Saturday, January 14, 2012

Cisco Ironport Squid Log Format Broken Down

One of the most interesting things about proxy log files is that the syntax is cryptic.   Some companies have internally purchased off-the-shelf packages so the logs can be used to generate quick and meaningful data.   However, I always found it useful to know what these log files mean.  So without much ado, here is a reference that may be helpful to you.  I have color coded it so it's easier to follow:


1215535247.487 123 172.20.11.222 TCP_MISS/200 14148 GET HTTP://www.cisco.com/ DIRECT/www.cisco.com text/html


1215535247.487 = %t Time stamp in Unix time (you can convert this by going to the following link: http://tinyurl.com/72sbp3o)


123 = %e elapsed time


172.20.11.222 = %a Client IP address
 

TCP_MISS = %w Transactional result code
  • NONE – Neither a hit nor a miss, indicates an error in the transaction
  • TCP_MEM_HIT – Object was cached in memory
  • TCP_DENIED – Access was denied for this request.
  • TCP_HIT - A valid copy of the requested object was in the cache.
  • TCP_MISS - The requested object was not in the cache.
  • TCP_REFRESH_HIT - An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and the response was "Not Modified."
  • TCP_REFRESH_FAIL_HIT - An expired copy of the requested object was in the cache. Squid attempted to make an If-Modified-Since request, but it failed. The old (stale) object was delivered to the client.
  • TCP_REFRESH_MISS - An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and received a new, different object.
  • TCP_CLIENT_REFRESH - The client issued a request with the "no-cache" pragma. ("reload" - handled as MISS)
  • TCP_IMS_HIT - An If-Modified-Since GET request was received from the client. A valid copy of the object was in the cache (fresh).
  • TCP_IMS_MISS - An If-Modified-Since GET request was received from the client. The requested object was not in the cache (stale).
  • TCP_SWAPFAIL - The object was believed to be in the cache, but could not be accessed.

200 = %h HTTP Response Code
  • 200 - OK
  • 204 - No Content
  • 206 - Partial content
  • 301 - Moved Permanently
  • 302 - Found (over there)
  • 304 - Not modified
  • 305 - Use Proxy
  • 307 - Temporary Redirect
  • 401 - Unauthorized
  • 403 - Forbidden
  • 404 - Not Found
  • 405 - Method not allowed
  • 407 - Proxy Authorization Required
  • 503 - Service Unavailable
  • 504 - Gateway timeout

14148 = %s Total bytes transferred

GET HTTP://www.cisco.com/ = %r Request method URI
 

DIRECT/www.cisco.com = %H – Cache hierarchy retrieval
  • NONE – No request made
  • DIRECT – request went directly to server
  • DEFAULT_PARENT – Single upstream proxy or failover
  • LEASTBUSY_PARENT – Fewest Connections
  • HASHBASED_PARENT – Hash based load balancing
  • LEASTRECENT_PARENT – Least recently used
  • ROUNDROBIN_PARENT – Round robin load balancing

text/html = %c – MIME content type/subtype
  • text/plain – simple text
