Manual Page

NAME

goaccess - Fast web log analyzer and interactive viewer.

SYNOPSIS

					goaccess [filename] [ options ... ] [-c][-M][-H][-q][-d][...]
				

DESCRIPTION

goaccess is a free (MIT Licensed) and open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.

It provides fast and valuable HTTP statistics for system administrators that require a visual server report on the fly. GoAccess parses the specified web log file and outputs the data to the X terminal. Features include:

• General Statistics: This panel gives a summary of several metrics, some of them are: number of valid and invalid requests, time taken to analyze the data set, unique visitors, requested files, static files (CSS, ICO, JPG, etc) HTTP referrers, 404s, size of the parsed log file and bandwidth con‐ sumption.
• Unique visitors: This panel shows metrics such as hits, unique visitors and cumulative bandwidth per date. HTTP requests containing the same IP, the same date, and the same user agent are considered a unique visitor. By default, it includes web crawlers/spiders.
  Optionally, date specificity can be set to the hour level using --date-spec=hr which will display dates such as 05/Jun/2016:16, or to the minute level producing 05/Jun/2016:16:59. This is great if you want to track your daily traffic at the hour or minute level.
• Requested files: This panel displays the most highly requested (non-static) files on your web server. It shows hits, unique visitors, and percentage, along with the cumulative bandwidth, protocol, and the request method used.
• Requested static files: Lists the most frequently static files such as: JPG, CSS, SWF, JS, GIF, and PNG file types, along with the same metrics as the last panel. Additional static files can be added to the configuration file.
• 404 or Not Found: Displays the same metrics as the previous request panels, however, its data contains all pages that were not found on the server, or commonly known as 404 status code.
• Hosts: This panel has detailed information on the hosts themselves. This is great for spotting aggressive crawlers and identifying who's eating your bandwidth.
  Expanding the panel can display more information such as host's reverse DNS lookup result, country of origin and city. If the -a argument is enabled, a list of user agents can be displayed by selecting the desired IP address, and then pressing ENTER.
• Operating Systems: This panel will report which operating system the host used when it hit the server. It attempts to provide the most specific version of each operating system.
• Browsers: This panel will report which browser the host used when it hit the server. It attempts to provide the most specific version of each browser.
• Visit Times: This panel will display an hourly report. This option displays 24 data points, one for each hour of the day.
  Optionally, hour specificity can be set to the tenth of a minute level using --hour-spec=min which will display hours as 16:4 This is great if you want to spot peaks of traffic on your server.
• Virtual Hosts: This panel will display all the different virtual hosts parsed from the access log. This panel is displayed if %v is used within the log-format string.
• Referrers URLs: If the host in question accessed the site via another resource, or was linked/diverted to you from another host, the URL they were referred from will be provided in this panel. See `--ignore-panel` in your configuration file to enable it. (disabled by default)
• Referring Sites: This panel will display only the host part but not the whole URL. The URL where the request came from.
• Keyphrases: It reports keyphrases used on Google search, Google cache, and Google translate that have led to your web server. At present, it only supports Google search queries via HTTP. See `--ignore-panel` in your configuration file to enable it. (disabled by default)
• Geo Location: Determines where an IP address is geographically located. Statistics are broken down by continent and country. It needs to be compiled with GeoLocation support.
• HTTP Status Codes: The values of the numeric status code to HTTP requests.
• ASN: This panel displays ASN (Autonomous System Numbers) data for GeoIP2 and legacy databases. Great for detecting malicious traffic and blocking accordingly.
• Remote User (HTTP authentication) This is the userid of the person requesting the document as determined by HTTP authentication. If the document is not password protected, this part will be "-" just like the previous one. This panel is not enabled unless %e is given within the log-format variable.
• Cache Status If you are using caching on your server, you may be at the point where you want to know if your request is being cached and served from the cache. This panel shows the cache status of the object the server served. This panel is not enabled unless %C is given within the log-format variable. The status can be either MISS, BYPASS, EXPIRED, STALE, UPDATING, REVALIDATED or HIT
• MIME Types This panel specifies Media Types (formerly known as MIME types) and Media Subtypes which will be assigned and listed underneath. This panel is not enabled unless %M is given within the log-format variable. See MIME types for more details.
• Encryption Settings This panel shows the SSL/TLS protocol used along the Cipher Suites. This panel is not enabled unless %K is given within the log-format variable.

NOTE: Optionally and if configured, all panels can display the average time taken to serve the request.

STORAGE

There are three storage options that can be used with GoAccess. Choosing one will depend on your environment and needs.

Default Hash Tables

In-memory storage provides better performance at the cost of limiting the dataset size to the amount of available physical memory. GoAccess uses in-memory hash tables. It has very good memory usage and pretty good performance. This storage has support for on-disk persistence.

CONFIGURATION

Multiple options can be used to configure GoAccess. For a complete up-to-date list of configure options, run ./configure --help

--enable-debug

Compile with debugging symbols and turn off compiler optimizations.

