Schema ID: proxy
Timestamp Field: time
This DLF file is adequate to represent the most common information about web proxy events. It has the same information as found in the log files of most proxy-like servers.
This schema is adequate for proxy servers beyond web proxy servers. It can be used for SOCKS and other types of connection-level proxies.
The DLF schema was designed by studying the WebTrends Enhanced Log Format and Squid log files, and by considering SOCKS-type servers.
Fields in the Schema
Type: timestamp
Defaults: 0
The time at which the request was initiated.
Type: ip
Defaults: -
The IP address of the client.
Type: hostname
Defaults: -
The hostname of the client.
Type: string
Defaults: -
If the client was authenticated, this field should contain the authenticated username.
Type: duration
Defaults: 0
The time taken by the connection.
Type: string
Defaults: -
Result code for the cache: TCP_MISS, TCP_HIT, etc. The list is available on the Squid page and in squid_access2dlf(1). All DLF converters should map their native values to Squid's, which are very complete and exhaustive.
Type: int
Defaults: -
HTTP result of the request, e.g. 200 or 404.
Type: string
Defaults: -
The protocol of the proxied request: ftp, http, https, telnet, etc.
Type: string
Defaults: -
The protocol used between the client and the proxy server. This is probably TCP, but can be UDP in some cases (like SOCKS or ICP).
Type: ip
Defaults: -
The IP address of the destination.
Type: hostname
Defaults: -
The hostname of the destination. In the case of a web proxy, that will be the website.
Type: port
Defaults: -
Port of the destination used in the IP session.
Type: string
Defaults: -
This field should only be defined in the case of web proxy requests. It should contain the HTTP method requested, like GET or POST.
Type: url
Defaults: -
This field should only be defined in the case of web proxy requests. It should contain the URL requested on the remote server.
Type: bytes
Defaults: -
The number of bytes transferred from the proxy server to the client.
Type: string
Defaults: -
This field should only be defined for web proxy servers. It should contain the MIME type of the HTTP request's result (e.g. text/html or image/jpeg).
Type: string
Defaults: -
This field contains the name of the configuration rule that was used to accept or deny the request.
Type: string
Defaults: -
The user agent used by the client, e.g. 'Mozilla/4.0 (compatible; MSIE 5.0; Win32)' or 'Outlook Express/5.0 (MSIE 5.0; Windows 98; DigExt)'.
Type: string
Defaults: -
Code qualifying the next two fields (i.e. NONE, DIRECT, PARENT_HIT, etc.). All DLF converters should map their native values to Squid's, which are very complete and exhaustive.
Type: ip
Defaults: -
The IP address of the server which handled the request, i.e. the destination or another cache.
Type: hostname
Defaults: -
The hostname of the server that handled the request and gave the result.
Type: port
Defaults: -
Port on the referring host used in the IP session.
Type: string
Defaults: -
This field contains either the value block or pass. It is used when access control is based on content filtering.
Type: string
Defaults: -
If the proxy server is doing content analysis, this field should contain the category for the requested website.
Type: int
Defaults: -
Level can be 1 or 2: 1 means "no no" categories and 2 means "family fun" categories. This was taken from the WELF specification.
Type: string
Defaults: -
Like cat_site, but for the actual page.
Type: int
Defaults: -
Like catlevel_site, but for the actual page.
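The mapping a converter performs for the fields described above can be sketched as follows. This is an added example, not code from Lire or squid_access2dlf: it parses Squid's native access.log layout and keeps the "-" default for anything the line does not carry. The dictionary keys are descriptive labels chosen for this example, not the schema's field names, and expressing the duration in seconds is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit
DEFAULT = "-"  # default the schema gives its string, ip, hostname and port fields
PORTS = {"http": 80, "https": 443, "ftp": 21}
# Squid native access.log layout (Squid's format, not defined on this page):
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(r"(\d+)(?:\.\d+)?\s+(\d+)\s+(\S+)\s+([A-Z_]+)/(\d{3})\s+(\d+)\s+"
                  r"(\S+)\s+(\S+)\s+(\S+)\s+([A-Z_]+)/(\S+)\s+(\S+)")
SAMPLE = [  # constructed lines, documentation address ranges only
    "1066036250.603 115 192.0.2.10 TCP_MISS/200 4512 GET "
    "http://www.example.org/index.html alice DIRECT/198.51.100.7 text/html",
    "1066036251.020 3021 192.0.2.11 TCP_MISS/200 3920 CONNECT "
    "mail.example.net:443 - DIRECT/203.0.113.5 -",
]

def split_addr(value):
    """Return (ip, hostname); the half that does not apply keeps the default."""
    try:
        ipaddress.ip_address(value)
        return value, DEFAULT
    except ValueError:
        return DEFAULT, value

def squid_to_record(line):
    """Map one Squid line to the fields described above; None if malformed."""
    m = LINE.fullmatch(line.strip())
    if m is None:
        return None
    time, ms, client, cache, status, size, method, url, user, hier, peer, mime = m.groups()
    try:
        if method == "CONNECT":  # tunnel target is host:port, it has no scheme
            host, _, port = url.rpartition(":")
            scheme = DEFAULT
        else:
            parts = urlsplit(url)
            scheme, host = parts.scheme or DEFAULT, parts.hostname
            port = parts.port or PORTS.get(parts.scheme, DEFAULT)
    except ValueError:  # logged URL with a bad port or broken bracketed host
        return None
    rec = {"time": int(time), "duration_s": int(ms) / 1000, "user": user,
           "cache_result": cache, "http_status": int(status), "protocol": scheme,
           "dest_port": int(port) if str(port).isdigit() else DEFAULT,
           "method": method, "url": url, "bytes": int(size),
           "mime_type": mime, "hierarchy_code": hier}
    rec["client_ip"], rec["client_host"] = split_addr(client)
    rec["dest_ip"], rec["dest_host"] = split_addr((host or DEFAULT).strip("[]"))
    rec["server_ip"], rec["server_host"] = split_addr(peer)
    return rec
```

Returning None for a line that does not match, rather than guessing at fields, keeps malformed or client-influenced log content out of the normalized records.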