# Viewing my Caddy access logs

Published 2025-01-06

I recently stumbled upon Goaccess. It's a web log analyser. And it's pretty awesome.

It was good timing, because the blog is new and I was curious to see if I was getting hits. It turns out - Not really. At least not from anything that resembles a human. What really interested me about Goaccess was that it provides a really nice terminal dashboard, and i'm a huge fan of terminal based apps. It can also produce a real-time HTML report, which is also really nice.

To start viewing the logs, I run the goaccess command with the --log-format parameter, followed by the path to access.log.

sudo goaccess --log-format=caddy /var/log/caddy/access.log

I'm using Caddy to serve the blog, which uses a JSON structured log format. Logs aren't enabled by default, but they can be enabled by modifying the CaddyFile with the following config.

g9h.io {
        log {
                format json
                output file /var/log/caddy/access.log
        }
}

On opening Goaccess i'm greeted with some metrics. Suffice to say, the blog isn't very popular...

Total Requests  12 Unique Visitors  10 Requested Files 5 Referrers  0
Valid Requests  12 Log Parsing Time 1s Static Files    2 Log Size   12.14 KiB
Failed Requests 0  Excl. IP Hits    0  Not Found       1 Tx. Amount 23.28 KiB
Log Source      /var/log/caddy/access.log

The dashboard shows a plethora of information such as hit count, user-agent, time distribution, referring sites and a bunch of other things. A panel that has proven to be useful so far is Not Found URLs (404), which highlighted that I didn't have a favicon.ico (I had accidentally deleted it without realising). Another useful "feature" of this panel is that it can highlight some shady visitors to your site.

Hits     h% Vis.     v% Tx. Amount Avg. T.S. Cum. T.S. Max. T.S. Mtd Proto    Data
---- ------ ---- ------ ---------- --------- --------- --------- --- -------- ----
   1  8.33%    0  0.00%    0.0   B 698.00 us 698.00 us 698.00 us GET HTTP/1.1 /.git/config

What's that? It looks like someone is trying to find my git config. Fortunately I haven't mis-configured my web server to include such files, but I can see how this might happen.

Unfortunately there doesn't appear to be a way to drill down into the request to see the source IP address. I don't know if it's an intentional design decision to not link the requests with the source IP, but it would be a welcome feature. I retrieved the IP from the log directly to do some investigation.

sudo cat /var/log/caddy/access.log | grep config

Once I had the IP, I checked the Visitor Hostnames and IPs panel in Goaccess, and it looks like the IP resolves to an AWS EC2 instance in us-east-2. I decided to send an abuse report to the nice people at trustandsafety@support.aws.com to see what they think. I suspect my efforts will be futile, but I can at least try and make the Internet a slightly better place.

Final thoughts

Goaccess is a great little tool for analysing web logs, and i'll definitely be keeping in my tool belt to track visitors to this blog.