dumb question: how to get http server IP into logs?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

dumb question: how to get http server IP into logs?

Jason Haar-2
Hi there

We're running squid-3.5.23 and use ICAP (if that makes a difference)

We also use logformat to include certain details in the logs - but I can't see an option for including the actual IP address that squid uses when attempting to fulfil an URL request. eg squid gets told to go to twitter.com, resolves that to 4 IPs, tries 1st - fails, tries 2nd - succeeds. I'd like to record that IP in the logs along with everything else. I can see variables for recording the client and squid-server IP - but not the web server?

Is that possible? I'm sure older (3.2) squid used to do that by default? (DIRECT/1.2.3.4?). All our logs are now "HIER_DIRECT"

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: dumb question: how to get http server IP into logs?

Amos Jeffries
Administrator
On 30/07/17 22:02, Jason Haar wrote:

> Hi there
>
> We're running squid-3.5.23 and use ICAP (if that makes a difference)
>
> We also use logformat to include certain details in the logs - but I
> can't see an option for including the actual IP address that squid uses
> when attempting to fulfil an URL request. eg squid gets told to go to
> twitter.com <http://twitter.com>, resolves that to 4 IPs, tries 1st -
> fails, tries 2nd - succeeds. I'd like to record that IP in the logs
> along with everything else. I can see variables for recording the client
> and squid-server IP - but not the web server?
>
> Is that possible? I'm sure older (3.2) squid used to do that by default?
> (DIRECT/1.2.3.4? <http://1.2.3.4?>). All our logs are now "HIER_DIRECT"
>

The code you are looking for is %<a .
<http://www.squid-cache.org/Doc/config/logformat/>
"Server IP address of the last server or peer connection"

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: dumb question: how to get http server IP into logs?

Eliezer Croitoru
I looked at:
http://www.squid-cache.org/Doc/config/logformat/

and the default squid logformat:
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

Seems to contain the desired pattern.
Am I missing something?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Monday, July 31, 2017 13:22
To: [hidden email]
Subject: Re: [squid-users] dumb question: how to get http server IP into logs?

On 30/07/17 22:02, Jason Haar wrote:

> Hi there
>
> We're running squid-3.5.23 and use ICAP (if that makes a difference)
>
> We also use logformat to include certain details in the logs - but I
> can't see an option for including the actual IP address that squid uses
> when attempting to fulfil an URL request. eg squid gets told to go to
> twitter.com <http://twitter.com>, resolves that to 4 IPs, tries 1st -
> fails, tries 2nd - succeeds. I'd like to record that IP in the logs
> along with everything else. I can see variables for recording the client
> and squid-server IP - but not the web server?
>
> Is that possible? I'm sure older (3.2) squid used to do that by default?
> (DIRECT/1.2.3.4? <http://1.2.3.4?>). All our logs are now "HIER_DIRECT"
>

The code you are looking for is %<a .
<http://www.squid-cache.org/Doc/config/logformat/>
"Server IP address of the last server or peer connection"

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: dumb question: how to get http server IP into logs?

Amos Jeffries
Administrator
On 31/07/17 23:49, Eliezer Croitoru wrote:
> I looked at:
> http://www.squid-cache.org/Doc/config/logformat/
>
> and the default squid logformat:
> logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
>
> Seems to contain the desired pattern.
> Am I missing something?

Jason's using a custom format. Sounds to me like they did not simply
copy the example and add bits, but rather made a fully custom one with
only their desired fields.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: dumb question: how to get http server IP into logs?

Jason Haar-2
In reply to this post by Eliezer Croitoru
Thanks for that guys. Dumb mistake - I had "%<A" in there instead of "%<a" :-/

(although it's so 'dumb' that I'm now wondering "did I originally chose that for a reason?". I've just lowercased it - I guess I'll see what breaks ;-)

On Mon, Jul 31, 2017 at 11:49 PM, Eliezer Croitoru <[hidden email]> wrote:
I looked at:
http://www.squid-cache.org/Doc/config/logformat/

and the default squid logformat:
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

Seems to contain the desired pattern.
Am I missing something?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: <a href="tel:%2B972-5-28704261" value="+972528704261">+972-5-28704261
Email: [hidden email]


-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Monday, July 31, 2017 13:22
To: [hidden email]
Subject: Re: [squid-users] dumb question: how to get http server IP into logs?

