Many times we find difficulty to understand SQUID access logs and hardly there are a few references available. This article provides complete details about understanding SQUID access logs.
Understanding Squid Access Log
Complete details of SQUID access log
Easy Understanding of Squid Access Log
|The time when the request is completed (socket closed).|
The format is “Unix time” (seconds since Jan 1, 1970) with millisecond
|When the request is completed|
|The elapsed time of the request, in milliseconds. This|
is the time between the accept() and close() of the client socket.
|The IP address of the connecting client, or the FQDN if|
the ‘log_fqdn’ option is enabled in the config file.
|The Action describes how the request was treated|
locally (hit, miss, etc). All the tags are described below.
|The HTTP reply code taken|
from the first line of the HTTP reply header.
For ICP requests this is always “000.” If the reply code was not
given, it will be logged as “555.”
|For TCP requests, the amount of data written to the|
client. For UDP requests, the size of the request. (in bytes)
|The HTTP request method (GET, POST, etc), or ICP_QUERY|
for ICP requests.
|The requested URI.|
|The result of the RFC931/ident lookup of the client|
username. If RFC931/ident lookup is disabled (default: `ident_lookup
off’), it is logged as – .
|A description of how and where the requested object was|
|Hostname of the machine where we got the object.|
|Content-type of the Object (from the HTTP reply header).|
|TCP_HIT||A valid copy of the requested object was in the cache.|
|TCP_MISS||The requested object was not in the cache.|
|TCP_REFRESH_HIT||An expired copy of the requested object was in the cache. Squid|
made an If-Modified-Since request and the response was “Not Modified.”
|TCP_REFRESH_FAIL_HIT||An expired copy of the requested object was in the cache. Squid|
attempted to make an If-Modified-Since request, but it failed. The
old (stale) object was delivered to the client.
|TCP_REFRESH_MISS||An expired copy of the requested object was in the cache. Squid made|
an If-Modified-Since request and received a new, different object.
|TCP_CLIENT_REFRESH||The client issued a request with the “no-cache” pragma. (“reload” – handled as MISS)|
|TCP_IMS_HIT||An If-Modified-Since GET request was received from the client. A|
valid copy of the object was in the cache (fresh).
|TCP_IMS_MISS||An If-Modified-Since GET request was received from the client. The|
requested object was not in the cache (stale).
|TCP_SWAPFAIL||The object was believed to be in the cache, but could not be accessed.|
|TCP_DENIED||Access was denied for this request.|
|“UDP_” refers to requests on the ICP port (3130)|
|UDP_HIT||A valid copy of the requested object was in the cache|
|UDP_HIT_OBJ||Same as UDP_HIT, but the object data was small enough to be sent|
in the UDP reply packet. Saves the following TCP request.
|UDP_MISS||The requested object was not in the cache|
|UDP_DENIED||Access was denied for this request|
|UDP_INVALID||An invalid request was received.|
|UDP_RELOADING||The neighbor cache is reloading its disk store metadata and does not want|
any TCP requests for MISSES until it is finished.
|ERR_READ_TIMEOUT||The remote site or network is unreachable – may be down.|
|ERR_LIFETIME_EXP||The remote site or network may be too slow or down.|
|ERR_NO_CLIENTS_BIG_OBJ||All Clients went away before tranmission completed and the object|
is too big to cache.
|ERR_READ_ERROR||The remote site or network may be down.|
|ERR_CLIENT_ABORT||Client dropped connection before transmission completed. Squid|
fetches the Object according to its settings for `quick_abort’.
|ERR_CONNECT_FAIL||The remote site or server may be down.|
|ERR_INVALID_REQ||Invalid HTTP request|
|ERR_INVALID_URL||Invalid URL syntax|
|ERR_NO_FDS||Out of file descriptors|
|ERR_DNS_FAIL||DNS name lookup failure|
|ERR_NOT_IMPLEMENTED||Protocol Not Supported|
|ERR_CANNOT_FETCH||The requested URL can not currently be retrieved.|
|ERR_NO_RELAY||There is no WAIS relay host defined for this cache.|
|ERR_DISK_IO||The system disk is out of space or failing.|
|ERR_ZERO_SIZE_OBJECT||The remote server closed the connection before sending any data.|
|ERR_FTP_DISABLED||This cache is configured to NOT retrieve FTP objects.|
|ERR_PROXY_DENIED||Access Denied. The user must authenticate himself before accessing this cache.|
|HEAD||Request only HTTP headers of the supplied URL and no document body|
|POST||Transfer data to the supplied URL|
|PUT||Store data under the supplied URL|
|CONNECT||Forward data to SSL-Server:Port|
|ICP_QUERY||Request from a Parent/Neighbor for the supplied URL|
|NONE||Request of an unsupported method|
|NONE||The object requested by a sibling, was not in my cache.|
|DIRECT||The object has been requested from the origin server.|
|SIBLING_HIT||The object was requested from a neighbor cache which replied with a|
UDP_HIT (formerly logged as NEIGHBOR_HIT).
|PARENT_HIT||The object was requested from a parent cache which replied with a|
|DEFAULT_PARENT||The object was requested from a default parent cache appropriate|
for this URL.
|SINGLE_PARENT||The object was requested from the only parent cache appropriate|
for this URL.
|FIRST_UP_PARENT||The object has been requested from the first available parent in your list.|
|NO_PARENT_DIRECT||The object was requested from the origin server because no parent|
caches exist for the URL.
|FIRST_PARENT_MISS||The object has been requested from the parent cache with the|
fastest weighted round trip time.
|ROUNDROBIN_PARENT||No ICP queries were received from any parent caches. This parent|
was chosen because it was marked as ‘default’ in the config
file and it had the lowest round-robin use count.
|CLOSEST_PARENT_MISS||This parent was selected because it included the lowest RTT|
measurement to the origin server. This only appears with ‘query_icmp
on’ set in the config file.
|CLOSEST_DIRECT||The object was fetched directly from the origin server because|
this cache measured a lower RTT than any of the parent caches.
|LOCAL_IP_DIRECT||The object has been requested from the origin server because the|
origin host IP address matched your ‘local_ip’ list.
|FIREWALL_IP_DIRECT||The object has been requested from the origin server because the|
origin host IP address is inside your firewall.
|NO_DIRECT_FAIL||The object could not be requested because of firewall restrictions|
and no parent caches were available.
|SOURCE_FASTEST||The object was requested from the origin server because the|
‘source_ping’ reply arrived first.
|SIBLING_UDP_HIT_OBJ||The object was received in a UDP_HIT_OBJ reply from a neighbor|
cache (formerly logged as UDP_HIT_OBJ).
|PARENT_UDP_HIT_OBJ||The object was received in a UDP_HIT_OBJ reply from a parent|
cache (formerly logged as UDP_HIT_OBJ).
|PASSTHROUGH_PARENT||The neighbor or proxy defined in the config option|
‘passthrough_proxy’ was used.
|SSL_PARENT_MISS||The neighbor or proxy defined in the config option ‘ssl_proxy’ was|