--enable-utf8

Compile with wide character support. Ncursesw is required.

--enable-geoip=<legacy|mmdb>

Compile with GeoLocation support. MaxMind's GeoIP is required. legacy will utilize the original GeoIP databases. mmdb will utilize the enhanced GeoIP2 databases.

--with-getline

Dynamically expands line buffer in order to parse full line requests instead of using a fixed size buffer of 4096.

--with-openssl

Compile GoAccess with OpenSSL support for its WebSocket server.

OPTIONS

The following options can be supplied via the command line or long options through the configuration file.

LOG/DATE/TIME FORMAT

• --time-format <timeformat>

  The time-format variable followed by a space, specifies the log format time containing any combination of regular characters and special format specifiers. They all begin with a percentage (%) sign. See `man strftime`. %T or %H:%M:%S.

  Note: If a timestamp is given in microseconds, %f must be used as time-format. If the timestamp is given in milliseconds %* must be used as time-format.

• --date-format <dateformat>

  The date-format variable followed by a space, specifies the log format date containing any combination of regular characters and special format specifiers.They all begin with a percentage (%) sign. See `man strftime`.

  Note: If your access log contains English dates/months such as 12/Jan/2021 but your machine locale is not set to English, then you will need to set your LC_TIME, e.g.,

  LC_TIME="en_US.UTF-8" bash -c 'goaccess access.log --log-format=COMBINED'
  

  Also, if a timestamp is given in microseconds, %f must be used as date-format. If the timestamp is given in milliseconds %* must be used as date-format.

• --datetime-format <date_timeformat>

  The date and time format combines the two variables into a single option. This gives the ability to get the timezone from a request and convert it to another timezone for output. See --tz=<timezone>

  They all begin with a percentage (%) sign. See `man strftime`. e.g., %d/%b/%Y:%H:%M:%S %z.

  Note: if --datetime-format is used, %x must be passed in the log-format variable to represent the date and time field.

  Important: if --datetime-format is used, ensure --date-format and --time-format are not used.

• --log-format <logformat>

  The log-format variable followed by a space or \t for tab-delimited, specifies the log format string.

  In addition to specifying the raw log/date/time formats, for simplicity, any of the following predefined log format names can be supplied to the log/date/time-format variables. GoAccess can also handle one predefined name in one variable and another predefined name in another variable.

  COMBINED     | Combined Log Format
  VCOMBINED    | Combined Log Format with Virtual Host
  COMMON       | Common Log Format
  VCOMMON      | Common Log Format with Virtual Host
  W3C          | W3C Extended Log File Format
  SQUID        | Native Squid Log Format
  CLOUDFRONT   | Amazon CloudFront Web Distribution
  CLOUDSTORAGE | Google Cloud Storage
  AWSELB       | Amazon Elastic Load Balancing
  AWSS3        | Amazon Simple Storage Service (S3)
  AWSALB       | Amazon Application Load Balancer
  CADDY        | Caddy's JSON Structured format (local/info format)
  TRAEFIKCLF   | Traefik's CLF flavor
  

  Note: Generally, you need quotes around values that include white spaces, commas, pipes, quotes, and/or brackets. Inner quotes must be escaped.

  Note: Piping data into GoAccess won't prompt a log/date/time configuration dialog, you will need to previously define it in your configuration file or in the command line.

  Note: The default GoAccess format for CADDY is the 'local/info' format. Nevertheless, if needed, you have the option to utilize a custom GoAccess log format to match your particular configuration. For additional details, refer to this post.

USER INTERFACE OPTIONS

• -c --config-dialog

  Prompt log/date configuration window on program start.

• -i --hl-header

  Color highlight active panel.

• -m --with-mouse

  Enable mouse support on main dashboard.

• --color=<fg:bg[attrs, PANEL>

  Specify custom colors for the terminal output.

  Color Syntax:

  DEFINITION space/tab colorFG#:colorBG# [attributes,PANEL]

  							FG# = foreground color [-1...255] (-1 = default term color)
  							BG# = background color [-1...255] (-1 = default term color)
  						

  Optionally, it is possible to apply color attributes (multiple attributes are comma separated), such as: bold,underline,normal,reverse,blink

  If desired, it is possible to apply custom colors per panel, that is, a metric in the REQUESTS panel can be of color A, while the same metric in the BROWSERS panel can be of color B.

  • COLOR_MTRC_HITS
  • COLOR_MTRC_VISITORS
  • COLOR_MTRC_DATA
  • COLOR_MTRC_BW
  • COLOR_MTRC_AVGTS
  • COLOR_MTRC_CUMTS
  • COLOR_MTRC_MAXTS
  • COLOR_MTRC_PROT
  • COLOR_MTRC_MTHD
  • COLOR_MTRC_HITS_PERC
  • COLOR_MTRC_HITS_PERC_MAX
  • COLOR_MTRC_VISITORS_PERC
  • COLOR_MTRC_VISITORS_PERC_MAX
  • COLOR_PANEL_COLS
  • COLOR_BARS
  • COLOR_ERROR
  • COLOR_SELECTED
  • COLOR_PANEL_ACTIVE
  • COLOR_PANEL_HEADER
  • COLOR_PANEL_DESC
  • COLOR_OVERALL_LBLS
  • COLOR_OVERALL_VALS
  • COLOR_OVERALL_PATH
  • COLOR_ACTIVE_LABEL
  • COLOR_BG
  • COLOR_DEFAULT
  • COLOR_PROGRESS

See configuration file for a sample color scheme.

