KB N°2598 : UNDERSTANDING THE ACCESS.LOG FILE
The access.log file generated by the squid proxy contains a list of all server access events. This makes it a very useful tool.
What does the access.log file do?
The access.log file keeps a log of all server access events, i.e. all HTTP requests received, and the way in which they are processed. The format of this file can be configured using the access_log option for the squid3.conf file.
Example of an access.log entry
1265939281.764 1 188.8.131.52 TCP_DENIED/403 734 POST http://lbcore1.metacafe.com/test/SystemInfoManager.php – NONE/- text/html
|1265939281.764||Time in Unix format (Fri, 12 Feb 2010 01:48:01 GMT)|
Time required for server to process request (in ms). This processing time will vary according to the mode used (connected or not connected).
For TCP: It is calculated according to the time the server receives the request and the time it responds to the client.
For UDP: It is calculated according to the time the server triggers the response to the client and the time the response actually occurs.
|184.108.40.206||Client IP address. This data can be hidden to ensure logs are anonymous.|
|TCP_DENIED/403||Code resulting from the transaction. This field consists of two entries separated by a slash: the Squid status code and the HTTP code corresponding to the response from the original server. Most of these codes are explained in further detail below.|
|734||The size of the data delivered to the client.|
|POST||The method used to retrieve the resource (GET, HEAD, etc.).|
|http://lbcore1.metacafe.com/test/SystemInfoManager.php||The URL of the requested resource.|
|–||User data (deactivated by default).|
|NONE/-||Code that indicates how the request was processed. This code may be followed by the IP address to which the request was redirected.|
|text/html||The content type generated by the HTTP header of the response (ICP exchanges do not include this data).|
Main status codes returned by the proxy
|TCP_HIT||A valid copy of the requested object was found in the cache.|
|TCP_MISS||The requested object was not found in the cache.|
|TCP_ REFRESH_HIT||The requested object was found in the cache but is considered invalid. The IMS request returned a 304-Not Modified code and the cached resource was returned.|
|TCP_REFRESH_FAIL_HIT||The requested object was found in the cache but is considered invalid. The IMS request failed and the invalid content was delivered to the client.|
|TCP_REFRESH_MISS||The requested object was found in the cache but is considered invalid. The IMS request returned the new object.|
|TCP_DENIED||Access was refused for this request.|
|UDP_HIT||A valid copy of the requested object was found in the cache.|
|UDP_MISS||The requested object was not found in the cache.|
|UDP_DENIED||Access was refused for this request.|
|UDP_INVALID||An invalid request was received.|
Main HTTP codes used
|200||OK||Request processed successfully.|
|204||Created||Request processed successfully and document created.|
|301||Moved Permanently||Document has been permanently moved.|
|302||Moved Temporarily||Document has been temporarily moved.|
|304||Not Modified||Document has not been modified since the last request.|
|400||Bad request||Request syntax is incorrect.|
|401||Unauthorized||Authentication required in order to access resource.|
|403||Forbidden||The server understands the request, but refuses to process it. Unlike a 401 error, authentication will not make any difference. For servers requiring authentication, this generally means that authentication has been accepted but that the corresponding access rights do not allow the client to access the resource.|
|404||Not Found||Page not found.|
|407||Proxy Authentification Required||Access to resource authorised via proxy identification.|
|502||Bad Gateway or Proxy Error||Bad response sent to an intermediate server by another server.|
|503||Service Unavailable||Service is temporarily unavailable or undergoing maintenance.|