How do I configure Inktomi Traffic Server to produce WELF log files?


This article applies to:

  • Firewall Suite

Question:

How do I configure Inktomi Traffic Server to produce WELF log files?

Procedure:

For versions of Traffic Server earlier than 4.0:

To activate custom logging you must manually define an entry for WELF in the logs.config file.

To manually define an entry:

  1. Open the logs.config file in a text editor.

  2. Insert the following, making sure that it is all entered on a single line:

    format:enabled:1:welf:id=firewall time="%<cqtd> %<cqtt>" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg="%<cqup>" result=%<pssc> ref="%<{Referer}cqh>" agent="%<{user-agent}cqh>" cache=%<crc>:welf:ASCII:# INKTOMI WELF

  3. If the logs.config file already contains another custom format, change the 1 in format:enabled:1 to a number that is not used by any of the other formats (each format should have a unique identifier).
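
Added example, not part of the original article or of Traffic Server: a Python check that each line of the resulting log matches the field layout defined by the entry in step 2, so that truncated or malformed records are flagged instead of being silently mis-parsed. The sample records, including their host names, addresses and values, are constructed for illustration.

```python
import re

# Format string copied from the logs.config entry in step 2.
WELF_FORMAT = (
    'id=firewall time="%<cqtd> %<cqtt>" fw=%<phn> pri=6 proto=%<cqus> '
    'duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> '
    'dstname=%<shn> user=%<caun> op=%<cqhm> arg="%<cqup>" result=%<pssc> '
    'ref="%<{Referer}cqh>" agent="%<{user-agent}cqh>" cache=%<crc>'
)

# A key=value pair; the value is double-quoted or a run of non-space characters.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Field order defined by the entry; every well-formed record must match it.
EXPECTED_KEYS = [m.group(1) for m in PAIR.finditer(WELF_FORMAT)]


def parse_welf(line):
    """Return (fields, problems) for one log line."""
    pairs = [(m.group(1), m.group(3) if m.group(2) is None else m.group(2))
             for m in PAIR.finditer(line)]
    fields, keys, problems = dict(pairs), [k for k, _ in pairs], []
    if keys != EXPECTED_KEYS:
        missing = [k for k in EXPECTED_KEYS if k not in fields]
        extra = [k for k in keys if k not in EXPECTED_KEYS]
        problems.append(f"layout mismatch: missing={missing} extra={extra}")
    residue = PAIR.sub("", line).strip()  # text that no key=value pair covers
    if residue:
        problems.append(f"unparsed text: {residue!r}")
    return fields, problems


# Constructed sample records (hosts, addresses and values are illustrative).
GOOD = (
    'id=firewall time="2006-04-13 10:15:02" fw=proxy1.example.com pri=6 '
    'proto=http duration=0.120 sent=5120 rcvd=312 src=192.0.2.10 '
    'dst=198.51.100.7 dstname=www.example.org user=jdoe op=GET '
    'arg="/docs/index.html?lang=en" result=200 ref="http://www.example.org/" '
    'agent="Mozilla/4.0 (compatible; MSIE 6.0)" cache=TCP_MISS'
)
TRUNCATED = GOOD[:GOOD.index(" agent=")]  # record cut off before agent/cache

if __name__ == "__main__":
    for name, line in (("good", GOOD), ("truncated", TRUNCATED)):
        fields, problems = parse_welf(line)
        print(name, "->", problems or "ok", "| arg =", fields.get("arg"))
```

The quoted fields (arg, ref, agent) carry client-supplied text, which is why the parser consumes a quoted value whole before looking for the next key.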


For versions of Traffic Server 4.0 and later:

Traffic Server versions 4.0 and later support the WELF format in the XML-based custom configuration format as well as in the traditional custom log format. These versions have predefined entries for WELF in both the logs.config and logs_xml.config files, so you do not have to configure them manually.

Notes:

Traffic Server stores all log files in the directory specified by the Log Directory text box in the Logging page of the Configure tab in the user interface of the WebTrends application. This is equivalent to the configuration variable located in the records.config file:

    proxy.config.log2.logfile_dir

The actual log file you should use depends on the configuration of the Traffic Server. Normally this file is called welf.log, but you may change the name to your liking.

The Traffic Server can output access logs in several built-in formats (squid, Netscape common, extended, and extended2) or in user-defined custom formats. Support for the WebTrends Extended Log File (WELF) format is achieved through the custom log facility.

Before you can use the custom log facility of Traffic Server, you must perform the following operations:

  • Define a custom format.

  • Activate custom logging.


These operations are discussed in the following section.

The Traffic Server provides two ways of defining a custom format. One is the "traditional" style, using the configuration file logs.config. While this style is very simple to use, it is not particularly flexible. The second way to define a custom format involves a more powerful and flexible XML-based style that uses the logs_xml.config file. If you are using a Traffic Server version earlier than 4.0, support for the WebTrends Extended Log File (WELF) format is limited to the "traditional" style. However, versions 4.0 and later support both the traditional and the XML-based styles.

This article was previously published as:
NETIQKB1496

Last Modified 4/13/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10275.aspx