RE: [squid-users] Squid 3.0 - log analysis

From: Maciek Iwanowski <maciek.iwanowski_at_glasspartnership.co.uk>
Date: Fri, 27 Jun 2008 15:37:14 +0100

OK, I'll reply to myself :]

Documentation in squid.conf says:

tl Local time. Optional strftime format argument %d/%b/%Y:%H:%M:%S %z

It seems that this is not true. The default strftime argument is:
%d/%b/%Y:%H:%M:%S

A quick fix for this is just to modify the default combined log format
definition:

logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

M.

-----Original Message-----
From: Maciek Iwanowski [mailto:maciek.iwanowski_at_glasspartnership.co.uk]
Sent: 27 June 2008 14:52
To: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Squid 3.0 - log analysis

Unfortunately, the output of emulate_httpd_log does not provide enough
information (it lacks the user agent).

This is why I'm struggling to get logformat working.

It seems that the timestamp output is different with emulate_httpd_log. How
can I force squid to log time in this way without emulating httpd logs?

M.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: 27 June 2008 13:47
To: Maciek Iwanowski
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Squid 3.0 - log analysis

Maciek Iwanowski wrote:
> Hello,
>
> I'm trying to force Urchin to understand Squid combined log files. I
> created a custom logformat that should match a typical Apache combined log
> perfectly:
>
> logformat combined %>a %ui %un [%tl] "%rm %rp HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h"
>
> At the moment I'm trying to make AWStats read the logs, and
> unfortunately it keeps complaining about the log format. The file is
> readable; however, for some unknown reason it cannot be parsed properly.
>
> This is the example line from the log file:
>
> 172.16.5.143 - - [27/Jun/2008:11:35:14] "GET /modules/system/system.css HTTP/1.1" 304 463 "http://gls-tleo.dev/news/current" "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9) Gecko/2008061015 Firefox/3.0"
>
> Has anyone come across this sort of problem?

The Apache combined format is built into squid. You can get it properly
by just setting:

   emulate_httpd_log on
   access_log /file/path

It also appears to be available for any single log file under the
built-in format name "combined" even if emulate_httpd_log is turned off
in general.

Your format has %rp where apache has %ru, and is missing the %Ss:%Sh
terminating details.

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Fri Jun 27 2008 - 14:37:17 MDT
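
Added example, not part of the original thread and not Squid or AWStats code: a small Python check that classifies access-log lines the way the thread diagnoses them, distinguishing a timestamp that lacks the `%z` offset from a line whose fields are malformed. The second sample line and its `TCP_MISS:DIRECT` suffix are constructed for illustration.

```python
import re
from datetime import datetime

# Field layout of the "combined" logformat discussed in this thread; the
# trailing %Ss:%Sh pair (Squid status:hierarchy) is treated as optional.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: (?P<squid>\S+:\S+))?$'
)
WITH_TZ = "%d/%b/%Y:%H:%M:%S %z"   # what Apache-style parsers expect
NO_TZ = "%d/%b/%Y:%H:%M:%S"        # what the thread's sample line contains

def check_line(line):
    """Classify one access-log line; returns (verdict, detail)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("malformed", "fields do not match the combined layout")
    ts = m.group("ts")
    try:
        return ("ok", datetime.strptime(ts, WITH_TZ).isoformat())
    except ValueError:
        pass
    try:
        datetime.strptime(ts, NO_TZ)
        return ("no-timezone", "timestamp has no UTC offset (%z)")
    except ValueError:
        return ("bad-timestamp", ts)

TAIL = ('304 463 "http://gls-tleo.dev/news/current" "Mozilla/5.0 (X11; U; '
        'Linux i686; en-GB; rv:1.9) Gecko/2008061015 Firefox/3.0"')
SAMPLES = [
    # The line quoted in the thread, produced with a bare %tl.
    '172.16.5.143 - - [27/Jun/2008:11:35:14] '
    '"GET /modules/system/system.css HTTP/1.1" ' + TAIL,
    # Constructed: same request as the corrected logformat would write it
    # (offset, full URL from %ru, and an assumed TCP_MISS:DIRECT status).
    '172.16.5.143 - - [27/Jun/2008:11:35:14 +0100] '
    '"GET http://gls-tleo.dev/modules/system/system.css HTTP/1.1" '
    + TAIL + ' TCP_MISS:DIRECT',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_line(sample))
```

Running a check like this over a log before feeding it to an analyzer also catches offset-less timestamps, which are ambiguous when proxy logs are correlated with logs from hosts in other time zones.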