Robert wrote: > 192.168.254.14 <User Removed> - [10/Jan/2003:17:05:35 -0500] "GET <snip>
This is in the excellent FAQ under "Squid Log Files? Check here: http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.6 - it explains the differences between the common log format (that you include above) and the native log format (shown below). > 1042457104.208 194 192.168.254.14 TCP_MISS/200 2109 GET The FAQ entry above also shows you how to convert the date in a native log format line like this one to a readable date using a line like this: #! /usr/bin/perl -p s/^\d+\.\d+/localtime $&/e; Feeding it the line you included above, I get "Mon Jan 13 03:25:04 2003...." > I am unsure why there are what appears to be two different kinds > of logging lines located in the logfile. This change appears sometime in > January of 2003 and I am at a loss as to how to read Snipped 2. Sounds plausible given the above timestamp. It looks like the server was running with the emulate_httpd_log tag set to on, then in January someone either commented it out or switched it to off. The FAQ recommends you keep the native format (which you apparently now have) and just use the above type of perl code to convert to human readable format when/if you need it. I've got an alias so it's a no-brainer. They suggest keeping the native log format because it has more info than the common log format. As of 3.0 and with a patch to 2.5Sx you can get enhanced and customizable logging via Henriks patch (see the post Henrik just made for the 3 things it does - I'm looking forward to trying it out in 3!). hth Adam
