On 05/04/18 21:39, Peter Viskup wrote:
> On Wed, Apr 4, 2018 at 5:42 PM, Amos Jeffries wrote:
>> On 04/04/18 21:15, Peter Viskup wrote:
>>> On Linux Virtual Server balanced cluster the %<la is empty when Squid
>>> errors ERR_ACCESS_DENIED or TCP_MEM_HIT are logged.
>>>
>>> This is causing issue when processing logs on remote machine (e.g.
>>> ELK). The "proxy node" cannot be differentiated.
>>
>> It sounds to me like you are misinterpreting what is happening and/or
>> using the wrong logformat tags/codes.
>>
>> The denied or HIT transactions you mention *do not* involve any upstream
>> server. Thus no upstream server connection. No logformat codes will log
>> details from a non-existing thing.
>>
>> So can you clarify what you mean by "Linux Virtual Server balanced
>> cluster" ?
>>
>> Is that a cluster of LB devices/VM in front (or behind) a Squid proxy?
>> or some Squid running on each node of the cluster?
>> or something else?
>
> Two VMs with heartbeat+ldirectord+LVS. Every server running the Squid
> proxy. The service IP with LVS configuration (managed by ldirectord)
> is made highly available.
>

Okay. So..

0) you could also configure a specific unique value in each Squid's
logformat definition. So it is explicitly present in all log lines
generated by that proxy / node.

... or if you need something more dynamic ...

1) you could use the "note" directive to algorithmically determine (in
its ACL matching) a value for %note to record in a shared logformat
definition on a per-request, per-node basis.

2) If you have OpenFlows or similar recording of the inbound TCP
connections you might use the %>a:%>p:%>la tuplet (client IP:port +
Squid-IP) to match up with other info about the client TCP connection.
That is the most reliable relationship (as the server connection range
from none to many).

[ note that %>la and %la may be different in the presence of NAT,
TPROXY, or PROXY protocol. ]

3) If the LVS is managing packet routing using TOS or packet markings
you could use the %>qos or %>nfmark to explicitly display those in the
log file.

4) If the VMs all have unique interface MAC/EUI addresses you could use
that uniqueness as node IDs with the %>eui code.

5) you could use all of the codes in #2, #3, and #4 for a 6-tuplet
identifier.

Amos
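
An added example, not part of the original thread: a log-side parser for option 0 combined with the client tuple from option 2, showing that denied and HIT lines stay attributable to a node even though %<la is logged as "-". The logformat name `nodelog`, the `node=proxy-a` / `node=proxy-b` literals, and the sample lines are hypothetical and constructed for illustration.

```python
import re
from collections import Counter

# Assumed squid.conf line on each node (the name "nodelog" and the
# node=... literal are hypothetical; only the literal differs per node):
#   logformat nodelog node=proxy-a %ts.%03tu %>a %>p %>la %<la %Ss/%03>Hs %rm %ru
# Fields are space-separated so IPv6 addresses in %>a / %>la stay unambiguous.
LINE_RE = re.compile(
    r"^node=(?P<node>\S+) (?P<ts>\d+\.\d{3}) "
    r"(?P<client_ip>\S+) (?P<client_port>\d+) (?P<squid_ip>\S+) "
    r"(?P<server_la>\S+) (?P<status>[A-Z_]+)/(?P<code>\d{3}) "
    r"(?P<method>\S+) (?P<url>\S+)$"
)

# Constructed sample lines: both nodes answer on the same service IP.
SAMPLE = """\
node=proxy-a 1522921140.101 198.51.100.7 40112 192.0.2.10 192.0.2.21 TCP_MISS/200 GET http://example.com/
node=proxy-a 1522921141.202 198.51.100.7 40113 192.0.2.10 - TCP_MEM_HIT/200 GET http://example.com/
node=proxy-b 1522921142.303 198.51.100.9 51844 192.0.2.10 - TCP_DENIED/403 GET http://blocked.example/
node=proxy-b 1522921143.404 2001:db8::5 51900 2001:db8::10 192.0.2.22 TCP_MISS/200 GET http://example.org/
""".splitlines()


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Squid logs "-" when there was no server connection (denied, cache HIT).
    rec["server_la"] = None if rec["server_la"] == "-" else rec["server_la"]
    return rec


def summarize(lines):
    """Count requests per node, and per node those with no server connection."""
    per_node, no_server = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        per_node[rec["node"]] += 1
        if rec["server_la"] is None:
            no_server[rec["node"]] += 1
    return per_node, no_server


if __name__ == "__main__":
    total, without_server = summarize(SAMPLE)
    for node in sorted(total):
        print(node, "requests:", total[node], "no upstream:", without_server[node])
```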