squid-cache.org

	Usage:

	logformat <name> <format specification>

	Defines an access log format.

	The <format specification> is a string with embedded % format codes

	% format codes all follow the same basic structure where all but
	the formatcode is optional. Output strings are automatically escaped
	as required according to their context and the output format
	modifiers are usually not needed, but can be specified if an explicit
	output format is desired.

		% ["|[|'|#] [-] [[0]width] [{argument}] formatcode

		"	output in quoted string format
		[	output in squid text log format as used by log_mime_hdrs
		#	output in URL quoted format
		'	output as-is

		-	left aligned

		width	minimum and/or maximum field width:
			    [width_min][.width_max]
			When minimum starts with 0, the field is zero-padded.
			String values exceeding maximum width are truncated.

		{arg}	argument such as header name etc

	Format codes:

		%	a literal % character
		sn	Unique sequence number per log line entry
		err_code    The ID of an error response served by Squid or
				a similar internal error identifier.
		err_detail  Additional err_code-dependent error information.

	Connection related format codes:

		>a	Client source IP address
		>A	Client FQDN
		>p	Client source port
		>eui	Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
		>la	Local IP address the client connected to
		>lp	Local port number the client connected to

		la	Local listening IP address the client connection was connected to.
		lp	Local listening port number the client connection was connected to.

		<a	Server IP address of the last server or peer connection
		<A	Server FQDN or peer name
		<p	Server port number of the last server or peer connection
		<la	Local IP address of the last server or peer connection
		<lp     Local port number of the last server or peer connection

	Time related format codes:

		ts	Seconds since epoch
		tu	subsecond time (milliseconds)
		tl	Local time. Optional strftime format argument
				default %d/%b/%Y:%H:%M:%S %z
		tg	GMT time. Optional strftime format argument
				default %d/%b/%Y:%H:%M:%S %z
		tr	Response time (milliseconds)
		dt	Total time spent making DNS lookups (milliseconds)

	Access Control related format codes:

		et	Tag returned by external acl
		ea	Log string returned by external acl
		un	User name (any available)
		ul	User name from authentication
		ue	User name from external acl helper
		ui	User name from ident
		us	User name from SSL

	HTTP related format codes:

		[http::]>h	Original request header. Optional header name argument
				on the format header[:[separator]element]
		[http::]>ha	The HTTP request headers after adaptation and redirection. 
				Optional header name argument as for >h
		[http::]<h	Reply header. Optional header name argument
				as for >h
		[http::]>Hs	HTTP status code sent to the client
		[http::]<Hs	HTTP status code received from the next hop
		[http::]<bs	Number of HTTP-equivalent message body bytes 
				received from the next hop, excluding chunked
				transfer encoding and control messages.
				Generated FTP/Gopher listings are treated as
				received bodies.
		[http::]mt	MIME content type
		[http::]rm	Request method (GET/POST etc)
		[http::]>rm	Request method from client
		[http::]<rm	Request method sent to server or peer
		[http::]ru	Request URL from client (historic, filtered for logging)
		[http::]>ru	Request URL from client
		[http::]<ru	Request URL sent to server or peer
		[http::]rp	Request URL-Path excluding hostname
		[http::]>rp	Request URL-Path excluding hostname from client
		[http::]<rp	Request URL-Path excluding hostname sento to server or peer
		[http::]rv	Request protocol version
		[http::]>rv	Request protocol version from client
		[http::]<rv	Request protocol version sent to server or peer
		[http::]<st	Sent reply size including HTTP headers
		[http::]>st	Received request size including HTTP headers. In the
				case of chunked requests the chunked encoding metadata
				are not included
		[http::]>sh	Received HTTP request headers size
		[http::]<sh	Sent HTTP reply headers size
		[http::]st	Request+Reply size including HTTP headers
		[http::]<sH	Reply high offset sent
		[http::]<sS	Upstream object size
		[http::]<pt	Peer response time in milliseconds. The timer starts
				when the last request byte is sent to the next hop
				and stops when the last response byte is received.
		[http::]<tt	Total server-side time in milliseconds. The timer 
				starts with the first connect request (or write I/O)
				sent to the first selected peer. The timer stops
				with the last I/O with the last peer.

	Squid handling related format codes:

		Ss	Squid request status (TCP_MISS etc)
		Sh	Squid hierarchy status (DEFAULT_PARENT etc)

	SSL-related format codes:

		ssl::bump_mode	SslBump decision for the transaction:

				For CONNECT requests that initiated bumping of
				a connection and for any request received on
				an already bumped connection, Squid logs the
				corresponding SslBump mode ("server-first" or
				"client-first"). See the ssl_bump option for
				more information about these modes.

				A "none" token is logged for requests that
				triggered "ssl_bump" ACL evaluation matching
				either a "none" rule or no rules at all.

				In all other cases, a single dash ("-") is
				logged.

	If ICAP is enabled, the following code becomes available (as
	well as ICAP log codes documented with the icap_log option):

		icap::tt        Total ICAP processing time for the HTTP
				transaction. The timer ticks when ICAP
				ACLs are checked and when ICAP
				transaction is in progress.

	If adaptation is enabled the following three codes become available:

		adapt::<last_h	The header of the last ICAP response or
				meta-information from the last eCAP
				transaction related to the HTTP transaction.
				Like <h, accepts an optional header name
				argument.

		adapt::sum_trs Summed adaptation transaction response
				times recorded as a comma-separated list in
				the order of transaction start time. Each time
				value is recorded as an integer number,
				representing response time of one or more
				adaptation (ICAP or eCAP) transaction in
				milliseconds.  When a failed transaction is
				being retried or repeated, its time is not
				logged individually but added to the
				replacement (next) transaction. See also:
				adapt::all_trs.

		adapt::all_trs All adaptation transaction response times.
				Same as adaptation_strs but response times of
				individual transactions are never added
				together. Instead, all transaction response
				times are recorded individually.

	You can prefix adapt::*_trs format codes with adaptation
	service name in curly braces to record response time(s) specific
	to that service. For example: %{my_service}adapt::sum_trs

	If SSL is enabled, the following formating codes become available:

		%ssl::>cert_subject The Subject field of the received client
				SSL certificate or a dash ('-') if Squid has
				received an invalid/malformed certificate or
				no certificate at all. Consider encoding the
				logged value because Subject often has spaces.

		%ssl::>cert_issuer The Issuer field of the received client
				SSL certificate or a dash ('-') if Squid has
				received an invalid/malformed certificate or
				no certificate at all. Consider encoding the
				logged value because Issuer often has spaces.

	The default formats available (which do not need re-defining) are:

logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
logformat common     %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
logformat combined   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
logformat referrer   %ts.%03tu %>a %{Referer}>h %ru
logformat useragent  %>a [%tl] "%{User-Agent}>h"

	NOTE: When the log_mime_hdrs directive is set to ON.
		The squid, common and combined formats have a safely encoded copy
		of the mime headers appended to each line within a pair of brackets.

	NOTE: The common and combined formats are not quite true to the Apache definition.
		The logs from Squid contain an extra status and hierarchy code appended.