version:squid-3.3.11
Usage: logformat <name> <format specification> Defines an access log format. The <format specification> is a string with embedded % format codes % format codes all follow the same basic structure where all but the formatcode is optional. Output strings are automatically escaped as required according to their context and the output format modifiers are usually not needed, but can be specified if an explicit output format is desired. % ["|[|'|#] [-] [[0]width] [{argument}] formatcode " output in quoted string format [ output in squid text log format as used by log_mime_hdrs # output in URL quoted format ' output as-is - left aligned width minimum and/or maximum field width: [width_min][.width_max] When minimum starts with 0, the field is zero-padded. String values exceeding maximum width are truncated. {arg} argument such as header name etc Format codes: % a literal % character sn Unique sequence number per log line entry err_code The ID of an error response served by Squid or a similar internal error identifier. err_detail Additional err_code-dependent error information. Connection related format codes: >a Client source IP address >A Client FQDN >p Client source port >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier) >la Local IP address the client connected to >lp Local port number the client connected to la Local listening IP address the client connection was connected to. lp Local listening port number the client connection was connected to. <a Server IP address of the last server or peer connection <A Server FQDN or peer name <p Server port number of the last server or peer connection <la Local IP address of the last server or peer connection <lp Local port number of the last server or peer connection Time related format codes: ts Seconds since epoch tu subsecond time (milliseconds) tl Local time. Optional strftime format argument default %d/%b/%Y:%H:%M:%S %z tg GMT time. Optional strftime format argument default %d/%b/%Y:%H:%M:%S %z tr Response time (milliseconds) dt Total time spent making DNS lookups (milliseconds) Access Control related format codes: et Tag returned by external acl ea Log string returned by external acl un User name (any available) ul User name from authentication ue User name from external acl helper ui User name from ident us User name from SSL HTTP related format codes: [http::]>h Original received request header. Usually differs from the request header sent by Squid, although most fields are often preserved. Accepts optional header field name/value filter argument using name[:[separator]element] format. [http::]>ha Received request header after adaptation and redirection (pre-cache REQMOD vectoring point). Usually differs from the request header sent by Squid, although most fields are often preserved. Optional header name argument as for >h [http::]<h Reply header. Optional header name argument as for >h [http::]>Hs HTTP status code sent to the client [http::]<Hs HTTP status code received from the next hop [http::]<bs Number of HTTP-equivalent message body bytes received from the next hop, excluding chunked transfer encoding and control messages. Generated FTP/Gopher listings are treated as received bodies. [http::]mt MIME content type [http::]rm Request method (GET/POST etc) [http::]>rm Request method from client [http::]<rm Request method sent to server or peer [http::]ru Request URL from client (historic, filtered for logging) [http::]>ru Request URL from client [http::]<ru Request URL sent to server or peer [http::]rp Request URL-Path excluding hostname [http::]>rp Request URL-Path excluding hostname from client [http::]<rp Request URL-Path excluding hostname sento to server or peer [http::]rv Request protocol version [http::]>rv Request protocol version from client [http::]<rv Request protocol version sent to server or peer [http::]<st Sent reply size including HTTP headers [http::]>st Received request size including HTTP headers. In the case of chunked requests the chunked encoding metadata are not included [http::]>sh Received HTTP request headers size [http::]<sh Sent HTTP reply headers size [http::]st Request+Reply size including HTTP headers [http::]<sH Reply high offset sent [http::]<sS Upstream object size [http::]<pt Peer response time in milliseconds. The timer starts when the last request byte is sent to the next hop and stops when the last response byte is received. [http::]<tt Total server-side time in milliseconds. The timer starts with the first connect request (or write I/O) sent to the first selected peer. The timer stops with the last I/O with the last peer. Squid handling related format codes: Ss Squid request status (TCP_MISS etc) Sh Squid hierarchy status (DEFAULT_PARENT etc) SSL-related format codes: ssl::bump_mode SslBump decision for the transaction: For CONNECT requests that initiated bumping of a connection and for any request received on an already bumped connection, Squid logs the corresponding SslBump mode ("server-first" or "client-first"). See the ssl_bump option for more information about these modes. A "none" token is logged for requests that triggered "ssl_bump" ACL evaluation matching either a "none" rule or no rules at all. In all other cases, a single dash ("-") is logged. If ICAP is enabled, the following code becomes available (as well as ICAP log codes documented with the icap_log option): icap::tt Total ICAP processing time for the HTTP transaction. The timer ticks when ICAP ACLs are checked and when ICAP transaction is in progress. If adaptation is enabled the following three codes become available: adapt::<last_h The header of the last ICAP response or meta-information from the last eCAP transaction related to the HTTP transaction. Like <h, accepts an optional header name argument. adapt::sum_trs Summed adaptation transaction response times recorded as a comma-separated list in the order of transaction start time. Each time value is recorded as an integer number, representing response time of one or more adaptation (ICAP or eCAP) transaction in milliseconds. When a failed transaction is being retried or repeated, its time is not logged individually but added to the replacement (next) transaction. See also: adapt::all_trs. adapt::all_trs All adaptation transaction response times. Same as adaptation_strs but response times of individual transactions are never added together. Instead, all transaction response times are recorded individually. You can prefix adapt::*_trs format codes with adaptation service name in curly braces to record response time(s) specific to that service. For example: %{my_service}adapt::sum_trs If SSL is enabled, the following formating codes become available: %ssl::>cert_subject The Subject field of the received client SSL certificate or a dash ('-') if Squid has received an invalid/malformed certificate or no certificate at all. Consider encoding the logged value because Subject often has spaces. %ssl::>cert_issuer The Issuer field of the received client SSL certificate or a dash ('-') if Squid has received an invalid/malformed certificate or no certificate at all. Consider encoding the logged value because Issuer often has spaces. The default formats available (which do not need re-defining) are: logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh logformat referrer %ts.%03tu %>a %{Referer}>h %ru logformat useragent %>a [%tl] "%{User-Agent}>h" NOTE: When the log_mime_hdrs directive is set to ON. The squid, common and combined formats have a safely encoded copy of the mime headers appended to each line within a pair of brackets. NOTE: The common and combined formats are not quite true to the Apache definition. The logs from Squid contain an extra status and hierarchy code appended.