.. Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
===============
logs_xml.config
===============
.. configfile:: logs_xml.config
The :file:`logs_xml.config` file defines the custom log file formats,
filters, and processing options. The format of this file is modeled
after XML, the Extensible Markup Language.
Format
======
The :file:`logs_xml.config` file contains the specifications below:
- ``LogFormat`` specifies the fields to be gathered from each protocol
event access.
- ``LogFilter`` specifies the filters that are used to include or
exclude certain entries being logged based on the value of a field
within that entry.
- ``LogObject`` specifies an object that contains a particular format,
a local filename, filters, and collation servers.
The :file:`logs_xml.config` file ignores extra white space, blank lines, and
all comments.
.. _LogFormat:
LogFormat
=========
The following list shows ``LogFormat`` specifications.
.. _LogFormat-name:
````
Required
Valid format names include any name except ``squid``, ``common``,
``extended``, or ``extended2``, which are pre-defined formats. There
is no default for this tag.
.. _LogFormat-Format:
````
Required
A valid format specification is a printf-style string describing
each log entry when formatted for ASCII output.
The printf-style could accept Oct/Hex escape representation:
- ``\abc`` is Oct escape sequence, a,b,c should be one of [0-9], and
(a*8^2 + b*8 + c) should be greater than 0 and less than 255.
- ``\xab`` is Hex escape sequence, a,b should be one of [0-9, a-f, A-F],
and (a*16 + b) should be greater than 0 and less than 255.
Use ``%<`` ``field`` ``>`` as a placeholder for valid field names. For more
information, refer to :ref:`custom-logging-fields`.
The specified field can be one of the following types:
Simple. For example: ``%``
A field within a container, such as an HTTP header or a statistic.
Fields of this type have the syntax: ::
%<{ field } container>
Aggregates, such as ``COUNT``, ``SUM``, ``AVG``, ``FIRST``,
``LAST``. Fields of this type have the syntax: ``%``
.. note::
You cannot create a format specification that contains both aggregate operators and regular fields.
````
Optional
Use this tag when the format contains aggregate operators. The value
"``aggregate_interval_secs``\" represents the number of seconds
between individual aggregate values being produced.
The valid set of aggregate operators are:
- COUNT
- SUM
- AVG
- FIRST
- LAST
.. _LogFilters:
LogFilters
==========
The following list shows the ``LogFilter`` specifications.
````
Required
All filters must be uniquely named.
````
Required
This field contains the following elements:
``valid_log_field`` - the field that will be compared against
the given value. For more information, refer to :ref:`logging-format-cross-reference`.
``valid_operator_field`` - any one of the following: ``MATCH``,
``CASE_INSENSITIVE_MATCH``, ``CONTAIN``,
``CASE_INSENSITIVE_CONTAIN``.
- ``MATCH`` is true if the field and value are identical
(case-sensitive).
- ``CASE_INSENSITIVE_MATCH`` is similar to ``MATCH``, except that
it is case-insensitive.
- ``CONTAIN`` is true if the field contains the value (the value is
a substring of the field).
- ``CASE_INSENSITIVE_CONTAIN`` is a case-insensitive version of
``CONTAIN``.
``valid_comparison_value`` - any string or integer matching the
field type. For integer values, all of the operators are equivalent
and mean that the field must be equal to the specified value.
For IP address fields, this can be a list of IP addresses and include ranges. A range is an IP address, followed by a
dash '``-``', and then another IP address of the same family. For instance, the 10/8 network can be represented by
``10.0.0.0-10.255.255.255``. Currently network specifiers are not supported.
.. note::
There are no negative comparison operators. If you want to
specify a negative condition, then use the ``Action`` field to
``REJECT`` the record.
````
Required: ``ACCEPT`` or ``REJECT`` or ``WIPE_FIELD_VALUE``.
ACCEPT or REJECT instructs Traffic Server to either accept or reject records
that satisfy the filter condition. WIPE_FIELD_VALUE wipes out
the values of the query params in the url fields specified in the Condition.
NOTES: 1. WIPE_FIELD_VALUE action is only applied to the parameters in the query part.
2. Multiple parameters can be listed in a single WIPE_FIELD_VALUE filter
3. If the same parameter appears more than once in the query part , only
the value of the first occurance is wiped
.. _LogObject:
LogObject
=========
The following list shows the ``LogObject`` specifications.
````
Required
Valid format names include the predefined logging formats:
``squid``, ``common``, ``extended``, and ``extended2``, as well as
any previously-defined custom log formats. There is no default for
this tag.
````
Required
The filename to which the given log file is written on the local
file system or on a remote collation server. No local log file will
be created if you fail to specify this tag. All filenames are
relative to the default logging directory.
If the name does not contain an extension (for example, ``squid``),
then the extension ``.log`` is automatically appended to it for
ASCII logs and ``.blog`` for binary logs (refer to :ref:`Mode =
"valid_logging_mode" `).
If you do not want an extension to be added, then end the filename
with a single (.) dot (for example: ``squid.`` ).
.. _LogObject-Mode:
````
Optional
Valid logging modes include ``ascii`` , ``binary`` , and
``ascii_pipe`` . The default is ``ascii`` .
- Use ``ascii`` to create event log files in human-readable form
(plain ASCII).
