Squid_ The Definitive Guide - Duane Wessels [123]
Note that most of these codes may be preceded by TIMEOUT_ to indicate that a timeout occurred while waiting for ICP/HTCP replies. For example:
1066038165.382 345 193.233.46.21 TCP_MISS/200 2836
GET http://www.caida.org/home/images/home.jpg
TIMEOUT_CLOSEST_DIRECT/213.219.122.19 image/jpeg
You can adjust the timeout with the icp_query_timeout directive.
Configuration Directives That Affect access.log
Following are the configuration file directives that affect the access.log in one way or another.
log_icp_queries
This directive, enabled by default, causes Squid to log all ICP queries. If you're running a busy parent cache, this may make your access.log files huge. To save space, disable this directive:
log_icp_queries off
If you disable ICP query logging, I suggest that you monitor the number of queries, either through the cache manager or with SNMP.
emulate_httpd_log
The access.log file has two formats: common and native. The common format is the same as most HTTP servers (e.g., Apache) use. It contains less information than Squid's native format. However, you might want to use the common log-file format if you use Squid as a surrogate (see Chapter 15). The common format may also be useful if you have log-file analysis tools that know how to parse it. Use this directive to enable the common format:
emulate_httpd_log on
See http://www.w3.org/Daemon/User/Config/Logging.html#common-logfile-format for a description of this format.
log_mime_hdrs
Use the log_mime_hdrs directive to make Squid log the HTTP request and response headers:
log_mime_hdrs on
When enabled, Squid appends the request and response headers to access.log. This adds two fields to each line. Each field is surrounded by square brackets to make parsing easier. Certain characters are encoded to keep the log file readable. Table 13-2 shows the encoding scheme.
Table 13-2. Character encoding rules for HTTP headers in access.log
Character        Encoding
Newline          \n
Carriage return  \r
Backslash        \\
[                %5b
]                %5d
%                %25
ASCII 0-31       %xx (hexadecimal value)
ASCII 127-255    %xx (hexadecimal value)
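As an added example (not from the book or the Squid source), this Python code splits the two bracketed header fields off a native-format line and reverses the Table 13-2 encoding in a single pass, so that an encoded %25 or \\ is never decoded twice and client-supplied header bytes cannot be mistaken for field delimiters. The sample line is constructed, and the CRLF-separated "Name: value" layout inside each field is an assumption.

```python
import re

# Decode in ONE pass so a decoded '%' or '\' is never decoded a second time
# (otherwise "%255b" would wrongly become "[" instead of "%5b").
_TOKEN = re.compile(r'\\([nr\\])|%([0-9A-Fa-f]{2})')
_ESC = {'n': '\n', 'r': '\r', '\\': '\\'}

def decode_field(text):
    """Reverse the Table 13-2 encoding for one bracketed header field."""
    def sub(m):
        if m.group(1) is not None:
            return _ESC[m.group(1)]
        return chr(int(m.group(2), 16))   # byte value -> same code point
    return _TOKEN.sub(sub, text)

def parse_headers(block):
    """Turn a decoded header block into (name, value) pairs.
    Assumption: headers are CRLF-separated "Name: value" lines."""
    pairs = []
    for raw in block.split('\r\n'):
        name, sep, value = raw.partition(':')
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

# The header fields are the last two on the line. Literal brackets inside
# them are logged as %5b/%5d, so [^\[\]]* cannot run past a field boundary.
_TAIL = re.compile(r' \[([^\[\]]*)\] \[([^\[\]]*)\]$')

def split_headers(line):
    """Return (base_fields, request_headers, response_headers)."""
    line = line.rstrip('\n')
    m = _TAIL.search(line)
    if m is None:
        raise ValueError('no bracketed header fields on this line')
    return (line[:m.start()].split(),
            parse_headers(decode_field(m.group(1))),
            parse_headers(decode_field(m.group(2))))

# Constructed sample line (not from the book); addresses are documentation ranges.
SAMPLE = (r'1066038165.382 345 192.0.2.10 TCP_MISS/200 2836 GET '
          r'http://example.com/a.jpg - DIRECT/192.0.2.80 image/jpeg '
          r'[User-Agent: x%5b1%5d\r\nX-Note: 100%25 \\n literal\r\n] '
          r'[Content-Type: image/jpeg\r\n]')

if __name__ == '__main__':
    print(split_headers(SAMPLE))
```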
log_fqdn
By default, Squid puts client IP addresses in the access.log. You can record hostnames, when available, by enabling this directive:
log_fqdn on
This causes Squid to make reverse DNS lookups for the client's address when it receives a request. If an answer is available by the time the request is complete, Squid places it in the third field.
ident_lookup_access
This access rule list determines whether or not Squid makes an RFC 1413 ident query for the client's TCP connection. By default, Squid doesn't issue ident queries. To enable this feature, simply add one or more rules:
acl All src 0/0
ident_lookup_access allow All
If an answer is available by the time the request is complete, Squid places it in the eighth field. If you are also using HTTP authentication, that username is written instead of the ident answer.
log_ip_on_direct
When Squid forwards a cache miss to an origin server, it records the origin server's IP address in the ninth field. You can disable this directive so that Squid writes the hostname instead:
log_ip_on_direct off
In this case, the hostname comes from the URI. If the URI contains an IP address, Squid doesn't convert it to a hostname.
client_netmask
This directive exists to provide some level of privacy for your users. Rather than logging the entire client IP address, you can mask off some bits. For example:
client_netmask 255.255.255.0
With this setting, all client IP addresses in access.log have 0 as the last octet:
1066036246.918 35 163.11.255.0 TCP_IMS_HIT/304 266 GET http://...
1066036246.932 16 163.11.255.0 TCP_IMS_HIT/304 266 GET http://...
1066036247.616 313 140.132.252.0 TCP_MISS/200 1079 GET http://...
1066036248.598 44459 140.132.252.0 TCP_MISS/500 1531 GET http://...
1066036249.230 17 170.210.173.0 TCP_IMS_HIT/304 265 GET http://...
1066036249.752 2135 140.132.252.0 TCP_MISS/200 50230