• --color-scheme <1|2|3>

  Choose among terminal color schemes. 1 for the monochrome scheme. 2 for the green scheme and 3 for the Monokai scheme (shown only if terminal supports 256 colors).

• --crawlers-only

  Parse and display only crawlers (bots).

• --html-custom-css=<path.css>

  Specifies a custom CSS file path to load in the HTML report.

• --html-custom-js=<path.js>

  Specifies a custom JS file path to load in the HTML report.

• --html-report-title=<title>

  Set HTML report page title and header.

• --html-refresh=<seconds>

  Refresh the HTML report every X seconds. The value has to be between 1 and 60 seconds. The default is set to refresh the HTML report every 1 second.

• --html-prefs=<JSON>

  Set HTML report default preferences. Supply a valid JSON object containing the HTML preferences. It allows the ability to customize each panel plot. See example below.

  							--html-prefs='{"theme":"bright","perPage":5,"layout":"horizontal","showTables":true,"visitors":{"plot":{"chartType":"bar"}}}'
  						

  Note: Note: The JSON object passed needs to be a one line JSON string. For instance,
• --json-pretty-print

  Format JSON output using tabs and newlines.

• --max-items=<num>

  The maximum number of items to display per panel. The maximum can be a number between 1 and n.
  Note: Only a static HTML, CSV and JSON output allow a maximum number greater than the default value of 366 (or 50 in the real-time HTML output) items per panel.

• --no-color

  Turn off colored output. This is the default output on terminals that do not support colors.

• --no-column-names

  Don't write column names in the terminal output. By default, it displays column names for each available metric in every panel.

• --no-csv-summary

  Disable summary metrics on the CSV output.

• --no-progress

  Disable progress metrics [total requests/requests per second] when parsing a log.

• --no-tab-scroll

  Disable scrolling through panels when TAB is pressed or when a panel is selected using a numeric key.

• --no-html-last-updated

  Do not show the last updated field displayed in the HTML generated report.

• --no-parsing-spinner

  Do now show the progress metrics and parsing spinner.

• --tz=<timezone>

  Ouputs the report date/time data in the given timezone. Note that it uses the canonical timezone name. e.g., Europe/Berlin or America/Chicago or Africa/Cairo. If an invalid timezone name is given, the ouput will be in GMT. See --datetime-format in order to properly specify a timezone in the date/time format.

SERVER OPTIONS

• --addr=<address>

  Specify IP address to bind the server to. Otherwise it binds to 0.0.0.0.

  Usually there is no need to specify the address, unless you intentionally would like to bind the server to a different address within your server.

• --daemonize

  Run GoAccess as daemon (only if --real-time-html enabled).

• --user-name=<username>

  Run GoAccess as the specified user.

  Note: Note: It's important to ensure the user or the users' group can access the input and output files as well as any other files needed. Other groups the user belongs to will be ignored. As such it's advised to run GoAccess behind a SSL proxy as it's unlikely this user can access the SSL certificates.

• --origin=<url>

  Ensure clients send the specified origin header upon the WebSocket handshake. The specified origin should look exactly to the origin header field sent by the browser. e.g., --origin=http://goaccess.io

• --pid-file=<path/goaccess.pid>

  Write the daemon PID to a file when used along the --daemonize option.

• --port=<port>

  Specify the port to use. By default GoAccess listens on port 7890 for the WebSocket server. Ensure this port is opened.

• --real-time-html

  Enable real-time HTML output.

• --ws-url=<[scheme://]url[:port]>

  URL to which the WebSocket server responds. This is the URL supplied to the WebSocket constructor on the client side.

  Optionally, it is possible to specify the WebSocket URI scheme, such as ws:// or wss:// for unencrypted and encrypted connections. e.g., wss://goaccess.io

  If GoAccess is running behind a proxy, you could set the client side to connect to a different port by specifying the host followed by a colon and the port. e.g., goaccess.io:9999

  By default, it will attempt to connect to the generated report's hostname. If GoAccess is running on a remote server, the host of the remote server should be specified here. Also, make sure it is a valid host and NOT an http address.

• --ping-interval=<secs>

  Enable WebSocket ping with specified interval in seconds. This helps prevent idle connections getting disconnected.

• --fifo-in=<path/file>

  Creates a named pipe (FIFO) that reads from on the given path/file.

• --fifo-out=<path/file>

  Creates a named pipe (FIFO) that writes to the given path/file.

