Adding usernames to your Apache access log with PHP using apache_note()

Posted: October 21st, 2010 | Author: Doug | Filed under: PHP Snippet

Here is a quick little tip that allows you to embed usernames from your webapp into your Apache access log using the little-known apache_note() function. This will allow you to easily see who is requesting PHP files on your server, using your webapp’s user database. Since it requires PHP to run during the request, it won’t work for non-PHP resources like images or JavaScript files.

Apache Config Changes

The common log format already provides a place for usernames, but it’s meant for the username from the authentication header sent after you log in via your browser’s basic authentication mechanism (usually a username/password dialog popup). We will use that same spot in the log for the usernames from our webapp so that any existing log parser operating on your logs won’t need any changes.

First you need to either edit an existing named log format in Apache or create a new one. I’d be safe and just create a new one instead of editing the existing “common” log format. To do that, open your httpd.conf file and search for a line that looks like this:

LogFormat "%h %l %u %t \"%r\" %>s %b" common

and then copy this next line and place it after the common format:

LogFormat "%h %l %{username}n %t \"%r\" %>s %b" withusername

Once that is done, search for your most local CustomLog directive. The default Apache config places this within the check for the log_config_module in the server config, but it is also available as an option in the virtual host, so it’s best to double-check that it is not being overridden in the virtual host.

Once you have found the most local CustomLog directive, either comment it out and replace it with the following, or add the following alongside it and pick a separate log path. If you keep both CustomLogs in the config you’ll double the space used for logging, but in today’s cheap disk space world that shouldn’t be a problem.

Here is the line to replace or add:

CustomLog "/path/to/your/logfile.log" withusername

Code to add to your PHP webapp

With the Apache config changes in place and saved, add the following code after you have authenticated the user in the request (assuming $user contains your user object):

apache_note("username", $user->username);

That’s it! The apache_note() function allows you to access the internal table that Apache uses for modules to communicate with each other. We are adding our own note named “username” and then the log module is looking it up using the %{username}n format directive.
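The log parser mentioned earlier expects the username field to be a single token, so a webapp username containing a space or other separator would shift every field after it. The following is an added example, not code from the original post: the helper names log_safe_username() and note_username_for_log() are hypothetical, and the allow-list and 64-byte limit are assumptions to adjust for your own username rules.

```php
<?php
// Added example; helper names are hypothetical, not from the original post.

// Turn a webapp username into one log-safe token: every byte outside a small
// allow-list (spaces, quotes, control bytes, ...) is percent-encoded.
function log_safe_username(string $username, int $maxLen = 64): string
{
    $username = substr($username, 0, $maxLen); // bound the field size
    $encoded = preg_replace_callback(
        '/[^A-Za-z0-9._@+-]/',
        static function (array $m): string {
            return sprintf('%%%02X', ord($m[0]));
        },
        $username
    );
    return $encoded ?? '';
}

// Set the "username" note read by %{username}n. Returns false when nothing was
// set, in which case the log module writes "-" as it does for anonymous hits.
function note_username_for_log(?string $username): bool
{
    // apache_note() is only defined when PHP runs as an Apache module.
    if (!function_exists('apache_note')) {
        return false;
    }
    if ($username === null || $username === '') {
        return false;
    }
    apache_note('username', log_safe_username($username));
    return true;
}

// Constructed sample names, printed as they would appear in the log field.
foreach (['randomuser', 'bob smith', "tab\tname", 'quote"name'] as $name) {
    echo log_safe_username($name), PHP_EOL;
}
```

In the webapp, call note_username_for_log($user->username) in place of the bare apache_note() call.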

Using it

Restart Apache and then load a page in your webapp. If you are logged in, you should now see your username in the logs. If you are not logged in, the username note doesn’t exist and the log module will output “-” in its place, as it does when the username from the basic authentication header is missing.

Here is an example of a request without a username:

127.0.0.1 - - [21/Oct/2010:07:02:42 -0400] "GET /" 200 1337

and here is what a request would look like if you are logged in as randomuser:

127.0.0.1 - randomuser [21/Oct/2010:07:02:44 -0400] "GET /" 200 1337

