[squid-users] squid v4: logformat log the last denied ACL object

David Touzeau david at articatech.com
Thu Apr 18 07:18:41 UTC 2019


On 15/04/2019 at 22:41, Alex Rousskov wrote:
> On 4/15/19 8:01 AM, David Touzeau wrote:
>
>> Is it possible, sometimes to better understand a bunch of ACLs to log
>> the last matches or a set of matched acls objects:
>> 192.168.1.235 - - [15/Apr/2019:15:59:30 +0200] "GET
>> http://www.msftncsi.com/ncsi.txt HTTP/1.1" 200 211 "-" "curl/7.52.1"
>> TCP_MISS:HIER_DIRECT text/plain objects1,objects2
> Yes, it is possible to do something like that in modern Squids, but
> covering all ACLs in a non-trivial squid.conf would require tedious
> manual work or automation. Here is a rough untested recipe:
>
> 1. For each named ACL x that you want to access-log, create a wrapper
> annotation ACL called matchAndLogX:
>
>     acl x ...
>     acl annotateAfterX annotate_transaction matchedAcls+=x
>     acl matchAndLogX all-of x annotateAfterX
>
>
> 2. For each named ACL x wrapped in step 1, replace all its uses in old
> squid.conf directives with the matchAndLogX ACLs defined in step 1. For
> example:
>
>     http_access deny x y
>
> becomes
>
>     http_access deny matchAndLogX matchAndLogY
>
>
> 3. Add matchedAcls annotation to your logformat definition to log
> annotations accumulated by the wrapper ACLs defined in step 1:
>
>     logformat myAccessRecord ...  %note{matchedAcls}
>     access_log ... logformat=myAccessRecord ...
>
>
> Depending on your actual configuration, you may be able to reduce the
> amount of logging/wrapping if you annotate groups of matching ACLs
> rather than each individual ACL. For example:
>
>      acl annotateAfterXandY annotate_transaction matchedAcls+=(x,y)
>      http_access deny x y annotateAfterXandY
>
>
> Needless to say, adding such annotations manually to a non-trivial
> configuration is a lot of error-prone work! Automating wrapping,
> monitoring cache.log with elevated debugging levels (see debug_options),
> or hacking Squid to log the info you need is a better approach in many
> (most?) cases.
>
>
> HTH,
>
> Alex.

Thanks !!!

Will try both options
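
One way to automate steps 1 and 2 of the recipe quoted above, as an added example (not code from the thread or from the Squid project). The function names, the choice to rewrite only http_access lines, and the sample configuration are assumptions; the logformat line from step 3 is still added by hand.

```python
# Directives whose ACL lists get rewritten (assumption: extend as needed).
ACCESS_DIRECTIVES = {"http_access"}

def wrapper_names(acl):
    """Names used by the recipe: annotateAfterX and matchAndLogX for ACL x."""
    suffix = acl[0].upper() + acl[1:]
    return "annotateAfter" + suffix, "matchAndLog" + suffix

def wrap_acls(conf_text, acl_names):
    """Return squid.conf text with the named ACLs wrapped per steps 1 and 2."""
    lines = conf_text.splitlines()
    # Wrappers go after the LAST definition line of each ACL, because an ACL
    # may be built up over several "acl x ..." lines.
    last_def = {}
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "acl" and parts[1] in acl_names:
            last_def[parts[1]] = i
    missing = set(acl_names) - set(last_def)
    if missing:
        raise ValueError("ACLs not defined in config: %s" % sorted(missing))
    out = []
    for i, line in enumerate(lines):
        parts = line.split()
        if parts and parts[0] in ACCESS_DIRECTIVES:
            # Step 2: keep directive and action, swap plain ACL tokens only.
            # Negated uses (!x) are left alone: the wrapper annotates when x
            # matches, which is exactly when !x fails.
            acls = [wrapper_names(a)[1] if a in last_def else a for a in parts[2:]]
            line = " ".join(parts[:2] + acls)
        out.append(line)
        for acl, idx in last_def.items():
            if idx == i:
                # Step 1: annotation ACL plus the all-of wrapper.
                annotate, wrapped = wrapper_names(acl)
                out.append("acl %s annotate_transaction matchedAcls+=%s" % (annotate, acl))
                out.append("acl %s all-of %s %s" % (wrapped, acl, annotate))
    return "\n".join(out) + "\n"

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
acl x dstdomain .example.com
acl y src 192.168.1.0/24
acl z port 8080
http_access deny x y
http_access allow !x z
http_access deny all
"""

if __name__ == "__main__":
    print(wrap_acls(SAMPLE, ["x", "y"]), end="")
```

Because each annotation is added as soon as its ACL matches, %note{matchedAcls} lists every wrapped ACL that matched during evaluation, including ones in rules that went on to fail on a later ACL.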
