Hello! I'm currently trying to automate the report generation for a project which contains several deployed nodes, these nodes write to different logs, and I'm generating the report for those logs. Each of these logs relates to a day of accesses and they are rotated daily around 3AM.

# Concatenate log files into a single file
zcat -f $LOGS | sort -k $SORT > $PARSED_LOG

# Process log variations
bash $BASEDIR/process-log-variations.sh $PARSED_LOG

# Import log data into BTREE databases
goaccess --process-and-exit -p $conf $PARSED_LOG

# Generate HTML from BTREE databases
goaccess -p $conf -o $REPDIR/report.html

My script receives several log files and concatenates them together, sorts them by the date field, and then using SED removes variation fields, such as IDs, Hashes, and others from the requests URL replacing them with the word "$var". A single log file is generated from this process which I then feed to GoAcess, first persisting the data and then updating the report HTML with data from the last log file.

The problem is that, after loading 4/5 days of logs, in the "Requested Files" panel, the behavior in the following image happens:

As you can see, there are several "GET /api/auth/token" when only one should be appearing. Does anyone know why this happen? Is it a bug or am I doing something wrong?

I'm using 0.9.2 & encountering what seems to be a crash?

 18435 Bus error               goaccess -f logs.log --geoip-city ~/GeoLiteCity3.dat >> logs.html

The log file is rather large 22 Gigabytes / 75-million+ records - at the end of the process (@ ~ [57,000/s]) when it comes to write or sometime into this process. FYI I'm using a working config / setting that works with other smaller files.

Is there a debug build with gdb or any other tool I can use to debug the issue? Or is there some other limit I may be overlooking? Meanwhile I'll try a build of the latest edition. Many thanks in advanced.

PS - Its probably worthwhile mentioning that the system has 32GB in physical RAM as well as another 32GB in swap.

Hello, I have a problem with "--real-time-html"

when i use command: root@pa:~# goaccess -f /var/log/apache2/access.log -a -o /var/www/html/index.html --real-time-html i get in terminal the following: root@pa:~# goaccess -f /var/log/apache2/access.log -a -o /var/www/html/index.html --real-time-html WebSocket server ready to accept new client connections

but on my index.html i have static page with "Last Updated" when i use a command, not real time page.

so when i use command root@pa:~# goaccess -f /var/log/apache2/access.log -a -o /var/www/html/index.html --real-time-html i have the same result like root@pa:~# goaccess -f /var/log/apache2/access.log -a -o /var/www/html/index.html

Please, help me to make it real time

Hello,

I installed freebsd 11.2 and i am trying to compile goaccess 1.3. My configure command is:

sudo ./configure --enable-geoip=mmdb

However i am getting this error:

checking for MMDB_open in -lmaxminddb... no
configure: error: 
    *** Missing development files for libmaxminddb library.

The pkg info for this library is:

$ sudo pkg install libmaxminddb
you have mail
Password:
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent version of packages are already installed

Do you know when goaccess is failing to compile it?

Thanks

here is my command: goaccess api.crm.51zan.production.access.log -a -o test.html then comes out: WebSocket server ready to accept new client connections

in the access.conf, I didn't enable real-time too!!!

Running the following docker run -p 7890:7890 -v "/mnt/user/appdata/goaccess/data":"/srv/data":rw -v "/mnt/user/appdata/goaccess/html":"/srv/report":rw -v "/mnt/user/appdata/letsencrypt/log/nginx":"/srv/logs":ro allinurl/goaccess goaccess /srv/logs/access.log -o report.html --real-time-html --no-global-config --config-file=/srv/data/goaccess.conf parses the access log and returns WebSocket server ready to accept new client connections.

Unfortunately accessing the the front-end results in an empty page, curl confirms:

# curl http://localhost:7890/ -vvvv
*   Trying localhost...
* TCP_NODELAY set
* Connected to localhost (localhost) port 7890 (#0)
> GET / HTTP/1.1
> Host: localhost:7890
> User-Agent: curl/7.57.0
> Accept: */*
> 
< HTTP/1.1 400 Invalid Request
* no chunk, no close, no size. Assume close to signal end
< 
* Closing connection 0

Using different ports for the front-end and the WebSocket server (--ws-url=0.0.0.0:7891 --port=7890)produces the same result.

