Hmmmm... very interesting. Sooo, I tried with different browsers. I cleared the cache before each one. The zeros are just an example... there's a real IP there.
If I do a google image search on one of my sites I get the following when using Chrome
00.000.00.00 - - [03/Feb/2013:12:03:13 -0500] "GET /Pictures/nature/PineNeedlesSnow2.JPG HTTP/1.1" 200 49008 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
and when clicking on view original, the only entry is for favicon:
00.000.00.00 - - [03/Feb/2013:12:16:03 -0500] "GET /favicon.ico HTTP/1.1" 404 466 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17" In Firefox
I get this, and no entry when clicking on view original:
00.000.00.00 - - [03/Feb/2013:12:17:34 -0500] "GET /cooking/KitchenScene.JPG HTTP/1.1" 200 13623 "-" "Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1"
BUT... If I use Internet Explorer
I get this:
22.214.171.124 - - [03/Feb/2013:12:09:35 -0500] "GET /cooking/MacNCheeseFancy.jpg HTTP/1.1" 200 35403 "http://www.google.com/blank.html" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
followed by this if I click on view original image:
00.000.00.00 - - [03/Feb/2013:12:12:43 -0500] "GET /cooking/MacNCheeseFancy.jpg HTTP/1.1" 200 35403 "http://www.google.com/url?sa=i&rct=j&q=site%3Aexample.com&source=images&cd=&docid=90m4oaipR4GhwM&tbnid=nBS5yY36dxzeOM:&ved=0CAIQjBw&url=http%3A%2F%2Fwww.example.com%2Fcooking%2FMacNCheeseFancy.jpg&ei=0ZkOUbX0A8qDyAHPsYHgCw&bvm=bv.41867550,d.aWc&psig=AFQjCNF0jR1QLe4EDRiejSDG4B2VOt3nmA&ust=1359997750423096" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
Sooooo... it's looking like what shows up in the Apache logs is dependent on which browser you're using.
Which browsers are you guys using?
In any case, it's sounding like a comprehensive solution is gonna be a tad bit more involved - I'll try to plow through the Apache documentation, and see if I can figure out how to pull the relevant info from the header file... but it may take a while for me to translate all that technospeak into things my brain can comprehend!
BTW Lucy, the second number (in your case 376) is indeed supposed to be the amount of data transferred, although that does sound a bit small to be an image.
[edited by: Catia at 5:51 pm (utc) on Feb 3, 2013]