time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
Therefore, an access.log entry usually consists of (at least) 10 columns separated by one ore more spaces:
time A Unix timestamp as UTC seconds with a millisecond resolution. You can convert Unix timestamps into something more human readable using this short perl script:
s/^\d+\.\d+/localtime $&/e;
duration The elapsed time considers how many milliseconds the transaction busied the cache. It differs in interpretation between TCP and UDP:
- For HTTP this is basically the time from having received the request to when Squid finishes sending the last byte of the response.
- For ICP, this is the time between scheduling a reply and actually sending it.
Please note that the entries are logged after the reply finished being sent, not during the lifetime of the transaction.
client address The IP address of the requesting instance, the client IP address. The client_netmask configuration option can distort the clients for data protection reasons, but it makes analysis more difficult. Often it is better to use one of the log file anonymizers. Also, the log_fqdnconfiguration option may log the fully qualified domain name of the client instead of the dotted quad. The use of that option is discouraged due to its performance impact.
result codes This column is made up of two entries separated by a slash. This column encodes the transaction result:
The cache result of the request contains information on the kind of request, how it was satisfied, or in what way it failed. Please refer toSquid result codes for valid symbolic result codes. Several codes from older versions are no longer available, were renamed, or split. Especially the ERR_ codes do not seem to appear in the log file any more. Also refer to Squid result codes for details on the codes no longer available. The status part contains the HTTP result codes with some Squid specific extensions. Squid uses a subset of the RFC defined error codes for HTTP. Refer to section status codes for details of the status codes recognized.
bytes The size is the amount of data delivered to the client. Mind that this does not constitute the net object size, as headers are also counted. Also, failed requests may deliver an error page, the size of which is also logged here.
request method The request method to obtain an object. Please refer to section request-methods for available methods. If you turned offlog_icp_queries in your configuration, you will not see (and thus unable to analyze) ICP exchanges. The PURGE method is only available, if you have an ACL for "method purge" enabled in your configuration file.
URL This column contains the URL requested. Please note that the log file may contain whitespace for the URI. The default configuration foruri_whitespace denies or truncates whitespace, though.
rfc931 The eighth column may contain the ident lookups for the requesting client. Since ident lookups have performance impact, the default configuration turns ident_loookups off. If turned off, or no ident information is available, a "-" will be logged.
hierarchy code The hierarchy information consists of three items:
Any hierarchy tag may be prefixed with TIMEOUT_, if the timeout occurs waiting for all ICP replies to return from the neighbours. The timeout is either dynamic, if the icp_query_timeout was not set, or the time configured there has run up.
A code that explains how the request was handled, e.g. by forwarding it to a peer, or going straight to the source. Refer to Hierarchy Codesfor details on hierarchy codes and removed hierarchy codes.
- The IP address or hostname where the request (if a miss) was forwarded. For requests sent to origin servers, this is the origin server's IP address. For requests sent to a neighbor cache, this is the neighbor's hostname. NOTE: older versions of Squid would put the origin server hostname here.
type The content type of the object as seen in the HTTP reply header. Please note that ICP exchanges usually don't have any content type, and thus are logged "-". Also, some weird replies have content types ":" or even empty ones.
