a user on your system.

With that crontab entry in place, every minute that report.html file will be updated with the new data. 
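
The refresh job above, hardened, as an added example that is not from the original article: it builds the report in a private temporary directory and renames it into place, so a failed or overlapping run never replaces the last good report.html. The install path /usr/local/sbin/goaccess-report.sh, the run argument, the lock file path, and the variable and function names are assumptions; the script is kept root-owned and outside a user's home directory because root's crontab executes it.

```shell
#!/bin/bash
# Added example (not from the article): cron-safe GoAccess report refresh.
# Assumed install path: /usr/local/sbin/goaccess-report.sh (root-owned, mode 755).
# Assumed root crontab line: * * * * * /usr/local/sbin/goaccess-report.sh run
set -u

LOG="${LOG:-/var/log/apache2/access.log}"
OUT="${OUT:-/var/www/html/report.html}"
LOCK="${LOCK:-/run/lock/goaccess-report.lock}"   # assumed lock file location
GOACCESS="${GOACCESS:-goaccess}"                 # overridable for testing

# Build the report in a private temp dir, then rename it into place.
# Returns 0 on success, 1 if goaccess failed, 2 if the log is unreadable.
generate_report() {
    local log="$1" out="$2" tmpdir rc=1
    [ -r "$log" ] || return 2
    # Same directory as $out so the final mv is an atomic rename;
    # mktemp -d creates it mode 0700, so Apache cannot serve a partial file.
    tmpdir="$(mktemp -d "$(dirname "$out")/.goaccess.XXXXXX")" || return 1
    if "$GOACCESS" "$log" --log-format=COMBINED -a -o "$tmpdir/report.html" \
        && [ -s "$tmpdir/report.html" ]; then
        chmod 644 "$tmpdir/report.html"
        mv -f "$tmpdir/report.html" "$out" && rc=0
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Skip this run if the previous one still holds the lock (large logs can
# take longer than the one-minute cron interval).
run_locked() {
    (
        flock -n 9 || exit 0
        generate_report "$LOG" "$OUT"
    ) 9>"$LOCK"
}

if [ "${1:-}" = "run" ]; then
    run_locked
fi
```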

You now have the means to easily view the contents of your Apache access.log. Keep tabs on every aspect of your web server so you can enjoy a bit more security.
