
Ironport & Squid log interpretation

Useful compilation for Squid-based proxies.

Log entry:

1215535247.487 123 172.20.11.222 TCP_MISS/200 14148 GET http://www.cisco.com/ DIRECT/www.cisco.com text/html

Interpretation of all fields:

1215535247.487 = %t Time stamp in Unix time

123 = %e elapsed time

172.20.11.222 = %a Client IP address

TCP_MISS = %w Transactional result code
  • NONE – Neither a hit nor a miss, indicates an error in the transaction
  • TCP_MEM_HIT – Object was cached in memory
  • TCP_DENIED – Access was denied for this request.
  • TCP_HIT – A valid copy of the requested object was in the cache.
  • TCP_MISS – The requested object was not in the cache.
  • TCP_REFRESH_HIT – An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and the response was “Not Modified.”
  • TCP_REFRESH_FAIL_HIT – An expired copy of the requested object was in the cache. Squid attempted to make an If-Modified-Since request, but it failed. The old (stale) object was delivered to the client.
  • TCP_REFRESH_MISS – An expired copy of the requested object was in the cache. Squid made an If-Modified-Since request and received a new, different object.
  • TCP_CLIENT_REFRESH – The client issued a request with the “no-cache” pragma. (“reload” – handled as MISS)
  • TCP_IMS_HIT – An If-Modified-Since GET request was received from the client. A valid copy of the object was in the cache (fresh).
  • TCP_IMS_MISS – An If-Modified-Since GET request was received from the client. The requested object was not in the cache (stale).
  • TCP_SWAPFAIL – The object was believed to be in the cache, but could not be accessed.
200 = %h HTTP Response Code
  • 200 – OK
  • 204 – No Content
  • 206 – Partial content
  • 301 – Moved Permanently
  • 302 – Found (over there)
  • 304 – Not modified
  • 305 – Use Proxy
  • 307 – Temporary Redirect
  • 401 – Unauthorized
  • 403 – Forbidden
  • 404 – Not Found
  • 405 – Method not allowed
  • 407 – Proxy Authorization Required
  • 503 – Service Unavailable
  • 504 – Gateway timeout
14148 = %s Total bytes transferred

GET http://www.cisco.com/ = %r Request method URI

DIRECT/www.cisco.com = %H – Cache hierarchy retrieval
  • NONE – No request made
  • DIRECT – request went directly to server
  • DEFAULT_PARENT – Single upstream proxy or failover
  • LEASTBUSY_PARENT – Fewest Connections
  • HASHBASED_PARENT – Hash based load balancing
  • LEASTRECENT_PARENT – Least recently used
  • ROUNDROBIN_PARENT – Round robin load balancing
text/html = %c – MIME content type/subtype
  • text/plain – simple text

To convert the time stamp into a human-readable format, I use this formula in Excel:

=((A1/86400)+25569)

If you then set the cell format to

dd/mm/yyyy hh:mm:ss.000

you will get a readable date and time.
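The same interpretation can be scripted. The following is an added example, not part of the original post: it splits an entry into the fields listed above, converts the time stamp to UTC (the same value the Excel formula gives), and counts denied or unauthenticated requests per client. It assumes the exact field layout of the sample entry; the function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Layout as in the page's sample entry: %t %e %a %w/%h %s %r %H %c
LINE_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<uri>\S+)\s+"
    r"(?P<hierarchy>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
)

def parse_line(line):
    """Split one access-log entry into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Parse the stamp as integers to avoid float rounding; Unix time is UTC,
    # which is also what the Excel formula on the page produces.
    secs, _, frac = rec.pop("ts").partition(".")
    rec["time"] = datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(
        microsecond=int(frac[:6].ljust(6, "0")))
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def denied_by_client(lines):
    """Count TCP_DENIED / 403 / 407 entries per client IP, skipping unparsable lines."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] == "TCP_DENIED" or rec["status"] in (403, 407):
            counts[rec["client"]] += 1
    return counts

# First line is the page's sample entry; the rest are constructed for illustration.
SAMPLE = [
    "1215535247.487 123 172.20.11.222 TCP_MISS/200 14148 GET http://www.cisco.com/ DIRECT/www.cisco.com text/html",
    "1215535250.010 4 172.20.11.223 TCP_DENIED/403 1512 GET http://blocked.example/ NONE/- text/html",
    "1215535251.200 2 172.20.11.223 TCP_DENIED/407 1730 CONNECT mail.example:443 NONE/- text/html",
    "truncated entry without enough fields",
]

if __name__ == "__main__":
    first = parse_line(SAMPLE[0])
    print(first["time"].isoformat(), first["result"], first["status"], first["hierarchy"])
    print(dict(denied_by_client(SAMPLE)))
```

Entries with extra trailing fields still parse, because the pattern is not anchored at the end of the line; entries whose field order differs from the sample return None and are skipped.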

  1. john aebb
    December 17, 2013 at 8:17 am

    Thanks a lot for your help buddy
