[squid-users] Tagged ACLs?
Alex Rousskov
rousskov at measurement-factory.com
Sat May 20 18:53:22 UTC 2017
On 05/20/2017 10:07 AM, Ralf Hildebrandt wrote:
> we want to create statistics on how many
> clients were "caught" trying to access blocked sites.
>
> Currently, we're grepping the log for TCP_DENIED in conjunction with the
> patterns from the ACLs. [...]
> Is there any way around this? Like "tagging" rejects or logging the
> ACL that caused the rejection?
Yes, append an annotate_transaction ACL with a distinct annotation value
to each distinct http_access rule. If you have many such rules, this
should be automated, of course.
Log the added annotation using %note logformat code.
FWIW, the idea of logging "the [name of the] ACL that caused the
rejection" (a la deny_info) does not work well in general because the
same ACL name may appear in many rules (in general). And the idea of
logging the matched http_access rule "number" makes logged values very
fragile -- a single change in http_access lines may change the meaning
of half of the logged values.
HTH,
Alex.
More information about the squid-users
mailing list