Understanding Squid Access Log

Understanding Squid Access Log

Many times we find difficulty to understand SQUID access logs and hardly there are a few references available. This article provides complete details about understanding SQUID access logs.


Topic

  • Understanding Squid Access Log
  • Complete details of SQUID access log
  • Easy Understanding of Squid Access Log


Solution


Timestamp

The time when the request is completed (socket closed).
The format is “Unix time” (seconds since Jan 1, 1970) with millisecond
resolution.

Timestamp1

When the request is completed
(Day/Month/CenturyYear:Hour:Minute:Second GMT-Offset)

Elapsed

The elapsed time of the request, in milliseconds. This
is the time between the accept() and close() of the client socket.

Client

The IP address of the connecting client, or the FQDN if
the ‘log_fqdn’ option is enabled in the config file.

Action

The Action describes how the request was treated
locally (hit, miss, etc). All the tags are described below.

Code

The HTTP reply code taken
from the first line of the HTTP reply header.
For ICP requests this is always “000.” If the reply code was not
given, it will be logged as “555.”

Size

For TCP requests, the amount of data written to the
client. For UDP requests, the size of the request. (in bytes)

Method

The HTTP request method (GET, POST, etc), or ICP_QUERY
for ICP requests.

URI

The requested URI.

Ident

The result of the RFC931/ident lookup of the client
username. If RFC931/ident lookup is disabled (default: `ident_lookup
off’), it is logged as – .

Hierarchy

A description of how and where the requested object was
fetched.

From

Hostname of the machine where we got the object.

Content

Content-type of the Object (from the HTTP reply header).

TCP_HIT

A valid copy of the requested object was in the cache.

TCP_MISS

The requested object was not in the cache.

TCP_REFRESH_HIT

An expired copy of the requested object was in the cache. Squid
made an If-Modified-Since request and the response was “Not Modified.”

TCP_REFRESH_FAIL_HIT

An expired copy of the requested object was in the cache. Squid
attempted to make an If-Modified-Since request, but it failed. The
old (stale) object was delivered to the client.

TCP_REFRESH_MISS

An expired copy of the requested object was in the cache. Squid made
an If-Modified-Since request and received a new, different object.

TCP_CLIENT_REFRESH

The client issued a request with the “no-cache” pragma. (“reload” – handled as MISS)

TCP_IMS_HIT

An If-Modified-Since GET request was received from the client. A
valid copy of the object was in the cache (fresh).

TCP_IMS_MISS

An If-Modified-Since GET request was received from the client. The
requested object was not in the cache (stale).

TCP_SWAPFAIL

The object was believed to be in the cache, but could not be accessed.

TCP_DENIED

Access was denied for this request.

“UDP_” refers to requests on the ICP port (3130)

UDP_HIT

A valid copy of the requested object was in the cache

UDP_HIT_OBJ

Same as UDP_HIT, but the object data was small enough to be sent
in the UDP reply packet. Saves the following TCP request.

UDP_MISS

The requested object was not in the cache

UDP_DENIED

Access was denied for this request

UDP_INVALID

An invalid request was received.

UDP_RELOADING

The neighbor cache is reloading its disk store metadata and does not want
any TCP requests for MISSES until it is finished.

Errors

ERR_READ_TIMEOUT

The remote site or network is unreachable – may be down.

ERR_LIFETIME_EXP

The remote site or network may be too slow or down.

ERR_NO_CLIENTS_BIG_OBJ

All Clients went away before tranmission completed and the object
is too big to cache.

ERR_READ_ERROR

The remote site or network may be down.

ERR_CLIENT_ABORT

Client dropped connection before transmission completed. Squid
fetches the Object according to its settings for `quick_abort’.

ERR_CONNECT_FAIL

The remote site or server may be down.

ERR_INVALID_REQ

Invalid HTTP request

ERR_UNSUP_REQ

Unsupported request

ERR_INVALID_URL

Invalid URL syntax

ERR_NO_FDS

Out of file descriptors

ERR_DNS_FAIL

DNS name lookup failure

ERR_NOT_IMPLEMENTED

Protocol Not Supported

ERR_CANNOT_FETCH

The requested URL can not currently be retrieved.

ERR_NO_RELAY

There is no WAIS relay host defined for this cache.

ERR_DISK_IO

The system disk is out of space or failing.

ERR_ZERO_SIZE_OBJECT

The remote server closed the connection before sending any data.

ERR_FTP_DISABLED

This cache is configured to NOT retrieve FTP objects.

ERR_PROXY_DENIED

Access Denied. The user must authenticate himself before accessing this cache.


Methodes

GET

Request URL

HEAD

Request only HTTP headers of the supplied URL and no document body

POST

Transfer data to the supplied URL

PUT

Store data under the supplied URL

CONNECT

Forward data to SSL-Server:Port

ICP_QUERY

Request from a Parent/Neighbor for the supplied URL

NONE

Request of an unsupported method




Hierarchy

NONE

The object requested by a sibling, was not in my cache.

DIRECT

The object has been requested from the origin server.

SIBLING_HIT

The object was requested from a neighbor cache which replied with a
UDP_HIT (formerly logged as NEIGHBOR_HIT).

PARENT_HIT

The object was requested from a parent cache which replied with a
UDP_HIT.

DEFAULT_PARENT

The object was requested from a default parent cache appropriate
for this URL.

SINGLE_PARENT

The object was requested from the only parent cache appropriate
for this URL.

FIRST_UP_PARENT

The object has been requested from the first available parent in your list.

NO_PARENT_DIRECT

The object was requested from the origin server because no parent
caches exist for the URL.

FIRST_PARENT_MISS

The object has been requested from the parent cache with the
fastest weighted round trip time.

ROUNDROBIN_PARENT

No ICP queries were received from any parent caches. This parent
was chosen because it was marked as ‘default’ in the config
file and it had the lowest round-robin use count.

CLOSEST_PARENT_MISS

This parent was selected because it included the lowest RTT
measurement to the origin server. This only appears with ‘query_icmp
on’ set in the config file.

CLOSEST_DIRECT

The object was fetched directly from the origin server because
this cache measured a lower RTT than any of the parent caches.

LOCAL_IP_DIRECT

The object has been requested from the origin server because the
origin host IP address matched your ‘local_ip’ list.

FIREWALL_IP_DIRECT

The object has been requested from the origin server because the
origin host IP address is inside your firewall.

NO_DIRECT_FAIL

The object could not be requested because of firewall restrictions
and no parent caches were available.

SOURCE_FASTEST

The object was requested from the origin server because the
‘source_ping’ reply arrived first.

SIBLING_UDP_HIT_OBJ

The object was received in a UDP_HIT_OBJ reply from a neighbor
cache (formerly logged as UDP_HIT_OBJ).

PARENT_UDP_HIT_OBJ

The object was received in a UDP_HIT_OBJ reply from a parent
cache (formerly logged as UDP_HIT_OBJ).

PASSTHROUGH_PARENT

The neighbor or proxy defined in the config option
‘passthrough_proxy’ was used.

SSL_PARENT_MISS

The neighbor or proxy defined in the config option ‘ssl_proxy’ was
used.



You May Also Like

avatar

About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.

Leave a Reply

Your email address will not be published. Required fields are marked *