Kevin wrote:
> On Fri, 25 Feb 2005 12:54:30 -0600, Kevin <kkadow@gmail.com> wrote:
> 
>>Has anybody put together a good patch for Squid (2.5.X) to record access
>>information via syslog instead of writing to disk? It looks like I could simply
>>modify logfilePrintf() in logfile.c?
> 
> 
> While it's bad form to reply to one's own post, yes, it really is that simple,
> I wrapped the logfilePrintf calls in access_log.c with if statements.
> 
> 
>>(P.S. Yes, I fully understand the various issues with and drawbacks of
>>using "syslog" for access logs, particularly across a network.)
> 
> 
> That said, here is a functional (beta) patch for sending access_log to syslog,
> use at your own risk. To enable syslog logging, change cache_access_log
> in squid.conf to read "cache_access_log syslog".

Hello Kevin,

yes, I also wanted to log access-log records via syslog to another 
machine (a log server in the same network) - I modified the code 
basically the same way you did.

But I noticed that the access-log on the log server was not complete! 
During peak time (when Squid served more than 150 requests/sec), there 
were lines of access-log lost. To be sure this was the case, I inserted 
a counter in every access-log line and really, there were gaps in the 
numbers in the access-log on the log server.

I guess the reason was that syslog logging over the network uses UDP and 
does not bother when it is overloaded.

So I had to change the logging logic to the following one:

- log only error (HTTP status code >= 400) access-log records via syslog
- log all access-log locally, but rotate the access-log regularly (so I 
  have the complete records for at least the last 10 hours)

Syslog on the log server holds all error access-logs for several days 
and if I am lucky and the error I am interested in occurred within the 
last 10 hours, I can check the complete log on the Squid machine.

Best regards,
Marji

Received on Mon Feb 28 2005 - 23:18:45 MST
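
Added example, not part of the original message or of Squid: a receiver-side check for the counter technique described in the reply above, finding which records never reached the log server. It assumes a hypothetical `seq=<n>` field that the sender stamps on each record it forwards (so with errors-only forwarding the counter counts forwarded records, not all requests); the sample lines are constructed.

```python
import re

# Assumption: the sender prefixes each forwarded record with "seq=<n>".
SEQ_RE = re.compile(r"\bseq=(\d+)\b")

def split_epochs(seqs, reorder_window=50):
    """Split arrival-order counters into runs. A drop of more than
    reorder_window is a counter restart; a smaller one is UDP reordering."""
    epochs, current, high = [], [], None
    for n in seqs:
        if high is not None and n < high - reorder_window:
            epochs.append(current)
            current, high = [], None
        current.append(n)
        high = n if high is None else max(high, n)
    if current:
        epochs.append(current)
    return epochs

def missing_ranges(epoch):
    """Inclusive (first, last) ranges absent between the lowest and highest
    counter seen. Records lost after the highest one cannot be detected."""
    nums = sorted(set(epoch))
    return [(a + 1, b - 1) for a, b in zip(nums, nums[1:]) if b - a > 1]

def audit(lines):
    """One list of missing ranges per counter epoch, in arrival order."""
    seqs = [int(m.group(1)) for m in map(SEQ_RE.search, lines) if m]
    return [missing_ranges(e) for e in split_epochs(seqs)]

# Constructed sample as it might arrive on the log server (not real traffic).
SAMPLE = [
    "Feb 28 23:00:01 proxy1 squid[812]: seq=101 TCP_MISS/404 GET http://example.com/a",
    "Feb 28 23:00:01 proxy1 squid[812]: seq=102 TCP_MISS/503 GET http://example.com/b",
    "Feb 28 23:00:02 proxy1 squid[812]: seq=104 TCP_DENIED/403 GET http://example.com/c",
    "Feb 28 23:00:02 proxy1 squid[812]: seq=103 TCP_MISS/404 GET http://example.com/d",
    "Feb 28 23:00:02 proxy1 cron[77]: unrelated line without a counter",
    "Feb 28 23:00:03 proxy1 squid[812]: seq=107 TCP_MISS/500 GET http://example.com/e",
    "Feb 28 23:05:10 proxy1 squid[990]: seq=1 TCP_MISS/404 GET http://example.com/f",
    "Feb 28 23:05:11 proxy1 squid[990]: seq=2 TCP_MISS/404 GET http://example.com/g",
    "Feb 28 23:05:12 proxy1 squid[990]: seq=5 TCP_MISS/502 GET http://example.com/h",
]

if __name__ == "__main__":
    for i, gaps in enumerate(audit(SAMPLE), 1):
        print(f"epoch {i}: missing {gaps}")
```

The missing ranges tell you which counters to look up in the complete local access-log on the Squid machine while it is still within the rotation window.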