1. Yes, the raw logs show everything that goes on on your site, as far as they've been configured to do. When using frames, the browser downloads each frame individually, so you'll have a call for both index.htm and header.htm.

2. I'm not quite sure. As far as I believe, it should mean that the file was never downloaded. And, I don't think Yahoo would have used up 20 gigs. I don't think that indexing your entire forums would have taken up that much bandwidth. And Yahoo wouldn't download your .rar files. It would just make note of them. (If it did, Yahoo would suffer major problems trying to index file-hosting sites!)

3. Your log files should be relevant to the area where your server is located. According to the log snippet you posted, your server is located in an area using Mountain Standard Time (probably Arizona).

4. To quickly get you started on what each field is:

• 66.151.164.208 - The IP address making the request.
• The first hyphen is normal as it indicates that the information for that specific field could not be found. This information is normally not found in most log files.
• The second hyphen again refers to information the can not be found. This hyphen is replaced by a userid when mod_auth is being used.
• [30/Jun/2008:01:36:50 -0700] - The datestamp. The request was made on June 30, 2008 at 1:36 and 50 seconds AM. -0700 refers to the timezone. Mountain Standard Time is always UTC-7 or UTC -0700 hours.
• "GET /forum/index.php?action=who HTTP/1.1" is the request made by the browser. The browser is requesting to be sent /forum/index.php?action=who over HTTP version 1.1
• 200 - the status code returned. 200 indicates a status of "OK" and is the normal result for any existing web page (besides 304 - "Not Modified").
• 2596 refers to the size of the data sent back to the browser.
• "http://www.gunreal.com/forum/index.php" is the referrer for the request.
• "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" is the "User-Agent HTTP request header." It's just like a server signature. So, we know the request was made from a Windows XP computer, that the browser uses the Gecko rendering interface, and that the browser is Mozilla compatible. The browser also happens to be Firefox 2.0.0.14. There's a lot of info that can be pulled out of this.

    You can fine the entire reference here.

---

Good thing for Restore Session in Firefox or I would have lost this entire post after typing the whole thing.

Oh, Oh!! I just looked at my file and I may have found something. Requests for index.htm may sometimes be listed as "GET / HTTP/1.1". This means the browser was requesting the index of the site, but referenced it as nothing so that it got the default page. These entries should be directly followed by a call for header.htm. Anything that requests index.htm is probably someone who has made your site a favorite and is requesting the specific page. I don't know why that wouldn't be followed by a header.htm request though.

As for why Yahoo is using up so much bandwidth, I have no idea. My server at my house is regularly hit by search engines, but I'm on vacation and have no access to the log files to see what is logged. Just make sure your not looking at people coming from a Yahoo search that are using up the bandwidth. In this case, Yahoo would be listed as the referring address. Even if you're not worried, I would seriously looking as to why Yahoo is downloading 20 gigs. That's serious abuse to the server for just a search engine!

Always happy to help ^^