My usual policy is to log nothing, particularly since my usual policy is also to make everything static. Who cares who is grabbing a static HTML file, right?
Dynamic sites are a different story, with obvious attack and breakage vectors. For every dynamic subdomain of sungo.wtf, I log IP address, time, URL requested, status code, and number of bytes sent.
Server errors are logged as well and may contain more information, depending on the application and how angry it got. For instance, if the app dropped a core file, that memory dump will probably contain the full contents of the HTTP request, response, and associated metadata. I reserve the right to hold onto that data for as long as necessary to debug the problem to my satisfaction.
I do not log user agent or referrer data.
Logs are rotated monthly.
If you are a logged-in user of any subdomain of sungo.wtf, assume I'm logging everything and have access to every file and database record. Because of course I do.