On 30/07/17 22:02, Jason Haar wrote:
> Hi there
>
> We're running squid-3.5.23 and use ICAP (if that makes a difference)
>
> We also use logformat to include certain details in the logs - but I
> can't see an option for including the actual IP address that squid uses
> when attempting to fulfil an URL request. eg squid gets told to go to
> twitter.com <http://twitter.com>, resolves that to 4 IPs, tries 1st -
> fails, tries 2nd - succeeds. I'd like to record that IP in the logs
> along with everything else. I can see variables for recording the client
> and squid-server IP - but not the web server?
>
> Is that possible? I'm sure older (3.2) squid used to do that by default?
> (DIRECT/1.2.3.4? <http://1.2.3.4?>). All our logs are now "HIER_DIRECT"
>

The code you are looking for is %<a .
<http://www.squid-cache.org/Doc/config/logformat/>
"Server IP address of the last server or peer connection"

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: dumb question: how to get http server IP into logs?

Eliezer Croitoru
I believe that it's better to ask then staying wondering why the "magic" machine works or doesn't.
There are only extreme cases which to my opinion should not be asked but since I know squid and back about 20 years I have yet to have found a question which shouldn't been asked.
(some needed to be prettified a bit but never to be held back)

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Jason Haar
Sent: Wednesday, August 9, 2017 11:16
To: squid-users <[hidden email]>
Subject: Re: [squid-users] dumb question: how to get http server IP into logs?

Thanks for that guys. Dumb mistake - I had "%<A" in there instead of "%<a" :-/

(although it's so 'dumb' that I'm now wondering "did I originally chose that for a reason?". I've just lowercased it - I guess I'll see what breaks ;-)

On Mon, Jul 31, 2017 at 11:49 PM, Eliezer Croitoru <mailto:[hidden email]> wrote:
I looked at:
http://www.squid-cache.org/Doc/config/logformat/

and the default squid logformat:
logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

Seems to contain the desired pattern.
Am I missing something?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: tel:%2B972-5-28704261
Email: mailto:[hidden email]


-----Original Message-----
From: squid-users [mailto:mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Monday, July 31, 2017 13:22
To: mailto:[hidden email]
Subject: Re: [squid-users] dumb question: how to get http server IP into logs?

On 30/07/17 22:02, Jason Haar wrote:

> Hi there
>
> We're running squid-3.5.23 and use ICAP (if that makes a difference)
>
> We also use logformat to include certain details in the logs - but I
> can't see an option for including the actual IP address that squid uses
> when attempting to fulfil an URL request. eg squid gets told to go to
> http://twitter.com <http://twitter.com>, resolves that to 4 IPs, tries 1st -
> fails, tries 2nd - succeeds. I'd like to record that IP in the logs
> along with everything else. I can see variables for recording the client
> and squid-server IP - but not the web server?
>
> Is that possible? I'm sure older (3.2) squid used to do that by default?
> (DIRECT/http://1.2.3.4? <http://1.2.3.4?>). All our logs are now "HIER_DIRECT"
>

The code you are looking for is %<a .
<http://www.squid-cache.org/Doc/config/logformat/>
"Server IP address of the last server or peer connection"

Amos
_______________________________________________
squid-users mailing list
mailto:[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
mailto:[hidden email]
http://lists.squid-cache.org/listinfo/squid-users




--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: dumb question: how to get http server IP into logs?

Amos Jeffries
Administrator
In reply to this post by Jason Haar-2
On 09/08/17 20:15, Jason Haar wrote:
> Thanks for that guys. Dumb mistake - I had "%<A" in there instead of
> "%<a" :-/
>
> (although it's so 'dumb' that I'm now wondering "did I originally chose
> that for a reason?". I've just lowercased it - I guess I'll see what
> breaks ;-)

Upper case is FQDN / rDNS hostname, you may have been trying to emulate
the Squid-2 log behaviour of log_fqdn directive for something processing
the Squid log.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Loading...