- Use ``binary`` to create event log files in binary format. Binary
log files generate lower system overhead and occupy less space on
the disk (depending on the information being logged). You must
use the :program:`traffic_logcat` utility to translate binary log files to ASCII
format before you can read them.
- Use ``ascii_pipe`` to write log entries to a UNIX named pipe (a
buffer in memory). Other processes can then read the data using
standard I/O functions. The advantage of using this option is
that Traffic Server does not have to write to disk, which frees
disk space and bandwidth for other tasks. In addition, writing to
a pipe does not stop when logging space is exhausted because the
pipe does not use disk space.
If you are using a collation server, then the log is written to a
pipe on the collation server. A local pipe is created even before a
transaction is processed, so you can see the pipe right after
Traffic Server starts. Pipes on a collation server, however, *are*
created when Traffic Server starts.
````
Optional
A comma-separated list of names of any previously-defined log
filters. If more than one filter is specified, then all filters must
accept a record for the record to be logged.
````
Optional
A comma-separated list of the protocols this object should log.
Valid protocol names for this release are ``HTTP`` (FTP is
deprecated).
````
Optional
A comma-separated list of valid hostnames.This tag indicates that
only entries from the named servers will be included in the file.
.. _logs-xml-logobject-collationhost:
````
Optional
A comma-separated list of collation servers (with pipe delimited
failover servers) to which all log entries (for this object) are
forwarded. Collation servers can be specified by name or IP address.
Specify the collation port with a colon after the name. For example,
in ``host1:5000|failhostA:5000|failhostB:6000, host2:6000`` logs
would be sent to host1 and host2, with failhostA and failhostB
acting as failover hosts for host1. When host1 disconnects,
logs would be sent to failhostA. If failhostA disconnects, log
entries would be sent to failhostB until host1 or failhostA comes
back. Logs would also be sent to host2.
````
Optional
The header text you want the log files to contain. The header text
appears at the beginning of the log file, just before the first
record.
````
Optional
Enables or disables log file rolling for the ``LogObject``. This
setting overrides the value for the
:ts:cv:`proxy.config.log.rolling_enabled` variable in the
:file:`records.config` file. Set *truth value* to one of the
following values:
- ``0`` to disable rolling for this particular ``LogObject``.
- ``1`` to roll log files at specific intervals during the day (you
specify time intervals with the ``RollingIntervalSec`` and
``RollingOffsetHr`` fields).
- ``2`` to roll log files when they reach a certain size (you
specify the size with the ``RollingSizeMb`` field).
- ``3`` to roll log files at specific intervals during the day or
when they reach a certain size (whichever occurs first).
- ``4`` to roll log files at specific intervals during the day when
log files reach a specific size (at a specified time if the file
is of the specified size).
.. XXX this is confusing ^ really, why is it a "truth value" but then it's 5 different integer values that means varias strange things?
````
Optional
The seconds between log file rolling for the ``LogObject``; enables
you to specify different rolling intervals for different
``LogObjects``.
This setting overrides the value for
:ts:cv:`proxy.config.log.rolling_interval_sec` in the
:file:`records.config` file.
````
Optional
Specifies an hour (from 0 to 23) at which rolling is guaranteed to
align. Rolling might start before then, but a rolled file will be
produced only at that time. The impact of this setting is only
noticeable if the rolling interval is larger than one hour. This
setting overrides the configuration setting for
:ts:cv:`proxy.config.log.rolling_offset_hr` in the :file:`records.config`
file.
````
Optional
The size at which log files are rolled.
Examples
========
The following is an example of a ``LogFormat`` specification that
collects information using three common fields: ::
: % : %"/>
The following is an example of a ``LogFormat`` specification that
uses aggregate operators: ::
: % : %"/>
The following is an example of a ``LogFilter`` that will cause only
``REFRESH_HIT`` entries to be logged: ::
MATCH REFRESH_HIT"/>
.. note::
When specifying the field in the filter condition, you can
omit the ``%<>``. This means that the filter below is equivalent to the
example directly above: ::
The following is an example of a ``LogFilter`` that will cause the value of
passwd field be wiped in cquc
The following is an example of a ``LogObject`` specification that
creates a local log file for the minimal format defined earlier. The log
filename will be ``minimal.log`` because this is an ASCII log file (the
default).::
The following is an example of a ``LogObject`` specification that
includes only HTTP requests served by hosts in the domain
``company.com`` or by the specific server ``server.somewhere.com``. Log
entries are sent to port 4000 of the collation host ``logs.company.com``
and to port 5000 of the collation host ``209.131.52.129.`` ::
.. _WELF:
WELF
====
Traffic Server supports WELF (WebTrends Enhanced Log Format) so you can
analyze Traffic Server log files with WebTrends reporting tools. A
predefined ```` that is compatible with WELF is provided in
the :file:`logs_xml.config` file (shown below). To create a WELF format log
file, create a ```` that uses this predefined format. ::
%\" fw=% pri=6
proto=% duration=% sent=% rcvd=%
src=% dst=% dstname=% user=% op=%
arg=\"%\" result=% ref=\"%<{Referer}cqh>\"
agent=\"%<{user-agent}cqh>\" cache=%"/>