kk Blog —— 通用基础

%{ %Y-%m-%d %H:%M:%S}tl

logformat kk %{ %Y-%m-%d %H:%M:%S}tl %tr %la %lp %>a %>p %>Hs %<st HTTP/%rv %rm "%ru" "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh/%<a
access_log /var/log/squid/access.log kk

logformat squid    %{ %Y-%m-%d %H:%M:%S}tl %tr %la %lp %>a %>p %>Hs %<st HTTP/%rv %rm "%ru" "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh/%<a
logformat combined %{ %Y-%m-%d %H:%M:%S}tl %tr %la %lp %>a %>p %>Hs %<st HTTP/%rv %rm "%ru" "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh/%<a

squid -k parse
ERROR: logformat squid is already defined. Ignoring.
ERROR: logformat combined is already defined. Ignoring.

logformat log_format %>a %ui %un %ts "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %tr #日志格式
access_log /usr/local/squid2.7/var/logs/access.log log_format

Field name syntax keys:
{} modifier or argument. Also used to specify header names
> request (client) 客户请求
< reply (server) 服务端回应
a address 访问用户ip地址
A address name 访问用户电脑名称
h all headers 浏览器头信息
i ident 
p port 端口
r request line (no query)
t time 访问时间
u user
l local address/port (where request was accepted)

%>a
Client source IP address
%>A
Client FQDN
%>p
Client source port
%<a
Server or peer IP address
%<p
Server or peer port number
%<A
Server IP address or peer name
%la
Local IP address where the request was accepted
%lp
Local port where the request was accepted
%lA
Local port name where the request was accepted
%ts
Date of request, seconds since epoch
%{format}tl
Date of request, strftime format (localtime)
%{format}tg
Date of request, strftime format (gmt)
%tu
Date of request, sub-second component
%tr
Time to serve the request, in milliseconds
%{header}>h
Request header
%{header:element}>h
Named request header field element (list headers)
%{header:separator element}>h
Named request header field element, using "separator" as field separator (it can be any non-alphanumeric single character)
%>h
All request header
%{header}<h
Request headers, as for <..h above
%un
Authenticated user name or dash
%ur
Authenticated user realm or dash
%us
Authenticated user scheme or dash
%ui
Ident user name or dash
%Hs
HTTP status code (200, 404, 407, etc)
%Ht
HTTP status text (Not found, etc)
%Ss
Squid status code (TCP_HIT, TCP_MISS etc)
%Se
Squid error code (ERR_DENIED, ERR_...)
%Sh
Squid hierarchy code (FIRST_UP_PARENT, etc)
%mt
MIME type of the request
%rm
Request method
%ru
Request URL, without the query string
%rq
Request query string, including ?
%rp
Request protocol (i.e. HTTP/1.1)
%ps
Peer selection status (DIRECT, PARENT, CD_PARENT_HIT, etc. including the TIMEDOUT_ variant)
%>sl
Size of request line
%>sh
Size of request headers, including request line
%>sH
Size of request headers, excluding request line
%>sb
Size of request body, raw received bytes
%>sB
Size of request body, excluding transfer encoding
%>st
Total size of request
%<sl
Size of reply status line
%<sh
Size of reply headers, including status line
%<sH
Size of reply headers, excluding status line
%<sb
Size of reply body, raw transmitted bytes
%<sB
Size of reply body, excluding transfer encoding
%<st
Total size of reply
%%
A literal %

占位符的含义：
%>a客户端IP
%>A 客户端全域名(FQDN)
%>p 客户端端口号
%la 本机IP(squid服务器IP)
%lp 本机端口(squid监听端口)
%oa 对外IP
%ts 时间戳(秒)
%tu 时间戳(毫秒)
%tl 本地时间，默认格式 %d/%b/%Y:%H:%M:%S %z
%tg GMT时间，默认格式 %d/%b/%Y:%H:%M:%S %z
%tr 响应时间(毫秒)
%>h 请求头
%<h 回复头
%un user name
%ui user ident
%ul user auth
%us user ssl
%ue user external
%Hs http状态码(200 ,302 etc)
%Ss squid状态码(TCP_HIT,TCP_MISS etc)
%Sh squid堆叠状态码(即cache集群，姐妹或父状态，DEFAULT_PARENT etc)
%mt content type
%rm method
%ru 请求url
%rp 请求url路径不包括主机名
%rv 请求协议版本
%<st 回复大小包括http头
%>st 请求大小包括http头
%st 请求+回复大小包括http头
%sn 日志每行记录一个行号
如果打印请求头或回复头中的某个字段，可以这样:%{字段名}>h %{字段名}<h
如: %{User-agent}>h表示打印请求头中的ua字段
这样我们可以自定义几种日志格式：
logformat  log1 %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
logformat  log2 %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
然后在access_log配置用上这几种自定义格式
access_log  /usr/local/squid/var/logs/log1/access.log  log1
access_log  /usr/local/squid/var/logs/log2/access.log  log2
这样就会同时记录两种不同的日志格式了。