Modifying ServerAdmin’s Default Apache Log Format
9 May 2002
In this article, I discuss how to modify Apache’s log formatting to produce results that include valuable information in the logs. Having to change each new entry in /etc/httpd/httpd_macosxserver.conf is inconvenient—it would be much better to change Server Admin’s default behavior. Alternatively, you could modify httpd.conf to not even call httpd_macosxserver.conf and manage virtual domains using a tool like Webmin—or even by hand. Apple included Server Admin for a reason, though, so we’ll go that route.
Server Admin uses a variety of plug-ins to provide its services. They are located in /System/Library/ServerAdmin/ and are “package” files similar to other Cocoa applications. We want to modify the Apache plugin, at /System/Library/ServerAdmin/Apache.rasplug/Contents/Mac OS/Apache. Before making any changes, make a copy of the whole Apache.rasplug package and put it somewhere safe.
You will need a binary editor in order to make the change. Ideas from the Deep’s HexEdit 1.8 is the best tool to use for this; it is freeware, so go grab a copy.
Once you’ve got HexEdit installed, log in as root and open /System/Library/ServerAdmin/Apache.rasplug/Contents/Mac OS/Apache. You’ll see something like this:
The first column is a byte index into the file; the columns in cyan are the hexadecimal representations of the characters in the file, and the text on the right is the textual representation (more or less; special characters are replaced with “.").
We want to replace Apple’s default log format ("%h %l %u %t \"%r\" %>s %b") with the word “combined,” which is the effective log format string. Search (use Command-F) for the phrase “custom,” which will appear at byte-index 00026D30. You’ll see the Apple log format string (look at the right-most columns), which is what we want to replace. Put HexEdit into Overwrite mode with Options > Use Overwrite Mode, place the insertion point at the opening quote mark, and carefully type in “combined". If you make a mistake, do not hit delete! Use your cursor keys and overtype the mistake. Do not change the length of the file.
Since “combined” is not as long as ' “%h %l %u %t \"%r\" %>s %b” ', you can use the spacebar to wipe out the extra text. That will append spaces to the end of the line, but Apache doesn’t care about that. You can also use nulls —type “00” over the original log format text, but in the middle column of hex data. Save the file (you did make a backup, right?). Make sure the saved file is the same length as the original (215416 bytes) and delete the “Apache~” file in the same directory. Make the saved Apache file executable (chmod 755) and make sure it is owned by user root, group wheel.
To make the changes stick, you will need to stop the running Server Admin daemon. You can do this by executing ps aux | grep serveradmin to find the process ID, and kill -9 processID to stop the daemon. Watchdog will respawn it, but with the new Apache settings.
Launch Server Admin, go to the Internet tab, click the globe icon, and select Configure Web Service. You can add new sites or change old ones, and the log format will always be “combined". If you make changes to a site that’s already got log files using the old format, you may be able to extract some data from them for a logfile analysis program. It’s best to just erase them and start fresh.
Thanks to Mark Edwards and Nina Corda on the Mac OS X Server list for the fundamental steps for this article!