• --ssl-cert=<path/cert.crt>

  Path to TLS/SSL certificate. In order to enable TLS/SSL support, GoAccess requires that --ssl-cert and --ssl-key are used.
  Only if configured using --with-openssl

• --ssl-key=<path/priv.key>

  Path to TLS/SSL private key. In order to enable TLS/SSL support, GoAccess requires that --ssl-cert and --ssl-key are used.
  Only if configured using --with-openssl

FILE OPTIONS

• -

  The log file to parse is read from stdin.

• -f --log-file=<logfile>

  Specify the path to the input log file. If set in the config file, it will take priority over -f from the command line.

• -l --debug-file=<filename>

  Send all debug messages to the specified file. Needs to be configured with --enable-debug

• -p --config-file=<configfile>

  Specify a custom configuration file to use. If set, it will take priority over the global configuration file (if any).

• --invalid-requests=<filename>

  Log invalid requests to the specified file.

• --external-assets

  Output HTML assets to external JS/CSS files. Great if you are setting up Content Security Policy (CSP). This will create two separate files, goaccess.js and goaccess.css, in the same directory as your report.html file.

• --unknowns-log=<filename>

  Log unknown browsers and OSs to the specified file.

• --no-global-config

  Do not load the global configuration file. This directory should normally be /usr/etc/, /etc/ or /usr/local/etc/, unless specified with --sysconfdir=/dir at the time of running ./configure

PARSE OPTIONS

• -a --agent-list

  Enable a list of user-agents by host. For faster parsing, do not enable this flag.

• -d --with-output-resolver

  Enable IP resolver on the HTML or JSON output.

• -e --exclude-ip <IP|IP-range>

  Exclude an IPv4 or IPv6 from being counted. Ranges can be included as well using a dash in between the IPs (start-end).

  • exclude-ip 127.0.0.1
  • exclude-ip 192.168.0.1-192.168.0.100
  • exclude-ip ::1
  • exclude-ip 0:0:0:0:0:ffff:808:804-0:0:0:0:0:ffff:808:808

• -j --jobs=<1-6>

  This specifies the number of parallel processing threads to be used during the execution of the program. It determines the degree of concurrency when analyzing log data, allowing for parallel processing of multiple tasks simultaneously. It defaults to 1 thread. It's common to set the number of jobs based on the available hardware resources, such as the number of CPU cores. See --chunk-size for more info.

• -H --http-protocol=<yes|no>

  Set/unset HTTP request protocol. This will create a request key containing the request protocol + the actual request.

• -M --http-method=<yes|no>

  Set/unset HTTP request method. This will create a request key containing the request method + the actual request.

• -o --output=<json|csv|html>

  Write output to stdout given one of the following files and the corresponding extension for the output format:
  

  • /path/file.csv - Comma-separated values (CSV)
  • /path/file.json - JSON (JavaScript Object Notation)
  • /path/file.html - HTML
  
  Note that one can parse the log in a single GoAccess run and simultaneously save two outputs, for example, HTML and JSON, e.g., --output /path/to/report.html --output /path/to/report.json

• -q --no-query-string

  Ignore request's query string. i.e., www.google.com/page.htm?query => www.google.com/page.htm
  Note: Removing the query string can greatly decrease memory consumption, especially on timestamped requests.

• -r --no-term-resolver

  Disable IP resolver on terminal output.

• --444-as-404

  Treat non-standard status code 444 as 404.

• --4xx-to-unique-count

  Add 4xx client errors to the unique visitors count.

• --anonymize-ip

  Anonymize the client IP address. The IP anonymization option sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros. e.g.,

  								192.168.20.100 => 192.168.20.0
  								2a03:2880:2110:df07:face:b00c::1 => 2a03:2880:2110:df07::
  							

• --chunk-size=<256-32768>

  This determines the number of lines that form a chunk. This parameter influences the size of the data processed concurrently by each thread, allowing for parallelization of the file reading and processing tasks. The value of chunk-size affects the efficiency of the parallel processing and can be adjusted based on factors such as system resources and the characteristics of the input data.

  Low Values:
  

  If chunk-size is set too low, it might result in inefficient processing. For instance, if each chunk contains a very small number of lines, the overhead of managing and coordinating parallel processing might outweigh the benefits.

  Large Values:
  

  Conversely, if chunk-size is set too high, it could lead to resource exhaustion. Each chunk represents a portion of data that a thread processes in parallel. Setting chunk-size to an excessively large value might cause memory issues, particularly if there are many parallel threads running simultaneously.

• --anonymize-level==<1|2|3>

  Specifies the anonymization levels: 1 => default, 2 => strong, 3 => pedantic.

  ┌------------┬---------┬---------┬---------┐
  │Bits-hidden │ Level 1 │ Level 2 │ Level 3 │
  ├------------┼---------┼---------┼---------┤
  │IPv4        │ 8       │ 16      │ 24      │
  ├------------┼---------┼---------┼---------┤
  │IPv6        │ 64      │ 80      │ 96      │
  └------------┴---------┴---------┴---------┘
  

• --all-static-files

  Include static files that contain a query string.

