8

Reading this post "Understanding Apache Access Log" it refers to http://httpd.apache.org/docs/1.3/logs.html which says

%t is the time the server finished processing the request.

By this I understand that a line in access.log will not be written until the request has been served by the server. So if the request takes one minute, the timestamp will be one minute after the server received the request.

But, the above doc is for Apache 1.3. Reading this one http://httpd.apache.org/docs/2.2/mod/mod_log_config.html it says

%t Time the request was received (standard english format)

Now understanding that based on the above example, the timestamp is referring to when the request was first received by the server. But if so, then Apache would need to update access.log yet another time when the request has been served. Or maybe wait to update access.log until the request has been finished, but I doubt that since I would expect the events not to be sorted by time - but they are (making the first explanation more reasonable according to my understanding.

So which one is correct, finished processing or received - or both depending on version? (Or, what have I not fully understood...)

Improve this question
1
  • 2
    These are two very different versions of Apache. Much has changed during the time between versions. Read the documentation for the version you are running and do not over-think things between versions that were years apart. If you are running 2.2, do not add into your lexicon anything written in the version 1.3 documentation. Commented Jul 1, 2014 at 20:31

2 Answers 2

Reset to default
9

Apache writes to the log file after the request has been completed. It is able to remember the time that the request was started and write this time into the log file after the request was finished.

This means that Apache log files are not going to be strictly ordered. There may be earlier records that get recorded late because the requests takes a long time.

Apache never goes back and revises log entries.

Improve this answer
2

I'd say it's a very good question, it's important to understand what a timestamp means in log files if this will be used for (accurate) analysis of time-series data from ingesting those logs. While it feels like your question is a little lost in time now the same question needs to be answered by anyone migrating from one product to another product.

You did spot an important change that Apache made with the default access log. Apache 1.3 timestamped the log entry as it wrote it, this is a very common approach for log files that weren't/aren't intended for metrics/statistics/observability/etc. The semantics were revised with 2.2 as you note in your question and the current version 2.4 maintains this as

The time that the request was received

They chose to keep the field value as %t. Diligent log processing for performance analysis had to understand the log source and accommodate this difference.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.