[squid-users] Tagged ACLs?

Alex Rousskov rousskov at measurement-factory.com
Sat May 20 18:53:22 UTC 2017


On 05/20/2017 10:07 AM, Ralf Hildebrandt wrote:

> we want to create statistics on how many
> clients were "caught" trying to access blocked sites.
> 
> Currently, we're grepping the log for TCP_DENIED in conjunction with the
> patterns from the ACLs. [...]  
> Is there any way around this? Like "tagging" rejects or logging the
> ACL that caused the rejection?

Yes, append an annotate_transaction ACL with a distinct annotation value
to each distinct http_access rule. If you have many such rules, this
should be automated, of course.

Log the added annotation using %note logformat code.

FWIW, the idea of logging "the [name of the] ACL that caused the
rejection" (a la deny_info) does not work well in general because the
same ACL name may appear in many rules (in general). And the idea of
logging the matched http_access rule "number" makes logged values very
fragile -- a single change in http_access lines may change the meaning
of half of the logged values.


HTH,

Alex.
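
An added example, not part of the original message or of Squid's own code: a Python sketch that automates the per-rule annotate_transaction tagging described above and tallies denials per tag from the resulting log. The annotation key `deny_tag`, the ACL names, the logformat name `tagged` and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed blocklist ACL names, in http_access order; the matching
# "acl ads dstdomain ..." style definitions are assumed to exist already.
BLOCK_ACLS = ["ads", "malware", "gambling"]

def render_rules(acls, key="deny_tag"):
    """Emit squid.conf lines that give every deny rule its own annotation."""
    lines = []
    for name in acls:
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            raise ValueError(f"unsafe ACL name: {name!r}")
        # The annotating ACL goes last, so it is only evaluated (and the
        # annotation only added) after the blocklist ACL has matched.
        lines.append(f"acl tag_{name} annotate_transaction {key}={name}")
        lines.append(f"http_access deny {name} tag_{name}")
    # %{key}note logs that annotation's value as the final field.
    lines.append(f"logformat tagged %ts.%03tu %>a %Ss/%03>Hs %rm %ru %{{{key}}}note")
    return lines

def tally_denials(log_lines):
    """Return {tag: {"hits": n, "clients": k}} for TCP_DENIED entries."""
    hits, clients = defaultdict(int), defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed or truncated lines
        _, client, status, _, _, tag = fields
        if status.startswith("TCP_DENIED/"):
            tag = "untagged" if tag == "-" else tag  # denied by an untagged rule
            hits[tag] += 1
            clients[tag].add(client)
    return {t: {"hits": hits[t], "clients": len(clients[t])} for t in hits}

# Constructed sample lines in the "tagged" format above.
SAMPLE_LOG = [
    "1495306402.123 192.0.2.10 TCP_DENIED/403 GET http://ads.example.com/a.js ads",
    "1495306403.456 192.0.2.11 TCP_DENIED/403 GET http://ads.example.com/b.gif ads",
    "1495306404.789 192.0.2.10 TCP_DENIED/403 CONNECT bad.example.net:443 malware",
    "1495306405.001 192.0.2.12 TCP_MISS/200 GET http://www.example.org/ -",
    "1495306406.002 192.0.2.10 TCP_DENIED/403 GET http://ads.example.com/c.gif ads",
    "1495306407.003 192.0.2.13 TCP_DENIED/403 GET http://other.example.org/ -",
]

if __name__ == "__main__":
    print("\n".join(render_rules(BLOCK_ACLS)))
    for tag, stats in sorted(tally_denials(SAMPLE_LOG).items()):
        print(tag, stats)
```

Because each tag is tied to a rule rather than to an ACL name or a rule position, reordering or inserting http_access lines does not change what a logged value means.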