• --browsers-file=<path>

  By default GoAccess parses an "essential/basic" curated list of browsers & crawlers. If you need to add additional browsers, use this option. Include an additional tab delimited list of browsers/crawlers/feeds etc. See config/browsers.list.
  Note: The SIZE of the list is proportional to the run time. Thus, the longer the list, the more time GoAccess will take to parse it.

• --date-spec=<date|hr|min>

  Set the date specificity to either date (default), hr to display hours or min to display minutes appended to the date.
  This is used in the visitors panel. It's useful for tracking visitors at the hour level. For instance, an hour specificity would yield to display traffic as 18/Dec/2010:19 or minute specificity 18/Dec/2010:19:59.

• --double-decode

  Decode double-encoded values. This includes, user-agent, request, and referrer.

• --enable-panel=<PANEL>

  Enable parsing/displaying the given panel. List of panels:

  • VISITORS
  • REQUESTS
  • REQUESTS_STATIC
  • NOT_FOUND
  • HOSTS
  • OS
  • BROWSERS
  • VISIT_TIMES
  • VIRTUAL_HOSTS
  • REFERRERS
  • REFERRING_SITES
  • KEYPHRASES
  • STATUS_CODES
  • REMOTE_USER
  • CACHE_STATUS
  • GEO_LOCATION
  • MIME_TYPE
  • TLS_TYPE
• --fname-as-vhost=<regex>

  Use log filename(s) as virtual host(s). POSIX regex is passed to extract the virtual host from the filename. e.g., --fname-as-vhost='[a-z]*.[a-z]*' can be used to extract from the file awesome.com.log the vhost of awesome.com.

• --hide-referrer<NEEDLE>

  Hide a referrer but still count it. Wild cards are allowed in the needle. i.e., *.bing.com.

• --hour-spec=<hour|min>

  Set the time specificity to either hour (default) or min to display the tenth of an hour appended to the hour.
  This is used in the time distribution panel. It's useful for tracking peaks of traffic on your server at specific times.

• --ignore-crawlers

  Ignore crawlers.

• --unknowns-as-crawlers

  Classify unknown OS and browsers as crawlers. As an attempt to detect non-humans more accurately, an option to classify unknown OS and browsers and crawlers help.

• --ignore-panel=<PANEL>

  Ignore parsing/displaying the given panel. List of panels:

  • VISITORS
  • REQUESTS
  • REQUESTS_STATIC
  • NOT_FOUND
  • HOSTS
  • OS
  • BROWSERS
  • VISIT_TIMES
  • VIRTUAL_HOSTS
  • REFERRERS
  • REFERRING_SITES
  • KEYPHRASES
  • STATUS_CODES
  • REMOTE_USER
  • CACHE_STATUS
  • GEO_LOCATION
  • MIME_TYPE
  • TLS_TYPE
• --ignore-referrer=<referrer>

  Ignore referrers from being counted. Wildcards allowed. e.g., *.domain.com ww?.domain.*

• --ignore-statics=<req|panel>

  Ignore static file requests.

  • req = Only ignore request from valid requests
  • panel = Ignore request from panels.
  Note: It will count them towards the total number of requests.
• --ignore-status=<STATUS>

  Ignore parsing and displaying one or multiple status code(s). For multiple status codes, use this option multiple times.

• --keep-last=<ndays>

  Keep the last specified number of days in storage. This will recycle the storage tables. e.g., keep & show only the last 7 days.

• --no-ip-validation

  Disable client IP validation. Useful if IP addresses have been obfuscated before being logged.

  Note: The log still needs to contain a placeholder for %h, usually it's a resolved IP. e.g. ord37s19-in-f14.1e100.net.
• --no-strict-status

  Disable HTTP status code validation. Some servers would record this value only if a connection was established to the target and the target sent a response. Otherwise, it could be recorded as -.

• --num-tests=<number>

  Number of lines from the access log to test against the provided log/date/time format. By default, the parser is set to test 10 lines. If set to 0, the parser won't test any lines and will parse the whole access log and thus making the processing less strict.
  
  If a line matches the given log/date/time format before it reaches number, the parser will consider the log to be valid, otherwise GoAccess will return EXIT_FAILURE and display the relevant error messages.

• --process-and-exit

  Parse log and exit without outputting data. Useful if we are looking to only add new data to the on-disk database without outputting to a file or a terminal.

• --real-os

  Display real OS names. e.g, Windows XP, Snow Leopard.

