Configuration Examples

This section provides examples for a wide range of logging scenarios. While not exhaustive of all possibilities (Traffic Server logging is quite flexible), these entries should hopefully get most administrators headed onto the right path.

Unless otherwise noted, the example configurations here are to be applied in logging.yaml.

Online Event Log Builder

If you need any assistance building your event log, you can try out our online log builder. This is a work in progress, so any comments, critique or suggestions are most welcome.

Emulating Other HTTP Server Formats

Netscape Common

The following figure shows a sample log entry in a Netscape Common log file.

Sample Netscape Common log entry

The numbered sections correspond to the following log fields in Traffic Server:

No.FieldDescription
1chiThe IP address of the client’s host machine.
2This hyphen (-) is always present in Netscape log entries.
3caunThe authenticated client username. A hyphen (-) means no authentication was required.
4cqtnThe date and time of the client request, enclosed in brackets.
5cqtxThe request line, enclosed in quotes.
6psscThe proxy response status code (HTTP reply code).
7psclThe length of the Traffic Server response to the client in bytes.

To recreate this as a log format in logging.yaml you would define the following format object:

  1. formats:
  2. - name: common
  3. format: '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl>'

Netscape Extended

The following figure shows a sample log entry in a Netscape Extended log file.

Sample Netscape Extended log entry

In addition to fields 1-7 from the Netscape Common log format, the Extended format adds the following fields:

No.FieldDescription
8ssscThe origin server response status code.
9sshlThe server response transfer length; the body length in the origin server response to Traffic Server, in bytes.
10cqclThe client request transfer length; the body length in the client request to Traffic Server, in bytes.
11pqclThe proxy request transfer length; the body length in the Traffic Server request to the origin server.
12cqhlThe client request header length; the header length in the client request to Traffic Server.
13pshlThe proxy response header length; the header length in the Traffic Server response to the client.
14pqhlThe proxy request header length; the header length in Traffic Server request to the origin server.
15sshlThe server response header length; the header length in the origin server response to Traffic Server.
16ttsThe time Traffic Server spent processing the client request; the number of seconds between the time that the client established the connection with Traffic Server and the time that Traffic Server sent the last byte of the response back to the client.

To recreate this as a log format in logging.yaml you would define the following format object:

  1. formats:
  2. - name: extended
  3. format: '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts>'

Netscape Extended-2

The following figure shows a sample log entry in a Netscape Extended2 log file.

Sample Netscape Extended-2 log entry

In addition to fields 1-16 from the Netscape Common and Netscape Extended log formats above, the Extended-2 format adds the following fields:

No.FieldDescription
17phrThe proxy hierarchy route; the route Traffic Server used to retrieve the object.
18cfscThe client finish status code: FIN if the client request completed successfully or INTR if the client request was interrupted.
19pfscThe proxy finish status code: FIN if the Traffic Server request to the origin server completed successfully or INTR if the request was interrupted.
20crcThe cache result code; how the Traffic Server cache responded to the request: HIT, MISS, and so on. Cache result codes are listed in Cache Result Codes.

To recreate this as a log format in logging.yaml you would define the following format object:

  1. formats:
  2. - name: extended2
  3. format: '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl> %<sssc> %<sscl> %<cqcl> %<pqcl> %<cqhl> %<pshl> %<pqhl> %<sshl> %<tts> %<phr> %<cfsc> %<pfsc> %<crc>'

Squid

The following figure shows a sample log entry in a Squid log file.

