An extended log file contains a sequence of lines containing ASCII characters terminated by either a Line Feed (LF) or the sequence Carriage Return Line Feed (CRLF). Log file generators must follow the line termination convention for the platform on which they are run.
Log analyzers must accept either LF or CRLF form. Each line may contain either a directive or an entry. If you want to use the W3C Extended log format, enter W3C as the Log-Format argument in the log.conf file.
By default, the standard W3C log format is defined internally as the custom log format, shown as follows:
%{%Y-%m-%d%H:%M:%S}t %a %u %S %A %p %m %U %q %s %j %J %T %H %+{user-agent}i %+{cookie}i %+{referer}i
For a description of the meaning of each custom format argument, see Arguments for Defining a Custom Log Format on page 120. You can also change the order or remove some fields in this W3C log format. For example:
logFormat W3C %{%Y-%m-%d%H:%M:%S}t %m %U
W3C log entries are created with the following format:
2001-06-12 12:34:30 GET /sports/football.html
Entries
Entries consist of a sequence of fields relating to a single HTTP transaction. Fields are separated by white space; Citrix recommends the use of tab characters. If a field in a particular entry is not used, a dash (-) marks the omitted field.
Directives
Directives record information about the logging process. Lines beginning with the pound sign (#) contain directives.
The following table describes the directives.
Table 4-6. Directive Descriptions
Directive                       Description
Version: <integer>.<integer>    Displays the version of the extended log file format used. This document defines version 1.0.
Fields: [<specifier>...]        Identifies the fields recorded in the log.
Software: <string>              Identifies the software that generated the log.
Start-Date: <date> <time>       Displays the date and time at which the log was started.
End-Date: <date> <time>         Displays the date and time at which logging finished.
Date: <date> <time>             Displays the date and time when the entry was added.
Remark: <text>                  Displays comments. Analysis tools ignore data recorded in this field.
Note: The Version and Fields directives are required. They precede all other entries in the log file.
Example
The following sample log file shows the log entries in W3C Extended log format:
#Version: 1.0
#Fields: time cs-method cs-uri
#Date: 12-Jan-1996 00:00:00
00:34:23 GET /sports/football.html
12:21:16 GET /sports/football.html
12:45:52 GET /sports/football.html
12:57:34 GET /sports/football.html
Fields
The Fields directive lists a sequence of field identifiers that specify the information recorded in each entry. Field identifiers may have one of the following forms:
- identifier: Relates to the transaction as a whole.
- prefix-identifier: Relates to information transfer between parties defined by the value prefix.
- prefix(header): Specifies the value of the HTTP header field header for transfer between parties defined by the value prefix. Fields specified in this manner always have the type <string>.
The following table describes defined prefixes.
Table 4-7. Prefix Descriptions
Prefix    Specifies
c         Client
s         Server
r         Remote
cs        Client to server
sc        Server to client
sr        Server to remote server (prefix used by proxies)
rs        Remote server to server (prefix used by proxies)
x         Application-specific identifier
Examples
The following examples are defined identifiers that use prefixes:
cs-method: The method in the request sent by the client to the server.
sc(Referer): The Referer field in the reply.
c-ip: The IP address of the client.
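The rules above (LF or CRLF line endings, # directives, required Version and Fields directives, a dash for an omitted field, and the three field identifier forms) can be checked by a small analyzer. The following Python sketch is an added example, not code from this product or its documentation; the function names, the sample log, and the assumption that values contain no embedded white space are illustrative.

```python
import re

PREFIXES = {"c", "s", "r", "cs", "sc", "sr", "rs", "x"}  # Table 4-7
SPEC_RE = re.compile(r"(?P<hp>[a-z]+)\((?P<header>[^)]+)\)$"
                     r"|(?P<ip>[a-z]+)-(?P<ident>.+)$")

# Constructed sample: mixed CRLF/LF endings, one omitted field ("-").
SAMPLE = ("#Version: 1.0\r\n"
          "#Fields: time cs-method cs-uri sc(Referer)\n"
          "#Date: 12-Jan-1996 00:00:00\n"
          "00:34:23 GET /sports/football.html -\r\n"
          "12:21:16 GET /sports/football.html http://example.test/\n")


def classify(spec):
    """Split a field specifier into (prefix, identifier, header)."""
    m = SPEC_RE.match(spec)
    if m and m.group("hp") in PREFIXES:
        return (m.group("hp"), None, m.group("header"))
    if m and m.group("ip") in PREFIXES:
        return (m.group("ip"), m.group("ident"), None)
    return (None, spec, None)  # no prefix: date, time, time-taken, ...


def parse_log(text):
    """Return (directives, entries); each entry is a dict keyed by field."""
    directives, fields, entries = {}, None, []
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")  # accept LF or CRLF termination
        if not line.strip():
            continue
        if line.startswith("#"):  # directive line
            name, _, value = line[1:].partition(":")
            directives[name.strip()] = value.strip()
            if name.strip() == "Fields":
                fields = value.split()
            continue
        # Version and Fields are required and must precede all entries.
        if "Version" not in directives or fields is None:
            raise ValueError(f"line {n}: entry before #Version/#Fields")
        values = line.split()  # assumption: no whitespace inside a value
        if len(values) != len(fields):
            raise ValueError(f"line {n}: expected {len(fields)} fields")
        entries.append({f: None if v == "-" else v
                        for f, v in zip(fields, values)})
    return directives, entries


if __name__ == "__main__":
    d, e = parse_log(SAMPLE)
    print(d["Fields"], [classify(f) for f in d["Fields"].split()], e)
```

Rejecting entries that appear before the Fields directive, or whose value count does not match it, keeps a truncated or tampered log from being silently mapped to the wrong columns.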
Identifiers
The following table describes the W3C Extended log format identifiers that do not
Table 4-8. W3C Extended Log Format Identifiers (No Prefix Required)
Identifier    Description
date          The date on which the transaction was done.
time          The time when the transaction is done.
time-taken    The time taken (in seconds) for the transaction to complete.
bytes         The number of bytes transferred.
cached        Records whether a cache hit has occurred. A zero indicates a cache miss.
The following table describes the W3C Extended log format identifiers that require a prefix.
Table 4-9. W3C Extended Log Format Identifiers (Requires a Prefix)
Identifier    Description
IP            The IP address and the port number.
dns           The DNS name.
status        The status code.
comment       The comment returned with status code.
method        The method.
url           The URL.
url-stem      The stem portion of the URL.
url-query     The query portion of the URL.
The W3C Extended Log file format allows you to choose log fields. These fields are shown in the following table.
Table 4-10. W3C Extended Log File Format (Allows Log Fields)
Field               Description
Date                The date on which the transaction is done.
Time                The time when the transaction is done.
Client IP           The IP address of the client.
User Name           The user name.
Service Name        The service name, which is always HTTP.
Server IP           The server IP address.
Server Port         The server port number.
Method              The request method (for example, GET, POST).
Url Stem            The URL stem.
Url Query           The query portion of the URL.
Http Status         The status code in the response.
Bytes Sent          The number of bytes sent to the server (request size, including HTTP headers).
Bytes Received      The number of bytes received from the server (response size, including HTTP headers).
Time Taken          The time taken for transaction to complete, in seconds.
Protocol Version    The version number of HTTP being used by the client.
User Agent          The User-Agent field in the HTTP protocol.
Cookie              The Cookie field of the HTTP protocol.
Referer             The Referer field of the HTTP protocol.