Hi,

I am currently running on GoAccess v0.9.6 and installed on Centos 6.5 (Final) server.

whenever i try to run my log using "goaccess -f logfile" (without .log)

I get the error as below:-

Fatal error has occurred
Error occured at: src/parser.c - verify_formats - 1938
No time format was found on your conf file.

I have change the date-format and log-format respectively:-

date-format %d/%b/%Y
log-format %h %^[%d:%^] "%r" %s %b "%R" "%u"

No luck and keeps getting the same error....Need your kind advice on this.

Here is my config file settings:-

######################################
# Time Format Options (required)
######################################
#time-format %H:%M:%S
#time-format %T
#   
#   
#time-format %f

######################################
# Date Format Options (required)
######################################
# Apache log date format. The following date format works with any 
# of the Apache's log formats below.
#   
date-format %d/%b/%Y
#   
#date-format %Y-%m-%d
#   
#   
#date-format %f

######################################
# Log Format Options (required)
######################################
#   
#   
# NCSA Combined Log Format
#   
#log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
log-format %h %^[%d:%^] "%r" %s %b "%R" "%u"

Thanks.

I am able to see interactive screen with all statistics for my access log but not able to load the html from browser. It says loading but never loads. Please help me out with loading the html report generated.

command used:

/usr/local/bin/goaccess /opt/IBMIHS/logs/webqa/access_log.20190321 --log-format='%h %v %U %s [%d:%t %^] %D "%u"' --date-format='%d/%b/%Y' --time-format=%T --enable-panel=REFERRERS --enable-panel=KEYPHRASES

command used for generating report.html:

/usr/local/bin/goaccess /opt/IBMIHS/logs/webqa/access_log.20190321 --log-format='%h %v %U %s [%d:%t %^] %D "%u"' --date-format='%d/%b/%Y' --time-format=%T --enable-panel=REFERRERS --enable-panel=KEYPHRASES -o report.html

Hello! I'm using goaccess to track evemilano's log but I have some problem :( Any idea how to solve this?

GoAccess - version 0.8.3 - Oct 24 2014 17:27:50

Fatal error has occurred
Error occured at: goaccess.c - main - 832
Nothing valid to process.

LOG example:

162.158.151.53 - - [03/Feb/2016:11:02:50 -0500]  "GET /servizi-web-marketing/ HTTP/1.1" 500 278 "https://www.evemilano.com/servizi-seo/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36" 0.128 0.128 . BYPASS
141.101.105.70 - - [03/Feb/2016:11:02:57 -0500]  "POST /wp-cron.php?doing_wp_cron=1454515377.2718749046325683593750 HTTP/1.1" 200 31 "-" "WordPress/4.4.2; https://www.evemilano.com" 0.156 0.156 . -
162.158.151.53 - - [03/Feb/2016:11:02:58 -0500]  "GET / HTTP/1.1" 200 15326 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36" 1.437 1.437 . BYPASS

==48347== GoAccess 0.9.5 crashed by Signal 11
==48347==
==48347== VALUES AT CRASH POINT
==48347==
==48347== Line number: 84899
==48347== Offset: 84642
==48347== Invalid data: 183
==48347== Piping: 0
==48347== Response size: 0 bytes
==48347==
==48347== STACK TRACE:
==48347==
==48347== 0 goaccess(sigsegv_handler+0x166) [0x408446]
==48347== 1 /lib/x86_64-linux-gnu/libpthread.so.0(+0xfcb0) [0x7f95d7f39cb0]
==48347== 2 /lib/x86_64-linux-gnu/libc.so.6(+0x1314d7) [0x7f95d7c9d4d7]
==48347== 3 goaccess(str2enum+0x39) [0x407679]
==48347== 4 goaccess(ignore_panel+0x28) [0x414ab8]
==48347== 5 goaccess() [0x40c697]
==48347== 6 goaccess() [0x40ccba]
==48347== 7 goaccess(main+0x1e0) [0x4055b0]
==48347== 8 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed) [0x7f95d7b8d76d]
==48347== 9 goaccess() [0x406205]
==48347==
==48347== Please report it by opening an issue on GitHub:
==48347== https://github.com/allinurl/goaccess/issues

Hi @allinurl .

I have deployed the new version 1.4.1 on my servers. Just yesterday, I had to do some statistics for a new partner. And everything was ok, for statistical LOGs.

