[squid-users] squid v4: logformat log the last denied ACL object
Alex Rousskov
rousskov at measurement-factory.com
Mon Apr 15 20:41:25 UTC 2019
On 4/15/19 8:01 AM, David Touzeau wrote:
> Is it possible, sometimes to better understand a bunch of ACLs to log
> the last matches or a set of matched acls objects:
> 192.168.1.235 - - [15/Apr/2019:15:59:30 +0200] "GET
> http://www.msftncsi.com/ncsi.txt HTTP/1.1" 200 211 "-" "curl/7.52.1"
> TCP_MISS:HIER_DIRECT text/plain objects1,objects2
Yes, it is possible to do something like that in modern Squids, but
covering all ACLs in a non-trivial squid.conf would require tedious
manual work or automation. Here is a rough untested recipe:
1. For each named ACL x that you want to access-log, create a wrapper
annotation ACL called matchAndLogX:

    acl x ...
    acl annotateAfterX annotate_transaction matchedAcls+=x
    acl matchAndLogX all-of x annotateAfterX

2. For each named ACL x wrapped in step 1, replace all its uses in old
squid.conf directives with the matchAndLogX ACLs defined in step 1. For
example:

    http_access deny x y

becomes

    http_access deny matchAndLogX matchAndLogY

3. Add matchedAcls annotation to your logformat definition to log
annotations accumulated by the wrapper ACLs defined in step 1:

    logformat myAccessRecord ... %note{matchedAcls}
    access_log ... logformat=myAccessRecord ...

Depending on your actual configuration, you may be able to reduce the
amount of logging/wrapping if you annotate groups of matching ACLs
rather than each individual ACL. For example:

    acl annotateAfterXandY annotate_transaction matchedAcls+=(x,y)
    http_access deny x y annotateAfterXandY

Needless to say, adding such annotations manually to a non-trivial
configuration is a lot of error-prone work! Automating wrapping,
monitoring cache.log with elevated debugging levels (see debug_options),
or hacking Squid to log the info you need is a better approach in many
(most?) cases.
HTH,
Alex.
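
The wrapping in steps 1 and 2 of the recipe above can be scripted. The following is an added example, not part of the original message and not Squid project code; the function names, the sample configuration and the choice to rewrite only http_access lines are assumptions. Step 3 (the logformat line) is still added by hand.

```python
# Added example (not Squid project code): automates steps 1 and 2 of the recipe.
ACCESS_DIRECTIVES = ("http_access",)  # assumption: extend to other directives you use

def suffix(name):
    """Capitalize the first letter so ACL x yields annotateAfterX / matchAndLogX."""
    return name[:1].upper() + name[1:]

def wrap_acls(conf, names, directives=ACCESS_DIRECTIVES):
    """Return squid.conf text with wrapper ACLs added and access rules rewritten."""
    lines = conf.splitlines()
    # An ACL may span several "acl x ..." lines; the wrapper goes after the last.
    last_def = {}
    for i, line in enumerate(lines):
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "acl" and tok[1] in names:
            last_def[tok[1]] = i
    out = []
    for i, line in enumerate(lines):
        tok = line.split()
        if len(tok) >= 3 and tok[0] in directives:
            rewritten = []
            for t in tok[2:]:  # tok[1] is allow/deny
                if t in last_def:
                    if last_def[t] > i:
                        raise ValueError(f"line {i + 1}: {t} is extended after this use")
                    t = "matchAndLog" + suffix(t)
                # Negated uses (!x) are kept as written; the recipe shows plain uses only.
                rewritten.append(t)
            line = " ".join(tok[:2] + rewritten)
        out.append(line)
        for name, at in last_def.items():
            if at == i:
                s = suffix(name)
                out.append(f"acl annotateAfter{s} annotate_transaction matchedAcls+={name}")
                out.append(f"acl matchAndLog{s} all-of {name} annotateAfter{s}")
    return "\n".join(out) + "\n"

# Constructed sample configuration.
SAMPLE = """\
acl x src 192.168.1.0/24
acl y dstdomain .msftncsi.com
acl y dstdomain .example.com
acl z port 8080
http_access deny x y
http_access allow !y z
http_access deny all
"""

if __name__ == "__main__":
    print(wrap_acls(SAMPLE, {"x", "y"}), end="")
```

Check the generated file with `squid -k parse` before loading it.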