Sample Squid log entry

The numbered sections correspond to the following log fields in Traffic Server:

No.FieldDescription
1cqtqThe client request timestamp in Squid format. The time of the client request in seconds since January 1, 1970 UTC (with millisecond resolution).
2ttmsThe time Traffic Server spent processing the client request. The number of milliseconds between the time the client established the connection with Traffic Server and the time Traffic Server sent the last byte of the response back to the client.
3chiThe IP address of the client’s host machine.
4crc/psscThe cache result code; how the cache responded to the request: HIT, MISS, and so on. Cache result codes are described in Logging Cache Results. The proxy response status code (HTTP response status code from Traffic Server to client).
5psqlThe length of the Traffic Server response to the client in bytes, including headers and content.
6cqhmThe client request method: GET, POST, and so on.
7caucThe client request canonical URL; blanks and other characters that might not be parsed by log analysis tools are replaced by escape sequences. The escape sequence is a percentage sign followed by the ASCII code number of the replaced character in hex.
8caunThe username of the authenticated client. A hyphen (-) means that no authentication was required.
9phr/shnThe proxy hierarchy route. The route Traffic Server used to retrieve the object.
10psctThe proxy response content type. The object content type taken from the Traffic Server response header.

To recreate this as a log format in logging.yaml you would define the following format object:

  1. formats:
  2. - name: squid
  3. format: '%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>'

Hourly Rotated Squid Proxy Logs

The following example demonstrates the creation of a Squid-compatible log format, which is then applied to a log object containing an hourly rotation policy.

  1. formats:
  2. - name: squid
  3. format: '%<cqtq> %<ttms> %<chi> %<crc>/%<pssc> %<psql> %<cqhm> %<cquc> %<caun> %<phr>/%<shn> %<psct>'
  4. logs:
  5. - mode: ascii
  6. format: squid
  7. filename: squid
  8. rolling_enabled: time
  9. rolling_interval_sec: 3600
  10. rolling_offset_hr: 0

Summarizing Number of Requests and Total Bytes Sent Every 10 Seconds

The following example format generates one entry every 10 seconds. Each entry contains the timestamp of the last entry of the interval, a count of the number of entries seen within that 10-second interval, and the sum of all bytes sent to clients:

  1. formats:
  2. - name: mysummary
  3. format: '%<LAST(cqts)> : %<COUNT(*)> : %<SUM(psql)>'
  4. interval: 10

Dual Output to Compact Binary Logs and ASCII Pipes

This example demonstrates logging the same event data to multiple locations, in a hypothetical scenario where we may wish to keep a compact form of our logs available for archival purposes, while performing live log analysis on a stream of the event data.

  1. ourformat = format {
  2. Format = '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl>'
  3. }
  4. log.binary {
  5. Format = ourformat,
  6. Filename = 'archived_events'
  7. }
  8. log.pipe {
  9. Format = ourformat,
  10. Filename = 'streaming_log'
  11. }

Filtering Events to ASCII Pipe for Alerting

This example illustrates a situation in which our Traffic Server cache contains canary objects, which upon their access we want an external alerting system to fire off all sorts of alarms. To accomplish this, we demonstrate the use of a filter object that matches events against these particular canaries and emits log data for them to a UNIX pipe that the alerting software can constantly read from.

  1. formats:
  2. - name: canaryformat
  3. format: '%<chi> - %<caun> [%<cqtn>] "%<cqtx>" %<pssc> %<pscl>'
  4. filters:
  5. - name: canaryfilter
  6. accept: cqup MATCH "/nightmare/scenario/dont/touch"
  7. logs:
  8. - mode: pipe
  9. format: canaryformat
  10. filters:
  11. - canaryfilter
  12. filename: alerting_canaries

Summarizing Origin Responses by Hour

This example demonstrates a simple use of aggregation operators to produce an hourly event line reporting on the total number of requests made to origin servers (where we assume that any cache result code without the string HIT in it signals origin access), as well as the average time it took to fulfill the request to clients during that hour.

  1. formats:
  2. - name: originrepformat
  3. format: '%<FIRST(cqtq)> %<COUNT(*)> %<AVERAGE(ttms)>'
  4. interval: 3600
  5. filters:
  6. - name: originfilter
  7. reject: crc CONTAINS "HIT"
  8. logs:
  9. - mode: ascii
  10. format: originrepformat
  11. filters:
  12. - originfilter
  13. filename: origin_access_summary