How to log only certain result/status codes with Squid


By default Squid logs all access information including 'successes' and 'failures'. I'm interested in logging only 'failures'. In other words, I want to do something like log only Squid DENIED result codes, or, alternatively, don't log successful HTTP transactions. Regardless of how I define 'success' and 'failure', I need to be able to define more specifically what sort of access information Squid will write to the log file. Does anybody know how to do this?

Best Answer

You can achieve this functionality with ACLs, though there are some tricks to it.

The main trick is to make sure that you don't accidentally check binary connections for http_status codes. Squid never sees status codes for binary connections and will throw a warning in cache.log for any binary connection it sees if you mess this up.

Here is a sample config that will write all HTTP successes and redirections, as well as all binary connections that finish opening a socket (we don't have success/failure visibility beyond that), to success.log, and all HTTP failure codes and binary connections that fail to open a socket to failure.log.

acl CONNECT method CONNECT

# http status codes (http://wiki.squid-cache.org/SquidFaq/SquidLogs)
acl success_codes http_status 100-199 # informational
acl success_codes http_status 200-299 # successful transactions
acl success_codes http_status 300-399 # redirection

acl failure_codes http_status 400-499 # client error
acl failure_codes http_status 500-599 # server error

acl success_hier hier_code HIER_DIRECT
acl failure_hier hier_code HIER_NONE

acl failure all-of CONNECT failure_hier
acl failure all-of !CONNECT failure_codes

acl success all-of CONNECT success_hier
acl success all-of !CONNECT success_codes

access_log stdio:/usr/local/squid/var/logs/success.log logformat=squid success
access_log stdio:/usr/local/squid/var/logs/failure.log logformat=squid failure

The problem with this config is that it disables the default log file and will not log anything that doesn't match one of those two ACLs. Now, I'm pretty confident that I've written my ACLs well and that I've accounted for all possibilities, but this would still make me nervous, so you might want to add another log file just to catch anything that happens to miss both ACLs:

access_log stdio:/usr/local/squid/var/logs/unknown.log logformat=squid !success !failure

Or you can just define success and set failure to !success:

acl CONNECT method CONNECT

# http status codes (http://wiki.squid-cache.org/SquidFaq/SquidLogs)
acl success_codes http_status 100-199 # informational
acl success_codes http_status 200-299 # successful transactions
acl success_codes http_status 300-399 # redirection

acl success_hier hier_code HIER_DIRECT
acl failure_hier hier_code HIER_NONE

acl success all-of CONNECT success_hier
acl success all-of !CONNECT success_codes

access_log stdio:/usr/local/squid/var/logs/success.log logformat=squid success
access_log stdio:/usr/local/squid/var/logs/failure.log logformat=squid !success
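
An added example, not part of the answer above: a Python model of the first config's `success` and `failure` ACLs, run over native-format log lines to show which entries would match neither and end up in unknown.log. The sample lines are constructed, and the `HIER_`-prefixed hierarchy field and the `FIRSTUP_PARENT` peer case are assumptions about the deployment, not something the answer states.

```python
import re
from collections import Counter

# Native "squid" logformat: time elapsed client result/status bytes method URL user hier/peer type
LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<result>\w+)/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+\S+\s+\S+\s+(?P<hier>\w+)/\S+\s+\S+$"
)

def classify(line):
    """Return 'success', 'failure' or 'unknown', following the answer's ACL definitions."""
    m = LINE.match(line.strip())
    if m is None:
        return "unknown"
    if m["method"] == "CONNECT":
        # Tunnels are judged on the hierarchy code only, never on http_status.
        return {"HIER_DIRECT": "success", "HIER_NONE": "failure"}.get(m["hier"], "unknown")
    status = int(m["status"])
    if 100 <= status <= 399:
        return "success"
    if 400 <= status <= 599:
        return "failure"
    return "unknown"  # e.g. status 000 when no response was received

def tally(lines):
    """Count how many lines each of the three log files would receive."""
    return dict(Counter(classify(l) for l in lines))

# Constructed sample lines (documentation addresses, not from a real proxy).
SAMPLE = [
    "1700000000.101    120 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html",
    "1700000001.202      0 192.0.2.11 TCP_DENIED/403 3900 GET http://blocked.example/ - HIER_NONE/- text/html",
    "1700000002.303   8450 192.0.2.10 TCP_TUNNEL/200 9100 CONNECT example.org:443 - HIER_DIRECT/198.51.100.8 -",
    "1700000003.404      0 192.0.2.12 TCP_DENIED/403 3850 CONNECT blocked.example:443 - HIER_NONE/- text/html",
    "1700000004.505   6000 192.0.2.13 TCP_TUNNEL/200 700 CONNECT example.net:443 - FIRSTUP_PARENT/203.0.113.5 -",
    "1700000005.606  30000 192.0.2.14 TCP_MISS_ABORTED/000 0 GET http://slow.example/ - HIER_DIRECT/198.51.100.9 -",
]

if __name__ == "__main__":
    for line in SAMPLE:
        fields = line.split()
        print(classify(line), fields[3], fields[5], sep="\t")
```

In this model the last two sample lines (a tunnel routed through a parent peer and a request logged with status 000) match neither ACL, which is the case the unknown.log rule exists to catch.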