The good, the bad and the ugly

However, this morning I checked the statistics for my sites in real-time. In all instances, I was overloaded to run GoAccess. What used to be only 40% of CPU processing in previous version, today is around 100%. The only exception was the WordPress instance, which has only 1 LOG.

So, I found the prank, in the code below:

static void
perform_tail_follow (uint64_t * size1, const char *fn) {
...
  len = MIN (glog->snippetlen, size2);
  if ((fread (buf, len, 1, fp)) != 1 && ferror (fp))
    FATAL ("Unable to fread the specified log file '%s'", fn);

  if (glog->snippet[0] != '\0' && buf[0] != '\0' && memcmp (glog->snippet, buf, len) != 0)
    *size1 = glog->bytes = 0;

The code looks ok. But, wait... There is only one variable/value glog-> snippet and I have 4 LOGs for real-time processing.

Therefore, GoAccess will continue processing the last LOG. But for the other 3 LOGs it will always reprocess from the beginning. As I write here, my sites are registering more than 600 million requests for each. My Gosh.

The problem does not occur for the processing of the LOGs in non-real-time, because the read_log routine calls set_initial_persisted_data ~~after each record~~ for each LOG, before process them. The same does not happen in perform_tail_follow and therefore glog-> snippet has the value of only the last LOG. And so, the behaviour will be ok if you have only 1 LOG.

I hope I was clear. :)

I have a simple log but I cannot figure out how to parse the datetime component

sample line

{"time":1673085237.244,"client":"10.10.10.10","method":"GET","request":"GET /search/? HTTP/1.1","request_length":390,"status":"307","bytes_sent":238,"gzip_ratio":"","body_bytes_sent":0,"referer":"","user_agent":"python-requests/2.28.1","accept_encoding":"gzip","accept":"*/*","request_time":0.002}

goaccess sample_access_logs.txt -o report.html --date-format %* --time-format %* --log-format '{"time":%T,"client":"%h","method":"%m","request":"%r","request_length":%^,"status":"%s","bytes_sent":"%b","gzip_ratio":"%^","body_bytes_sent":%^,"referer":"%R","user_agent":"%u","accept_encoding":"%^","accept":"%^","request_time":%L}'

This produces the output

A valid date is required
Format Errors - Verify your log/date/time format

If I change it to

goaccess sample_access_logs.txt -o report.html --date-format %* --time-format %* --log-format '{"time":%d,"client":"%h","method":"%m","request":"%r","request_length":%^,"status":"%s","bytes_sent":"%b","gzip_ratio":"%^","body_bytes_sent":%^,"referer":"%R","user_agent":"%u","accept_encoding":"%^","accept":"%^","request_time":%L}'


Token '1673085237.244' doesn't match specifier '%d'

requests like the following are ending up in the invalid-requests.log file (goaccess 1.7):

aaa.bbb.ccc.ddd - - [31/Dec/2022:06:27:37 +0000] "GET /api/?a=proxy:unix:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|http://reddit.com/? HTTP/1.1" 404 3951 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36" "-" 0.706 TLSv1.2

not a big loss not being counted in the stats, but i don't see anything invalid about per se...

Could you just add the static link to https://goaccess.io/release-notes in every new release (or label, as releases are not used)?

This way one could easily check what actually has changed in a new version.

So i love goaccess so far and i've set it up via docker to monitor the log file of a nginx proxy manager instance. 👍

The instance however has multiple log files that use different log formats and it seems (i could be wrong) that goaccess can't support that in the goaccess.conf file when using the real time html setup on a hosted port.

This would be awesome to view multiple logs perhaps in a tabbed view. I'm more than happy to provide the default log formats that go access can read for this as i do have it working one at a time but not both.

Seeing stats per vhost is useful, especially to identify one site on a server that is being attacked or hogging resources.

--files-as-vhosts when combined with multiple input files would effectively give this feature without modifying the log format.

This would be especially useful on servers using control panels like cpanel or plesk where you could glob the input files like goaccess /var/log/apache2/domlogs// or goaccess /var/www/vhosts//logs/accesslog

I am using goaccess version - 1.6. with Build configure arguments: --enable-utf8 --enable-geoip=mmdb I have set the geoip-database in config file and also try to add --geoip-database=/usr/local/share/GeoIP/GeoLite2-City.mmdb in command line arguments but it always show Country database on HTML page. GEO LOCATION CONTINENT > COUNTRY SORTED BY UNIQUE HITS [, AVGTS, CUMTS, MAXTS]