Another log question

1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

system service

a. System environment:

Raspberry Pi direct install

b. Command:

caddy start or run if needed.

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config: {
        log {
                output file /var/log/caddy/pihole.log
        @internal {
        handle @internal {
        respond 403 {
        basicauth {
                bob password

3. The problem I’m having:

I am trying to get a Fail2ban filter that works with the Caddy log output. I have had many problems but the current one is I cannot seem to figure out why the format randomly changes in my log.

Here is what I was seeing in my log

{"level":"error","ts":1593001009.4403296,"logger":"http.log.access.log1","msg":"handled request","request":{"method":"GET","uri":"/admin","proto":"HTTP/2.0","remote_addr":"","host":"","headers":{"Cookie":["PHPSESSID=igbc7rd207g8e214mmbehno3vo"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18363"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":771,"ciphersuite":49196,"proto":"h2","proto_mutual":true,"server_name":""}},"common_log":" - - [24/Jun/2020:08:16:49 -0400] \"GET /admin HTTP/2.0\" 401 0","duration":0.000069276,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}

Then out of the blue it started being formatted like this

2020/06/25 11:58:09.089	error	http.log.access.log1	handled request	{"request": {"method": "GET", "uri": "/admin", "proto": "HTTP/2.0", "remote_addr": "", "host": "", "headers": {"Authorization": ["Basic XXXXXXXXXXXXXX"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"], "Sec-Fetch-Dest": ["document"], "Sec-Fetch-User": ["?1"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en-US,en;q=0.9"], "Cookie": ["PHPSESSID=7r3m587jhqjbdpg75i17sqn2lg"], "Cache-Control": ["max-age=0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-Site": ["none"], "Sec-Fetch-Mode": ["navigate"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4867, "proto": "h2", "proto_mutual": true, "server_name": ""}}, "common_log": " - - [25/Jun/2020:07:58:09 -0400] \"GET /admin HTTP/2.0\" 401 0", "duration": 0.000196627, "size": 0, "status": 401, "resp_headers": {"Server": ["Caddy"], "Www-Authenticate": ["Basic realm=\"restricted\""]}}

When I first started trying to get a filter to work the format was the same as the second log above. Then it changed to the first one and now it’s back to the second one again. I can’t seem to figure out what I did to change it. I didn’t change anything in the Caddyfile so I’m at a loss as to what causes it.

4. Error messages and/or full log output:


5. What I already tried:

Researching what causes that to happen. I prefer the second one as the DTG is at the beginning, but how can I make sure it doesn’t revert back to the other one?

Thanks in advance

6. Links to relevant resources:

The former log style is just json format and the latter is console (the current default).

  • format describes how to encode, or format, the logs. See Format modules below. Default console

log (Caddyfile directive) — Caddy Documentation

You don’t have a format specified in your Caddyfile, so the default is chosen; you can lock either option in by specifying e.g. format console and that should remain consistent from here on out.
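The two encodings put the timestamp in different places (an epoch `ts` field inside the object for json, a leading date column for console), so log-watching logic has to know which one it is reading. The following is an added example, not code from this thread or from Caddy: it normalizes either format to the fields a ban decision needs. The function names and sample lines are constructed, and the console timestamp is assumed to be UTC, as the sample in the question suggests (11:58:09 against 07:58:09 -0400).

```python
import json
from datetime import datetime, timezone

# Constructed sample lines (not from the thread); addresses are documentation ranges.
JSON_LINE = ('{"level":"error","ts":1593001009.44,"logger":"http.log.access.log1",'
             '"msg":"handled request","request":{"method":"GET","uri":"/admin",'
             '"remote_addr":"203.0.113.7:51234"},"status":401}')
CONSOLE_LINE = ('2020/06/25 11:58:09.089\terror\thttp.log.access.log1\thandled request\t'
                '{"request": {"method": "GET", "uri": "/admin", '
                '"remote_addr": "[2001:db8::5]:40022"}, "status": 401}')


def parse_access_line(line):
    """Return (epoch_seconds, client_ip, status) for a json- or console-encoded
    access log line, or None if the line is not usable."""
    line = line.strip()
    try:
        if line.startswith("{"):
            # json encoder: the whole line is one object, time is the "ts" field
            entry = json.loads(line)
            ts = float(entry["ts"])
        else:
            # console encoder: tab-separated columns, JSON fields in the last one
            stamp, _level, _logger, _msg, fields = line.split("\t", 4)
            entry = json.loads(fields)
            # Assumption: the leading timestamp is UTC
            parsed = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S.%f")
            ts = parsed.replace(tzinfo=timezone.utc).timestamp()
        addr = entry["request"]["remote_addr"]
        status = int(entry["status"])
    except (ValueError, KeyError, TypeError):
        return None
    # remote_addr is expected as host:port; drop the port, unwrap IPv6 brackets
    host = addr.rsplit(":", 1)[0].strip("[]")
    if not host:  # empty or redacted address cannot be banned
        return None
    return ts, host, status


def failed_auth_ips(lines, status=401):
    """Count responses with the given status per client IP across mixed-format lines."""
    counts = {}
    for line in lines:
        parsed = parse_access_line(line)
        if parsed and parsed[2] == status:
            counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return counts
```

Pinning `format` in the `log` block, as suggested above, means only one of the two branches is ever exercised.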

Ah I didn’t see anything about it just choosing one at random if you didn’t specify it. I guess that was a pretty easy answer. Thanks.

It doesn’t choose one at random.
