Sawmill Discussion Forum - Squid proxy log analysis


	7.2.9

Sawmill Discussion Forum

Subject: "Squid proxy log analysis"

Archived thread - Read only
Previous Topic | Next Topic

Conferences Support Topic #1415
Printer-friendly copy Email this topic to a friend
Reading Topic #1415

gbdickinson
Member since May-16-03
6 posts

Feb-24-04, 07:52 PM (PDT)

Click to send private message to gbdickinson

Click to add this user to your buddy list

"Squid proxy log analysis"

Hello all

I have a weird issue. I am using 6.5.8 to analyze proxy logs from squid 2.4 running on Red Hat 8. I have logrotate configured to drop the access.log every morning at 4:00 am, and I have a configuration set to read the access.log.1.gz and add the data to the database. Sawmill autodetects the log format, but when I build the databse I get "Rebuilt database. (Reading log data from file /var/log/squid/.). Processed 859,637 lines, 57M of log data, added 429,818 entries in 7 minutes, 54 seconds."

Why is the added lines lower than the processed lines, and how would I go about finding out why it is adding lower? BTW - if I gunzip the access.log.1.gz file and count the lines in it, I get 429,819, and the log file is actually around 57 megs of data.

Printer-friendly page | Top

i21
Member since Mar-21-02
1791 posts

Feb-26-04, 07:51 AM (PDT)

1. "RE: Squid proxy log analysis"
In response to message #0

This is a technicality really. Sawmill’s processing engine reads some log formats differently to others.

In this format Sawmill may be making more than one "pass" on each line to create a "virtual log line" and so Sawmill counts this as two lines processed (as it has two jobs on that log line).

Basically it is nothing to worry about.

Cheers,
--
Graham

Printer-friendly page | Top

Conferences | Topics | Previous Topic | Next Topic

Home Lite Professional Enterprise Samples FAQ Downloads Purchase Manual Support Contact Us