• --sort-panel=<PANEL,FIELD,ORDER>

  Sort panel on initial load. Sort options are separated by comma. Options are in the form: PANEL,METRIC,ORDER
  Available Metrics

  • BY_HITS Sort by hits
  • BY_VISITORS Sort by unique visitors
  • BY_DATA Sort by data
  • BY_BW Sort by bandwidth
  • BY_AVGTS Sort by average time served
  • BY_CUMTS Sort by cumulative time served
  • BY_MAXTS Sort by maximum time served
  • BY_PROT Sort by http protocol
  • BY_MTHD Sort by http method
  Available orders
  • ASC
  • DESC

• --static-file=<extension>

  Add static file extension. e.g.: .mp3. Extensions are case sensitive.

GEOLOCATION OPTIONS

GeoIP Legacy

Legacy GeoIP has been discontinued. If your Linux distribution does not ship with the legacy databases, you may still be able to find them through different sources. Make sure to download the .dat files.

Distributed with Creative Commons Attribution-ShareAlike 4.0 International License. https://mailfud.org/geoip-legacy/

                    # IPv4 Country database:
                    # Download the GeoIP.dat.gz
                    # gunzip GeoIP.dat.gz
                    #
                    # IPv4 City database:
                    # Download the GeoIPCity.dat.gz
                    # gunzip GeoIPCity.dat.gz
                

• -g --std-geoip

  Standard GeoIP database for less memory usage.

GeoIP2

For GeoIP2 databases, you can use DB-IP Lite databases.

DB-IP is licensed under a Creative Commons Attribution 4.0 International License. https://db-ip.com/db/lite.php

Or you can download them from MaxMind https://dev.maxmind.com/geoip/geoip2/geolite2/

                    # For GeoIP2 City database:
                    # Download the GeoLite2-City.mmdb.gz
                    # gunzip GeoLite2-City.mmdb.gz
                    #
                    # For GeoIP2 Country database:
                    # Download the GeoLite2-Country.mmdb.gz
                    # gunzip GeoLite2-Country.mmdb.gz
                

• --geoip-database <geocityfile>

  Specify path to GeoIP database file. i.e., GeoLiteCity.dat. File needs to be downloaded from maxmind.com. IPv4 and IPv6 files are supported as well. Note: --geoip-city-data is an alias of --geoip-database.
  Note: If using GeoIP2, you will need to download the City/Country database from MaxMind and use the option --geoip-database to specify the database. Currently cities are only shown in the hosts panel (per host).

OTHER OPTIONS

• -h --help

  The help.

• -V --version

  Display version information and exit.

• -s --storage

  Display current storage method. i.e., B+ Tree, Hash.

• --dcf

  Display the path of the default config file when -p is not used.

PERSISTENCE STORAGE OPTIONS

• --persist

  Persist parsed data into disk. If database files exist, files will be overwritten. This should be set to the first dataset. See examples below.

• --restore

  Load previously stored data from disk. If reading persisted data only, the database files need to exist. See --persist and examples below.

• --db-path <dir>

  Path where the on-disk database files are stored. The default value is the /tmp directory.
  

CUSTOM LOG/DATE FORMAT

GoAccess can parse virtually any web log format.

Predefined options include, Common Log Format (CLF), Combined Log Format (XLF/ELF), including virtual host, W3C format (IIS) and Amazon CloudFront (Download Distribution).

GoAccess allows any custom format string as well.

There are two ways to configure the log format. The easiest is to run GoAccess with -c to prompt a configuration window. However this won't make it permanent, for that you will need to specify the format in the configuration file.

The configuration file resides under: %sysconfdir%/goaccess.conf or ~/.goaccessrc

Note %sysconfdir% is either /etc/, /usr/etc/ or /usr/local/etc/

time-format The time-format variable followed by a space, specifies the log-format time containing any combination of regular characters and special format specifiers. They all begin with a percentage (%) sign. See `man strftime`. %T or %H:%M:%S.

Note: If a timestamp is given in microseconds, %f must be used as time-format. If the timestamp is given in milliseconds %* must be used as time-format.

date-format The date-format variable followed by a space, specifies the log-format date containing any combination of regular characters and special format specifiers. They all begin with a percentage (%) sign. See `man strftime`.

Note: If a timestamp is given in microseconds, %f must be used as date-format. If the timestamp is given in milliseconds %* must be used as date-format.

log-format The log-format variable followed by a space or \t for tab-delimited, specifies the log format string.

