The format of the log entry can be customized according to the documentation here:
Some format tokens that are mentioned, but not really called out are $cookie and $header.
Using these tokens, you can ask OC4J to inject the specified cookie/header value into the access-log.
For example, if you wanted to log the value of the JSESSIONID cookie for each request, you'd configure the format string as follows:
<access-log path="../log/default-web-access.log" format="When OC4J runs, it will log entries in default-web-access.log according to the pattern that was specified:
$ip - $user '$request' $status $cookie:JSESSIONID" />
22.214.171.124 - 'oc4jadmin' 'GET /peek/ HTTP/1.1' 200 c2796b83b9d7a79cfa4c491792f6783fd64a00cd3a17d13548c189d8d6e6543f