Controlling log formats in Squid

The Squid proxy comes with prepackaged logging formats like these:

logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

Unfortunately the %ru parameter strips off any HTTP GET parameters that could have been found in the query. Changing it to %rp fixes that, but strips off the host part of the URL as a result!

One solution to that was to extract the Host header from the raw headers >h (the %{Host}>h portion), and to replace %rm with %rp.

logformat mynewcombinedformat %>a %ui %un [%tl] "%rm %{Host}>h %rp HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

Somewhat better now, but it does not show the port being CONNECTed to (for example hostname:443 for SSL connections), as it is only shown as part of the %ru parameter… -_-

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s