On Fri, 25 Feb 2005 12:54:30 -0600, Kevin <kkadow@xxxxxxxxx> wrote:
> > Has anybody put together a good patch for Squid (2.5.X) to record access information via syslog instead of writing to disk? It looks like I could simply modify logfilePrintf() in logfile.c?
>
> While it's bad form to reply to one's own post, yes, it really is that simple; I wrapped the logfilePrintf calls in access_log.c with if statements.
>
> (P.S. Yes, I fully understand the various issues with and drawbacks of using "syslog" for access logs, particularly across a network.)
>
> That said, here is a functional (beta) patch for sending access_log to syslog; use at your own risk. To enable syslog logging, change cache_access_log in squid.conf to read "cache_access_log syslog".

Hello Kevin,
yes, I also wanted to log access-log records via syslog to another machine (a log server in the same network) - I modified the code basically the same way you did.
But I noticed that the access-log on the log server was not complete! During peak time (when Squid served more than 150 requests/sec), lines of the access-log were lost. To be sure this was the case, I inserted a counter in every access-log line and really, there were gaps in the numbers in the access-log on the log server.
I guess the reason was that syslog logging over the network uses UDP and does not bother when it is overloaded.
So I had to change the logging logic to the following one:
- log only error (HTTP status code >= 400) access-log records via syslog
- log all access-log locally, but rotate the access-log regularly (so I have the complete records for at least the last 10 hours)

Syslog on the log server holds all error access-logs for several days and if I am lucky and the error I am interested in occurred within the last 10 hours, I can check the complete log on the Squid machine.
Best regards, Marji
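
The counter check described in the reply above, as an added example (not code from either poster or from Squid). It assumes each record carries its counter as a `seq=<n>` token, a format the thread does not show, and runs over constructed sample lines.

```python
import re

# Assumption: each record carries its counter as a "seq=<n>" token.
SEQ_RE = re.compile(r"\bseq=(\d+)\b")

# Constructed sample as received on the log server: 103 arrives late,
# 105 is duplicated, 104 and 106-108 never arrive, one line has no counter.
SAMPLE = """\
seq=101 1109357670.101 12 192.0.2.10 TCP_MISS/200 1534 GET http://example.com/ - DIRECT/198.51.100.7 text/html
seq=102 1109357670.140 8 192.0.2.11 TCP_HIT/200 912 GET http://example.com/a.css - NONE/- text/css
seq=105 1109357670.300 30 192.0.2.10 TCP_MISS/404 310 GET http://example.com/x - DIRECT/198.51.100.7 text/html
seq=103 1109357670.200 11 192.0.2.12 TCP_MISS/200 2048 GET http://example.com/b.js - DIRECT/198.51.100.7 text/javascript
seq=105 1109357670.300 30 192.0.2.10 TCP_MISS/404 310 GET http://example.com/x - DIRECT/198.51.100.7 text/html
syslogd: restart (constructed line without a counter)
seq=109 1109357671.010 5 192.0.2.13 TCP_MISS/503 0 GET http://example.com/y - DIRECT/198.51.100.7 -
"""

def find_gaps(lines):
    """Return (missing_ranges, duplicates, unparsed) for received lines.

    UDP can reorder and duplicate datagrams as well as drop them, so the
    counters are collected into a set before looking for holes; comparing
    each line with its neighbour would report late arrivals as loss.
    """
    seen, duplicates, unparsed = set(), 0, 0
    for line in lines:
        m = SEQ_RE.search(line)
        if m is None:
            unparsed += 1
            continue
        n = int(m.group(1))
        duplicates += n in seen
        seen.add(n)
    ordered = sorted(seen)
    missing = [(prev + 1, cur - 1)
               for prev, cur in zip(ordered, ordered[1:]) if cur - prev > 1]
    return missing, duplicates, unparsed

def lost_count(lines):
    """Number of records that never arrived between first and last seen."""
    return sum(end - start + 1 for start, end in find_gaps(lines)[0])

if __name__ == "__main__":
    missing, dups, bad = find_gaps(SAMPLE.splitlines())
    print("missing ranges:", missing, "lost:", lost_count(SAMPLE.splitlines()))
    print("duplicates:", dups, "lines without counter:", bad)
```

Records lost before the first or after the last counter received are invisible to this check, and a counter that restarts from zero would have to be split into separate runs first.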