Appendix D - Event Logging Formats

{HTTP header field name}cqh

Logs the information in the requested field of the client request HTTP header. For example, %<{Accept-Language}cqh> logs the Accept-Language: field in client request headers.

{HTTP header field name}pqh

Logs the information in the requested field of the proxy request HTTP header. For example, %<{Authorization}pqh> logs the Authorization: field in proxy request headers.

{HTTP header field name}psh

Logs the information in the requested field of the proxy response HTTP header. For example, %<{Retry-After}psh> logs the Retry-After: field in proxy response headers.

{HTTP header field name}ssh

Logs the information in the requested field of the server response HTTP header. For example, %<{Age}ssh> logs the Age: field in server response headers.

caun

The client authenticated username; result of the RFC931/ident lookup of the client username.

cfsc

The client finish status code; specifies whether the client request to Traffic Server was successfully completed (FIN) or interrupted (INTR).

chi

The IP address of the client's host machine.

cqbl

The client request transfer length; the body length in the client request to Traffic Server (in bytes).

cqhl

The client request header length; the header length in the client request to Traffic Server.

cqhm

The HTTP method in the client request to Traffic Server: GET, POST, and so on (subset of cqtx).

cqhv

The client request HTTP version.

cqtd

The client request timestamp. Specifies the date of the client request in the format yyyy-mm-dd, where yyyy is the 4-digit year, mm is the 2-digit month, and dd is the 2-digit day.

cqtn

The client request timestamp; date and time of the client's request (in the Netscape timestamp format).

cqtq

The client request timestamp, with millisecond resolution.

cqts

The client-request timestamp in Squid format; the time of the client request since January 1, 1970 UTC. Time is expressed in seconds, with millisecond resolution.

cqtt

The client request timestamp. The time of the client request in the format hh:mm:ss, where hh is the two-digit hour in 24-hour format, mm is the two-digit minutes value, and ss is the 2-digit seconds value (for example, 16:01:19).

cqtx

The full HTTP client request text, minus headers; for example,

GET http://www.company.com HTTP/1.0

In reverse proxy mode, Traffic Server logs the rewritten/mapped URL (according to the rules in the remap.config file), and not the pristine/unmapped URL. To configure Traffic Server to log the original, unmapped URL, set the variable proxy.config.url_remap.pristine_host_hdr in the records.config file to 1 .

cqu

The universal resource identifier (URI) of the request from client to Traffic Server (subset of cqtx ).

In reverse proxy mode, Traffic Server logs the rewritten/mapped URL (according to the rules in the remap.config file), and not the pristine/unmapped URL. To configure Traffic Server to log the original, unmapped URL, set the variable proxy.config.url_remap.pristine_host_hdr in the records.config file to 1 .

cquc

The client request canonical URL. This differs from cqu in that blanks (and other characters that might not be parsed by log analysis tools) are replaced by escape sequences. The escape sequence is a percentage sign followed by the ASCII code number in hex.

In reverse proxy mode, Traffic Server logs the rewritten/mapped URL (according to the rules in the remap.config file), and not the pristine/unmapped URL. To configure Traffic Server to log the original (unmapped) URL, set the proxy.config.url_remap.pristine_host_hdr variable in the records.config file to 1 .

cqup

The client request URL path; specifies the argument portion of the URL (everything after the host).
For example, if the URL is http://www.company.com/images/x.gif , then this field displays /images/x.gif

cqus

The client request URL scheme.

cquuc

The client request unmapped URL canonical. This field records a URL before it is remapped (reverse proxy mode).

crc

The cache result code; specifies how the cache responded to the request (HIT, MISS, and so on).

fsiz

The size of the file (n bytes) as seen by the origin server.

pfsc

The proxy finish status code; specifies whether the Traffic Server request to the origin server was successfully completed (FIN) or interrupted (INTR).

phn

The hostname of the Traffic Server that generated the log entry in collated log files.

phr

The proxy hierarchy route; the route Traffic Server used to retrieve the object.

pqbl

The proxy request transfer length; the body length in Traffic Server's request to the origin server.

pqhl

The proxy request header length; the header length in Traffic Server's request to the origin server.

pqsi

The proxy request server IP address (0 on cache hits and parent-ip for requests to parent proxies).

pqsn

The proxy request server name; the name of the server that fulfilled the request.

prcb

The number of proxy response bytes to the client from the cache.

prob

The number of proxy response bytes to the client from the origin server.

pscl

The length of the Traffic Server response to the client (in bytes).

psct

The content type of the document from server response header: (for example, img / gif ).

pshl

The header length in Traffic Server's response to the client.

psql

The proxy response transfer length in Squid format (includes header and content length).

pssc

The HTTP response status code from Traffic Server to the client.

shi

The IP address resolved from the DNS name lookup of the host in the request. For hosts with multiple IP addresses, this field records the IP address resolved from that particular DNS lookup.
This can be misleading for cached documents. For example: if the first request was a cache miss and came from IP1 for server S and the second request for server S resolved to IP2 but came from the cache, then the log entry for the second request will show IP2.

shn

The hostname of the origin server.

sscl

The response length (in bytes) from origin server to Traffic Server.

sshl

The header length in the origin server response to Traffic Server (in bytes).

sshv

The server response HTTP version (1.0, 1.1, etc.).

sssc

The HTTP response status code from origin server to Traffic Server.

ttms

The time Traffic Server spends processing the client request; the number of milliseconds between the time the client establishes the connection with Traffic Server and the time Traffic Server sends the last byte of the response back to the client.

ttmsf

The time Traffic Server spends processing the client request as a fractional number of seconds. Time is specified in millisecond resolution; however, instead of formatting the output as an integer (as with ttms), the display is formatted as a floating-point number representing a fractional number of seconds.
For example: if the time is 1500 milliseconds, then this field displays 1.5 while the ttms field displays 1500 and the tts field displays 1.

tts

The time Traffic Server spends processing the client request; the number of seconds between the time at which the client establishes the connection with Traffic Server and the time at which Traffic Server sends the last byte of the response back to the client.

time

cqts

elapsed

ttms

client

chi

action/code

crc/pssc

size

psql

method

cqhm

url

cquc

ident

caun

hierarchy/from

phr/pqsn

content

psct

host

chi

usr

caun

[time]

[cqtn]

"req"

"cqtx"

s1

pssc

c1

pscl

host

chi

usr

caun

[time]

[cqtn]

"req"

"cqtx"

s1

pssc

c1

pscl

s2

sssc

c2

sscl

b1

cqbl

b2

pqbl

h1

cqhl

h2

pshl

h3

pqhl

h4

sshl

xt

tts

host

chi

usr

caun

[time]

[cqtn]

"req"

"cqtx"

s1

pssc

c1

pscl

s2

sssc

c2

sscl

b1

cqbl

b2

pqbl

h1

cqhl

h2

pshl

h3

pqhl

h4

sshl

xt

tts

route

phr

pfs

cfsc

ss

pfsc

crc

crc