Provided by: goaccess_0.9.4-1build1_amd64 
NAME
goaccess - fast web log analyzer and interactive viewer.
SYNOPSIS
goaccess [-f input-file][-c][-r][-d][-m][-q][-o][-h][...]
DESCRIPTION
goaccess is a free (GPL) real-time web log analyzer and interactive viewer that runs in a terminal in
*nix systems. It provides fast and valuable HTTP statistics for system administrators that require a
visual server report on the fly. GoAccess parses the specified web log file and outputs the data to the X
terminal. Features include:
General Statistics:
This panel gives a summary of several metrics, some of them are: number of valid and invalid
requests, time taken to analyze the data set, unique visitors, requested files, static files (CSS,
ICO, JPG, etc) HTTP referrers, 404s, size of the parsed log file and bandwidth consumption.
Unique visitors
This panel shows metrics such as hits, unique visitors and cumulative bandwidth per date. HTTP
requests containing the same IP, the same date, and the same user agent are considered a unique
visitor. By default, it includes web crawlers/spiders.
Requested files
This panel displays the most highly requested files on your web server. It shows hits, unique
visitors, and percentage, along with the cumulative bandwidth, protocol, and the request method
used.
Requested static files
Lists the most frequently static files such as: JPG, CSS, SWF, JS, GIF, and PNG file types, along
with the same metrics as the last module. Additional static files can be added to the
configuration file.
404 or Not Found
Listed like previous panels, containing the same metrics. This panel lists the top recurrent HTTP
404s.
Hosts This panel has detailed information on the hosts themselves. It displays the same metrics as
previous panels, such as number of hits, visitors, cumulative bandwidth. This is great to spot
aggressive crawlers and identifying who's eating your bandwidth.
Expanding the panel can display more information such as host's reverse DNS lookup result, country
of origin and city. If the -a argument is enabled, a list of user agents can be displayed by
selecting the desired IP address, and then pressing ENTER.
Operating Systems
This panel will report which operating system the host used when it hit the server. It attempts to
provide the most specific version of each operating system.
Browsers
This panel will report which browser the host used when it hit the server. It attempts to provide
the most specific version of each browser.
Visit Times
This panel will display an hourly report. This option displays 24 data points, one for each hour
of the day.
Referrers URLs
If the host in question accessed the site via another resource, or was linked/diverted to you from
another host, the URL they were referred from will be provided in this panel. See command line
option to ignore specific referrers. disabled by default.
Referring Sites
This panel will display only the host part but not the whole URL. The URL where the request came
from.
Keyphrases
It reports keyphrases used on Google search, Google cache, and Google translate that have lead to
your web server. At present, it only supports Google search queries. By default this panel is
disabled. See `--ignore-panel` in your configuration file to enable it. disabled by default.
Geo Location
Determines where an IP address is geographically located. Statistics are broken down by continent
and country. It needs to be compiled with GeoLocation support.
HTTP Status Codes
The values of the numeric status code to HTTP requests.
NOTE: Optionally and if configured, all panels can display the average time taken to serve the request.
STORAGE
There are three storage options that can be used with GoAccess. Choosing one will depend on your
environment and needs.
GLib Hash Tables
On-memory storage provides better performance at the cost of limiting the dataset size to the
amount of available physical memory. By default GoAccess uses GLib Hash Tables. If your dataset
can fit in memory, then this will perform fine. It has average memory usage and pretty good
performance. For better performance with memory trade-off see Tokyo Cabinet on-memory hash
database.
Tokyo Cabinet On-Disk B+ Tree
Use this storage method for large datasets where it is not possible to fit everything in memory.
The B+ tree database is slower than any of the hash databases since data has to be committed to
disk. However, using an SSD greatly increases the performance. You may also use this storage
method if you need data persistence to quickly load statistics at a later date.
Tokyo Cabinet On-Memory Hash Database
Although this may vary across different systems, in general the on-memory hash database should
perform slightly better than GLib Hash Tables.
CONFIGURATION
Multiple options can be used to configure GoAccess. For a complete up-to-date list of configure options,
run ./configure --help
--enable-debug
Compile with debugging symbols and turn off compiler optimizations.
--enable-utf8
Compile with wide character support. Ncursesw is required.
--enable-geoip
Compile with GeoLocation support. MaxMind's GeoIP is required.
--enable-tcb=<memhash|btree>
Compile with Tokyo Cabinet storage support. memhash will utilize Tokyo Cabinet's on-memory hash
database. btree will utilize Tokyo Cabinet's on-disk B+ Tree database.
--disable-zlib
Disable zlib compression on B+ Tree database.
--disable-bzip
Disable bzip2 compression on B+ Tree database.
OPTIONS
The following options can be supplied to the command or specified in the configuration file. If specified
in the configuration file, long options need to be used without prepending --.