SPECIFIERS

• %x A date and time field matching the time-format and date-format variables. This is used when a timestamp is given instead of the date and time being in two separate variables.
• %ttime field matching the time-format variable.
• %ddate field matching the date-format variable.
• %vThe server name according to the canonical name setting (Server Blocks or Virtual Host).
• %eThis is the userid of the person requesting the document as determined by HTTP authentication.
• %CThe cache status of the object the server served.
• %hhost (the client IP address, either IPv4 or IPv6)
• %rThe request line from the client. This requires specific delimiters around the request (single quotes, double quotes, etc) to be parsable. Otherwise, use a combination of special format specifiers such as %m, %U, %q and %H to parse individual fields.
  • Note: Use either %r to get the full request OR %m, %U, %q and %H to form your request, do not use both.
• %mThe request method.
• %UThe URL path requested.
  • Note: If the query string is in %U, there is no need to use %q. However, if the URL path, does not include any query string, you may use %q and the query string will be appended to the request.
• %qThe query string.
• %HThe request protocol.
• %sThe status code that the server sends back to the client.
• %bThe size of the object returned to the client.
• %RThe "Referer" HTTP request header.
• %uThe user-agent HTTP request header.
• %KThe TLS encryption settings chosen for the connection. (In Apache LogFormat: %{SSL_PROTOCOL}x).
• %kThe TLS encryption settings chosen for the connection. (In Apache LogFormat: %{SSL_CIPHER}x).
• %MThe MIME-type of the requested resource. (In Apache LogFormat: %{Content-Type}o)
• %DThe time taken to serve the request, in microseconds.
• %TThe time taken to serve the request, in seconds with milliseconds resolution.
• %L The time taken to serve the request, in milliseconds as a decimal number.
• %n The time taken to serve the request, in nanoseconds as a decimal number.
• %^Ignore this field.
• %~Move forward through the log string until a non-space (!isspace) char is found.
• ~hThe host (the client IP address, either IPv4 or IPv6) in a X-Forwarded-For (XFF) field.

┌-------------------------------------------------┐
│XFF field                            │ specifier │
├-------------------------------------┼-----------┤
│"192.1.2.3, 192.68.33.17, 192.1.1.2" │ "~h{, }"  │
├-------------------------------------┼-----------┤
│"192.1.2.12", "192.68.33.17"         │ ~h{", }   │
├-------------------------------------┼-----------┤
│192.1.2.12, 192.68.33.17             │ ~h{, }    │
├-------------------------------------┼-----------┤
│192.1.2.14 192.68.33.17 192.1.1.2    │ ~h{ }     │
└-------------------------------------------------┘

GoAccess requires the following fields:

• a valid IPv4/6 %h
• a valid date %d
• the request %r

INTERACTIVE KEYS

• F1 or hMain help.
• F5Redraw main window.
• qQuit the program, current window or collapse active module
• o or ENTERExpand selected module or open window
• 0-9 and Shift + 0Set selected module to active
• jScroll down within expanded module
• kScroll up within expanded module
• cSet or change scheme color
• ^ fScroll forward one screen within active module
• ^ bScroll backward one screen within active module
• TABIterate modules (forward)
• SHIFT + TABIterate modules (backward)
• sSort options for active module
• /Search across all modules (regex allowed)
• nFind position of the next occurrence
• gMove to the first item or top of screen
• Gmove to the last item or bottom of screen

EXAMPLES

DIFFERENT OUTPUTS

To output to a terminal and generate an interactive report:

					# goaccess access.log
				

To generate an HTML report:

					# goaccess access.log -a -o report.html
				

To generate a JSON report:

					# goaccess access.log -a -d -o report.json
				

To generate a CSV file:

					# goaccess access.log --no-csv-summary -o report.csv
				

GoAccess also allows great flexibility for real-time filtering and parsing. For instance, to quickly diagnose issues by monitoring logs since goaccess was started:

					# tail -f access.log | goaccess -
				

And even better, to filter while maintaining opened a pipe to preserve real-time analysis, we can make use of tail -f and a matching pattern tool such as grep, awk, sed, etc:

					# tail -f access.log | grep -i --line-buffered 'firefox' | goaccess --log-format=COMBINED -
				

or to parse from the beginning of the file while maintaining the pipe opened and applying a filter

					# tail -f -n +0 access.log | grep --line-buffered 'Firefox' | goaccess -o out.html --real-time-html -
				

or to convert the log date timezone to a different timezone, e.g., Europe/Berlin

					# goaccess access.log --log-format='%h %^[%x] "%r" %s %b "%R" "%u"' --datetime-format='%d/%b/%Y:%H:%M:%S %z' --tz=Europe/Berlin --date-spec=min
				

MULTIPLE LOG FILES

There are several ways to parse multiple logs with GoAccess. The simplest is to pass multiple log files to the command line:

					# goaccess access.log access.log.1
				

It's even possible to parse files from a pipe while reading regular files:

					# cat access.log.2 | goaccess access.log access.log.1 -
				

Note that the single dash is appended to the command line to let GoAccess know that it should read from the pipe.

Now if we want to add more flexibility to GoAccess, we can do a series of pipes. For instance, if we would like to process all compressed log files access.log.*.gz in addition to the current log file, we can do:

					# zcat access.log.*.gz | goaccess access.log -
				

Note: On Mac OS X, use gunzip -c instead of zcat.

REAL TIME HTML OUTPUT

GoAccess has the ability to output real-time data in the HTML report. You can even email the HTML file since it is composed of a single file with no external file dependencies, how neat is that!

The process of generating a real-time HTML report is very similar to the process of creating a static report. Only --real-time-html is needed to make it real-time.

