Controlling log formats in Squid

The Squid proxy comes with prepackaged logging formats like these:

logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
logformat squidmime %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

Unfortunately the %ru parameter strips off any HTTP GET parameters that could have been found in the query. Changing it to %rp fixes that, but strips off the host part of the URL as a result!

One solution to that was to extract the Host header from the raw headers >h (the %{Host}>h portion), and to replace %rm with %rp.

logformat mynewcombinedformat %>a %ui %un [%tl] "%rm %{Host}>h %rp HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

Somewhat better now, but it does not show the port being CONNECTed to (for example hostname:443 for SSL connections), as it is only shown as part of the %ru parameter… -_-

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s