--time-format=<timeformat>
The time_format variable followed by a space, specifies the log format time containing any
combination of regular characters and special format specifiers. They all begin with a percentage
(%) sign. See `man strftime`. %T or %H:%M:%S.
Note that if a timestamp is given in microseconds, %f must be used as time-format
--date-format=<dateformat>
The date_format variable followed by a space, specifies the log format date containing any
combination of regular characters and special format specifiers. They all begin with a percentage
(%) sign. See `man strftime`. %Y-%m-%d.
Note that if a timestamp is given in microseconds, %f must be used as date-format
--log-format=<logformat>
The log_format variable followed by a space or \t for tab-delimited, specifies the log format
string.
Note that if there are spaces within the format, the string needs to be enclosed in double quotes.
Inner quotes need to be escaped.
-a --agent-list
Enable a list of user-agents by host. For faster parsing, do not enable this flag.
-c --config-dialog
Prompt log/date configuration window on program start.
-d --with-output-resolver
Enable IP resolver on HTML|JSON output.
-e --exclude-ip=<IP|IP-range>
Exclude an IPv4 or IPv6 from being counted. Ranges can be included as well using a dash in
between the IPs (start-end).
Examples:
exclude-ip 127.0.0.1
exclude-ip 192.168.0.1-192.168.0.100
exclude-ip ::1
exclude-ip 0:0:0:0:0:ffff:808:804-0:0:0:0:0:ffff:808:808
-f --log-file=<logfile>
Specify the path to the input log file. If set in the config file, it will take priority over -f
from the command line.
-g --std-geoip
Standard GeoIP database for less memory usage.
-h --help
The help.
-H --http-protocol
Include HTTP request protocol if found. This will create a request key containing the request
protocol + the actual request.
-i --hl-header
Color highlight active panel.
-M --http-method
Include HTTP request method if found. This will create a request key containing the request method
+ the actual request.
-m --with-mouse
Enable mouse support on main dashboard.
-o --output-format=<json|csv>
Write output to stdout given one of the following formats: csv : Comma-separated values (CSV) json
: JSON (JavaScript Object Notation)
-p --config-file=<configfile>
Specify a custom configuration file to use. If set, it will take priority over the global
configuration file (if any).
-q --no-query-string
Ignore request's query string. i.e., www.google.com/page.htm?query => www.google.com/page.htm.
Note: Removing the query string can greatly decrease memory consumption, especially on timestamped
requests.
-r --no-term-resolver
Disable IP resolver on terminal output.
-s --storage
Display current storage method. i.e., B+ Tree, Hash.
-V --version
Display version information and exit.
--color-scheme<1|2>
Choose among color schemes. 1 for the default grey scheme. 2 for the green scheme.
--no-color
Turn off colored output. This is the default output on terminals that do not support colors.
---color=<fg:bg[attrs, PANEL]>
Specify custom colors for the terminal output.
Color Syntax
DEFINITION space/tab colorFG#:colorBG# [attributes,PANEL]
FG# = foreground color [-1...255] (-1 = default term color)
BG# = background color [-1...255] (-1 = default term color)
Optionally, it is possible to apply color attributes (multiple attributes are comma separated),
such as: bold, underline, normal, reverse, blink
If desired, it is possible to apply custom colors per panel, that is, a metric in the REQUESTS
panel can be of color A, while the same metric in the BROWSERS panel can be of color B.
Available color definitions:
COLOR_MTRC_HITS
COLOR_MTRC_VISITORS
COLOR_MTRC_DATA
COLOR_MTRC_BW
COLOR_MTRC_AVGTS
COLOR_MTRC_CUMTS
COLOR_MTRC_MAXTS
COLOR_MTRC_PROT
COLOR_MTRC_MTHD
COLOR_MTRC_PERC
COLOR_MTRC_PERC_MAX
COLOR_PANEL_COLS
COLOR_BARS
COLOR_ERROR
COLOR_SELECTED
COLOR_PANEL_ACTIVE
COLOR_PANEL_HEADER
COLOR_PANEL_DESC
COLOR_OVERALL_LBLS
COLOR_OVERALL_VALS
COLOR_OVERALL_PATH
COLOR_ACTIVE_LABEL
COLOR_BG
COLOR_DEFAULT
COLOR_PROGRESS
See configuration file for a sample color scheme.
--no-column-names
Don't write column names in the terminal output. By default, it displays column names for each
available metric in every panel.
--html-report-title=<title>
Set HTML report page title and header.
--debug-file=<debugfile>
Send all debug messages to the specified file. Needs to be configured with --enable-debug
--invalid-requests=<filename>
Log invalid requests to the specified file.
--no-global-config
Do not load the global configuration file. This directory should normally be /usr/local/etc,
unless specified with --sysconfdir=/dir.
--real-os
Display real OS names. e.g, Windows XP, Snow Leopard.