					# goaccess access.log -o /usr/share/nginx/html/site/report.html --real-time-html
				

By default, GoAccess will use the host name of the generated report. Optionally, you can specify the URL to which the client's browser will connect to. See http://goaccess.io/faq for a more detailed example.

					# goaccess access.log -o report.html --real-time-html --ws-url=goaccess.io
				

By default, GoAccess listens on port 7890, to use a different port other than 7890, you can specify it as (make sure the port is opened):

					 # goaccess access.log -o report.html --real-time-html --port=9870
				

And to bind the WebSocket server to a different address other than 0.0.0.0, you can specify it as:

					# goaccess access.log -o report.html --real-time-html --addr=127.0.0.1
				

Note: To output real time data over a TLS/SSL connection, you need to use --ssl-cert=<cert.crt> and --ssl-key=<priv.key>.

WORKING WITH DATES

Another useful pipe would be filtering dates out of the web log

The following will get all HTTP requests starting on 05/Dec/2010 until the end of the file.

					# sed -n '/05\/Dec\/2010/,$ p' access.log | goaccess -a -
				

or using relative dates such as yesterdays or tomorrows day:

					# sed -n '/'$(date '+%d\/%b\/%Y' -d '1 week ago')'/,$ p' access.log | goaccess -a -
				

If we want to parse only a certain time-frame from DATE a to DATE b, we can do:

					# sed -n '/5\/Nov\/2010/,/5\/Dec\/2010/ p' access.log | goaccess -a -
				

If we want to preserve only certain amount of data and recycle storage, we can keep only a certain number of days. For instance to keep & show the last 5 days:

                    # goaccess access.log --keep-last=5
				

VIRTUAL HOSTS

Assuming your log contains the virtual host field. For instance:

					vhost.com:80 10.131.40.139 - - [02/Mar/2016:08:14:04 -0600] "GET /shop/bag-p-20 HTTP/1.1" 200 6715 "-" "Apache (internal dummy connection)"
				

And you would like to append the virtual host to the request in order to see which virtual host the top urls belong to

					awk '$8=$1$8' access.log | goaccess -a -
				

To exclude a list of virtual hosts you can do the following:

					# grep -v "`cat exclude_vhost_list_file`" vhost_access.log | goaccess -
				

FILES, STATUS CODES & BOTS

To parse specific pages, e.g., page views, html, htm, php, etc. within a request:

					# awk '$7~/\.html|\.htm|\.php/' access.log | goaccess -
				

Or to parse page views with out extesion, e.g., /contact /profile/user

					# awk '$7!~/\..*$/' access.log | goaccess -
				

Note, $7 is the request field for the common and combined log format, (without Virtual Host), if your log includes Virtual Host, then you probably want to use $8 instead. It's best to check which field you are shooting for, e.g.:

					# tail -10 access.log | awk '{print $8}'
				

Or to parse a specific status code, e.g., 500 (Internal Server Error):

					# awk '$9~/500/' access.log | goaccess -
				

Or multiple status codes:

					# tail -f -n +0 access.log | awk '$9~/3[0-9]{2}|5[0-9]{2}/' | goaccess -o out.html -
				

And to get an estimated overview of how many bots (crawlers) are hitting your server:

					# tail -F -n +0 access.log | grep -i --line-buffered 'bot' | goaccess -
				

SERVER

Also, it is worth pointing out that if we want to run GoAccess at lower priority, we can run it as:

					# nice -n 19 goaccess access.log -a
				

and if you don't want to install it on your server, you can still run it from your local machine:

					# ssh -n root@server 'tail -f /var/log/apache2/access.log' | goaccess -
				

Note: SSH requires -n so GoAccess can read from stdin. Also, make sure to use SSH keys for authentication as it won't work if a passphrase is required.

PROCESSING LOGS INCREMENTALLY

GoAccess has the ability to process logs incrementally through its internal storage and dump its data to disk. It works in the following way:

• A dataset must be persisted first with --persist, then the same dataset can be loaded with
• --restore. If new data is passed (piped or through a log file), it will append it to the original dataset.

Examples

					// last month access log
                    # goaccess access.log.1 --persist
				

then, load it with

					// append this month access log, and preserve new data
                    # goaccess access.log --restore --persist
				

To read persisted data only (without parsing new data)

                    # goaccess --restore
				

NOTES

Each active panel has a total of 366 items or 50 in the real-time HTML report. The number of items is customizable using max-items However, only a static HTML, CSV and JSON output allow a maximum number greater than the default value of 366 items per panel.

A hit is a request (line in the access log), e.g., 10 requests = 10 hits. HTTP requests with the same IP, date, and user agent are considered a unique visit.

If you want to enable dual-stack support, please use --addr=:: instead of the default --addr=0.0.0.0.

The generated report will attempt to reconnect to the WebSocket server after 1 second with exponential backoff. It will attempt to connect 20 times.

BUGS

If you think you have found a bug, please send me an email to

AUTHOR

Gerardo Orellana. For more details about it, or new releases, please visit http://goaccess.io