[squid-users] Squid4 '%<la' empty sometimes

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 4 15:42:44 UTC 2018 

On 04/04/18 21:15, Peter Viskup wrote:
> On Linux Virtual Server balanced cluster the %<la is empty when Squid
> errors ERR_ACCESS_DENIED or TCP_MEM_HIT are logged.
> 
> This is causing issue when processing logs on remote machine (e.g.
> ELK). The "proxy node" cannot be differentiated.

It sounds to me like you are misinterpreting what is happening and/or
using the wrong logformat tags/codes.

The denied or HIT transactions you mention *do not* involve any upstream
server. Thus no upstream server connection. No logformat codes will log
details from a non-existing thing.

NP: the set of correct/valid values includes "-" for non-existing data
on most logformat codes, only a few use "0" for legacy reasons.


> 
> This string used in logformat to differentiate Squid instance and LVS node:
> proxyPort=%lp proxyIP=%la proxyNode=%<la

All of those are displaying Squid endpoint IP:port details. They just
apply to various of the multiple different connections Squid used (or
not) for the particular HTTP transaction.

"Local" in the docs there means Squid end of the TCP connections.


If you want to log the LVS IP:port details you need to log the IP:port
details of the *other* end of the connection between Squid and the LVS.

The '<' and '>' respectively denote the data being from the
client<-Squid connection or Squid->server connection(s).

NP: There many be many Squid->server connections actually used in the
event of failures. Only the final one is recorded.


> 
> Example:
> for ERR_ACCESS_DENIED and TCP_MEM_HIT entries:
> proxyPort=3128 proxyIP=10.x.y.z proxyNode=-
> 

A client (unknown) connected to Squid 10.x.y.z:3128.
No server involvement.


> for ERR_DIR_LISTING entry:
> proxyPort=3128 proxyIP=10.x.y.z proxyNode=10.x.y.a
> 

A client (unknown) connected to Squid 10.x.y.z:3128.
Squid contacted a server (unknown) from IP 10.x.y.a:(port unknown).


> How to differentiate the nodes in such cases?


So can you clarify what you mean by "Linux Virtual Server balanced
cluster" ?

Is that a cluster of LB devices/VM in front (or behind) a Squid proxy?
 or some Squid running on each node of the cluster?
 or something else?


Amos

More information about the squid-users mailing list