--sort-panel=<PANEL,FIELD,ORDER>
Sort panel on initial load. Sort options are separated by comma. Options are in the form:
PANEL,METRIC,ORDER
Available metrics:
BY_HITS
BY_VISITORS
BY_DATA
BY_BW
BY_USEC
BY_PROT
BY_MTHD
Available orders:
ASC
DESC
--static-file=<extension>
Add static file extension. e.g.: .mp3 Extensions are case sensitive.
--all-static-files
Include static files that contain a query string.
--double-decode
Decode double-encoded values. This includes, user-agent, request, and referer.
--ignore-crawlers
Ignore crawlers from being counted.
--ignore-panel=PANEL
Ignore parsing and displaying the given panel.
Available panels:
VISITORS,
REQUESTS,
REQUESTS_STATIC,
NOT_FOUND,
HOSTS,
OS,
BROWSERS,
VISIT_TIMES,
REFERRERS,
REFERRING_SITES,
KEYPHRASES,
GEO_LOCATION,
STATUS_CODES,
--ignore-referer=<referer>
Ignore referers from being counted. Wildcards allowed. e.g., *.domain.com ww?.domain.*
--444-as-404
Treat non-standard status code 444 as 404.
--4xx-to-unique-count
Add 4xx client errors to the unique visitors count.
--no-progress
Disable progress metrics [total requests/requests per second].
--geoip-database=<geofile>
Specify path to GeoIP database file. i.e., GeoLiteCity.dat. File needs to be downloaded from
maxmind.com. IPv4 and IPv6 files are supported as well. Note: `--geoip-city-data` is an alias of
`--geoip-database`.
--keep-db-files
Persist parsed data into disk. This should be set to the first dataset prior to use `load-from-
disk`. Setting it to false will delete all database files when exiting the program.
Only if configured with --enable-tcb=btree
--load-from-disk
Load previously stored data from disk. Database files need to exist. See keep-db-files.
Only if configured with --enable-tcb=btree
--db-path=<dir>
Path where the on-disk database files are stored. The default value is the /tmp directory.
Only if configured with --enable-tcb=btree
--xmmap=<num>
Set the size in bytes of the extra mapped memory. The default value is 0.
Only if configured with --enable-tcb=btree
--cache-lcnum=<num>
Specifies the maximum number of leaf nodes to be cached. If it is not more than 0, the default
value is specified. The default value is 1024. Setting a larger value will increase speed
performance, however, memory consumption will increase. Lower value will decrease memory
consumption.
Only if configured with --enable-tcb=btree
--cache-ncnum=<num>
Specifies the maximum number of non-leaf nodes to be cached. If it is not more than 0, the default
value is specified. The default value is 512.
Only if configured with --enable-tcb=btree
--tune-lmemb=<num>
Specifies the number of members in each leaf page. If it is not more than 0, the default value is
specified. The default value is 128.
Only if configured with --enable-tcb=btree
--tune-nmemb=<num>
Specifies the number of members in each non-leaf page. If it is not more than 0, the default value
is specified. The default value is 256.
Only if configured with --enable-tcb=btree
--tune-bnum=<num>
Specifies the number of elements of the bucket array. If it is not more than 0, the default value
is specified. The default value is 32749. Suggested size of the bucket array is about from 1 to 4
times of the number of all pages to be stored.
Only if configured with --enable-tcb=btree
--compression=<zlib|bz2>
Specifies that each page is compressed with ZLIB|BZ2 encoding.
Only if configured with --enable-tcb=btree
Processing Logs Incrementally
GoAccess has the ability to process logs incrementally through the on-disk B+Tree database. It
works in the following way:
A data set must be persisted first with --keep-db-files, then the same data set can be loaded with
--load-from-disk. If new data is passed (piped or through a log file), it will append it to the
original data set. To preserve the data at all times, --keep-db-files must be used. If --load-
from-disk is used without --keep-db-files, database files will be deleted upon closing the
program.
CUSTOM LOG/DATE FORMAT
GoAccess can parse virtually any web log format.
Predefined options include, Common Log Format (CLF), Combined Log Format (XLF/ELF), including virtual
host, Amazon CloudFront (Download Distribution), Google Cloud Storage and W3C format (IIS).
GoAccess allows any custom format string as well.
There are two ways to configure the log format. The easiest is to run GoAccess with -c to prompt a
configuration window. Otherwise, it can be configured under ~/.goaccessrc or the %sysconfdir%.
time_format
The time_format variable followed by a space, specifies the log format time containing any
combination of regular characters and special format specifiers. They all begin with a percentage
(%) sign. See `man strftime`. %T or %H:%M:%S.
Note: If a timestamp is given in microseconds, %f must be used as time_format
date_format
The date_format variable followed by a space, specifies the log format date containing any
combination of regular characters and special format specifiers. They all begin with a percentage
(%) sign. See `man strftime`. e.g., %Y-%m-%d.
