[squid-users] squid v4: logformat log the last denied ACL object

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 15 20:41:25 UTC 2019


On 4/15/19 8:01 AM, David Touzeau wrote:

> Is it possible, sometimes to better understand a bunch of ACLs to log
> the last matches or a set of matched acls objects:

> 192.168.1.235 - - [15/Apr/2019:15:59:30 +0200] "GET
> http://www.msftncsi.com/ncsi.txt HTTP/1.1" 200 211 "-" "curl/7.52.1"
> TCP_MISS:HIER_DIRECT text/plain objects1,objects2

Yes, it is possible to do something like that in modern Squids, but
covering all ACLs in a non-trivial squid.conf would require tedious
manual work or automation. Here is a rough untested recipe:

1. For each named ACL x that you want to access-log, create a wrapper
annotation ACL called matchAndLogX:

   acl x ...
   acl annotateAfterX annotate_transaction matchedAcls+=x
   acl matchAndLogX all-of x annotateAfterX


2. For each named ACL x wrapped in step 1, replace all its uses in old
squid.conf directives with the matchAndLogX ACLs defined in step 1. For
example:

   http_access deny x y

becomes

   http_access deny matchAndLogX matchAndLogY


3. Add matchedAcls annotation to your logformat definition to log
annotations accumulated by the wrapper ACLs defined in step 1:

   logformat myAccessRecord ...  %note{matchedAcls}
   access_log ... logformat=myAccessRecord ...


Depending on your actual configuration, you may be able to reduce the
amount of logging/wrapping if you annotate groups of matching ACLs
rather than each individual ACL. For example:

    acl annotateAfterXandY annotate_transaction matchedAcls+=(x,y)
    http_access deny x y annotateAfterXandY


Needless to say, adding such annotations manually to a non-trivial
configuration is a lot of error-prone work! Automating wrapping,
monitoring cache.log with elevated debugging levels (see debug_options),
or hacking Squid to log the info you need is a better approach in many
(most?) cases.


HTH,

Alex.
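
The "automating wrapping" option mentioned above, sketched as an added example (not part of the original post and not Squid project code): it applies steps 1 and 2 to a chosen set of ACL names, and assumes only http_access lines need rewriting. The function names and the sample configuration are constructed for illustration; a negated use such as !x keeps its "!" in front of the wrapper.

```python
SAMPLE_CONF = """\
acl localnet src 192.168.1.0/24
acl ads dstdomain .ads.example
acl ads dstdomain .tracker.example
acl worktime time MTWHF 09:00-18:00
http_access deny ads worktime
http_access allow localnet !ads
http_access deny all
"""  # constructed sample configuration, not from the original post

def cap(name):
    # x -> X, so the wrapper names follow the post's matchAndLogX pattern
    return name[0].upper() + name[1:]

def wrap_acls(conf_text, names, note="matchedAcls"):
    """Apply steps 1 and 2 of the recipe to the ACLs listed in names."""
    lines = conf_text.splitlines()
    last_def = {}  # ACL name -> index of its last "acl" line
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "acl" and parts[1] in names:
            last_def[parts[1]] = i
    missing = sorted(set(names) - set(last_def))
    if missing:
        raise ValueError("ACLs not defined: " + ", ".join(missing))
    out = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            # Step 2: swap each wrapped ACL for its wrapper, keeping "!" negation.
            for j in range(2, len(parts)):
                neg = "!" if parts[j].startswith("!") else ""
                name = parts[j][len(neg):]
                if name in last_def:
                    parts[j] = neg + "matchAndLog" + cap(name)
            line = " ".join(parts)
        out.append(line)
        # Step 1: define the wrapper right after the ACL's last definition line,
        # so the wrapper never refers to an ACL that is not yet defined.
        for name, idx in last_def.items():
            if idx == i:
                out.append(f"acl annotateAfter{cap(name)} annotate_transaction {note}+={name}")
                out.append(f"acl matchAndLog{cap(name)} all-of {name} annotateAfter{cap(name)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(wrap_acls(SAMPLE_CONF, ["ads", "worktime"]), end="")
```

Step 3 (adding %note{matchedAcls} to the logformat line) is left to be done by hand, and the output is worth diffing against the original file before loading it.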

