Hoping someone can point out what is wrong with the LogFormat I'm attempting to use with the access logs generated by Amazon ELB.
Multi-line for ServerFault readability:
%time5 %elb %host %host_port %host_r %host_r_port %request_processing_time
%backend_processing_time %response_processing_time %code
%backend_status_code %received_bytes %bytesd %methodurl
Example log entry (after cleanup):
2014-08-28T17:59:14 awseb-e-2-AWSEBLoa-AAAAAAAA 123.123.123.123 44153 10.123.123.123 80 0.000046 0.536613 0.000045 200 200 0 13129 "GET /path/to/web/app HTTP/1.1"
Logs are cleaned up before getting sent to AWStats. I use the following replacements:
cat ${s3_logs_dir}/* \
| sed -e "s/\(\.[0-9]\{1,3\}\):\([0-9]\{2,5\}\)/\1 \2/g" \
| sed -e "s/\(:[0-9]\{2\}\)\(\.[0-9]\{6\}Z\)/\1/g" \
| sed -e "s/http:\/\/www\.example\.com:80//g" \
> ${combined_log} 2>>${log_file}
First I detach host from port, secondly I remove microseconds from the %time5 ISO date, and finally I tried removing the absolute URL from the request.
Best Answer
Turns out it appears to be a bug with
%time5LogFormat option in AWStats.I converted YYYY-MM-DDTHH:MM:SS to YYYY-MM-DD HH:MM:SS and used
%time2, and the logs were parsed successfully.