Note: If a timestamp is given in microseconds, %f must be used as date_format
log_format
The log_format variable followed by a space or \t , specifies the log format string.
%x A date and time field matching the time_format and date_format variables. This is used when a
timestamp is given instead of the date and time being in two separated variables.
%t time field matching the time_format variable.
%d date field matching the date_format variable.
%h host (the client IP address, either IPv4 or IPv6)
%r The request line from the client. This requires specific delimiters around the request (as single
quotes, double quotes, or anything else) to be parsable. If not, we have to use a combination of
special format specifiers as %m %U %H.
%q The query string.
%m The request method.
%U The URL path requested.
Note: If the query string is in %U, there is no need to use %q. However, if the URL path, does
not include any query string, you may use %q and the query string will be appended to the request.
%H The request protocol.
%s The status code that the server sends back to the client.
%b The size of the object returned to the client.
%R The "Referrer" HTTP request header.
%u The user-agent HTTP request header.
%D The time taken to serve the request, in microseconds as a decimal number.
%T The time taken to serve the request, in seconds with milliseconds resolution.
%L The time taken to serve the request, in milliseconds as a decimal number.
Note: If multiple time served specifiers are used at the same time, the first option specified in
the format string will take priority over the other specifiers.
%^ Ignore this field.
%~ Move forward through the log string until a non-space (!isspace) char is found.
GoAccess requires the following fields:
%h a valid IPv4/6
%d a valid date
%r the request
INTERACTIVE MENU
F1 or h
Main help.
F5 Redraw main window.
q Quit the program, current window or collapse active module
o or ENTER
Expand selected module or open window
0-9 and Shift + 0
Set selected module to active
j Scroll down within expanded module
k Scroll up within expanded module
c Set or change scheme color.
TAB Forward iteration of modules. Starts from current active module.
SHIFT + TAB
Backward iteration of modules. Starts from current active module.
^f Scroll forward one screen within an active module.
^b Scroll backward one screen within an active module.
s Sort options for active module
/ Search across all modules (regex allowed)
n Find the position of the next occurrence across all modules.
g Move to the first item or top of screen.
G Move to the last item or bottom of screen.
EXAMPLES
The simplest and fastest usage would be:
# goaccess -f access.log
That will generate an interactive text-only output.
To generate full statistics we can run GoAccess as:
# goaccess -f access.log -a
To generate an HTML report:
# goaccess -f access.log -a > report.html
To generate a JSON file:
# goaccess -f access.log -a -d -o json > report.json
To generate a CSV file:
# goaccess -f access.log -o csv > report.csv
The -a flag indicates that we want to process an agent-list for every host parsed.
The -d flag indicates that we want to enable the IP resolver on the HTML | JSON output. (It will take
longer time to output since it has to resolve all queries.)
The -c flag will prompt the date and log format configuration window. Only when curses is initialized.
Filtering can be done through the use of pipes. For instance, using grep to filter specific data and then
pipe the output into GoAccess. This adds a great amount of flexibility to what GoAccess can display. For
example:
If we would like to process all access.log.*.gz we can do:
# zcat access.log.*.gz | goaccess
OR
# zcat -f access.log* | goaccess
(On Mac OS X, use `gunzip -c` instead of `zcat`).
Another useful pipe would be filtering dates out of the web log
The following will get all HTTP requests starting on 05/Dec/2010 until the end of the file.
# sed -n '/05\/Dec\/2010/,$ p' access.log | goaccess -a
If we want to parse only a certain time-frame from DATE a to DATE b, we can do:
sed -n '/5\/Nov\/2010/,/5\/Dec\/2010/ p' access.log | goaccess -a
Note that this could take longer time to parse depending on the speed of sed.
To exclude a list of virtual hosts you can do the following:
grep -v "`cat exclude_vhost_list_file`" vhost_access.log | goaccess
Also, it is worth pointing out that if we want to run GoAccess at lower priority, we can run it as:
# nice -n 19 goaccess -f access.log -a
and if you don't want to install it on your server, you can still run it from your local machine:
# ssh root@server 'cat /var/log/apache2/access.log' | goaccess -a
NOTES
For now, each active window has a total of 366 items. Eventually this will be customizable. These 366
items are all available by default in the CSV and JSON exports, and as an expandable panel in the HTML
report (upper-right corner).
Piping a log to GoAccess will disable the real-time functionality. This is due to the portability issue
on determining the actual size of STDIN. However, a future release *might* include this feature.
BUGS
If you think you have found a bug, please send me an email to goaccess@prosoftcorp.com or use the issue tracker in https://github.com/allinurl/goaccess/issues
AUTHOR
Gerardo Orellana <goaccess@prosoftcorp.com> For more details about it, or new releases, please visit http://goaccess.io