Managing Logs

Traffic Server enables you to control where event log files are located and how much space they can consume. Additionally, you can specify how to handle low disk space in the logging directory.

Choosing the Logging Directory

By default, Traffic Server writes all event log files in the logs directory located in the directory where you installed Traffic Server. To change this location, adjust the value of :ts:cv:`proxy.config.log.logfile_dir` in records.config. You will need to either restart Traffic Server or run the command traffic_line -x for changes to take effect.

Controlling Logging Space

Traffic Server enables you to control the amount of disk space that the logging directory can consume. This allows the system to operate smoothly within a specified space window for a long period of time. After you establish a space limit, Traffic Server continues to monitor the space in the logging directory. When the free space dwindles to the headroom limit, it enters a low space state and takes the following actions:

• If the autodelete option (discussed in Rolling Logs) is enabled, then Traffic Server identifies previously-rolled log files (log files with the .old extension). It starts deleting files one by one, beginning with the oldest file, until it emerges from the low state. Traffic Server logs a record of all deleted files in the system error log.
• If the autodelete option is disabled or there are not enough old log files to delete for the system to emerge from its low space state, then Traffic Server issues a warning and continues logging until space is exhausted. When available space is consumed, event logging stops. Traffic Server resumes event logging when enough space becomes available for it to exit the low space state. To make space available, either explicitly increase the logging space limit or remove files from the logging directory manually.

You can run a cron(8) script in conjunction with Traffic Server to automatically remove old log files from the logging directory before Traffic Server enters the low space state. Relocate the old log files to a temporary partition, where you can run a variety of log analysis scripts. Following analysis, either compress the logs and move to an archive location, or simply delete them.

Setting Log File Management Options

To set log management options, follow the steps below:

1. In the records.config file, edit the following variables
   • :ts:cv:`proxy.config.log.max_space_mb_for_logs`
   • :ts:cv:`proxy.config.log.max_space_mb_headroom`
2. Run the command traffic_line -x to apply the configuration changes.

Rolling Logs

Traffic Server provides automatic log file rolling. At specific intervals during the day or when log files reach a certain size, Traffic Server closes its current set of log files and opens new log files. Depending on the amount of traffic your servers are exposed to, you may find that increasing the frequency of log rolling is beneficial, or even necessary, to maintain manageable log file sets. Traffic Server nodes processing moderately high levels of traffic may want to start by rolling logs every six hours, and adjusting from there.

Log file rolling offers the following benefits:

• It defines an consistent interval over which log analysis can be performed.
• It keeps any single log file from becoming too large and helps to keep the logging system within the specified space limits.
• It provides an easy way to identify files that are no longer being used so that an automated script can clean the logging directory and run log analysis programs.

Rolled Log Filename Format

Traffic Server provides a consistent naming scheme for rolled log files that enables you to easily identify log files. When Traffic Server rolls a log file, it saves and closes the old file before it starts a new file. Traffic Server renames the old file to include the following information:

• The format of the file (such as squid.log).
• The hostname of the Traffic Server that generated the log file.
• Two timestamps separated by a hyphen (-). The first timestamp is a lower bound for the timestamp of the first record in the log file. The lower bound is the time when the new buffer for log records is created. Under low load, the first timestamp in the filename can be different from the timestamp of the first entry. Under normal load, the first timestamp in the filename and the timestamp of the first entry are similar. The second timestamp is an upper bound for the timestamp of the last record in the log file (this is normally the rolling time).
• The suffix .old, which makes it easy for automated scripts to find rolled log files.

Timestamps have the following format:

%Y%M%D.%Hh%Mm%Ss-%Y%M%D.%Hh%Mm%Ss

The following table describes the format:

Format	Description	Sample
%Y	The year in four-digit format.	2000
%M	The month in two-digit format, from 01-12.	07
%D	The day in two-digit format, from 01-31.	19
%H	The hour in two-digit format, from 00-23.	21
%M	The minute in two-digit format, from 00-59.	52
%S	The second in two-digit format, from 00-59.	36

The following is an example of a rolled log filename:

squid.log.mymachine.20110912.12h00m00s-20000913.12h00m00s.old

The logging system buffers log records before writing them to disk. When a log file is rolled, the log buffer might be partially full. If it is, then the first entry in the new log file will have a timestamp earlier than the time of rolling. When the new log file is rolled, its first timestamp will be a lower bound for the timestamp of the first entry.

For example, suppose logs are rolled every three hours, and the first rolled log file is:

squid.log.mymachine.20110912.12h00m00s-19980912.03h00m00s.old

If the lower bound for the first entry in the log buffer at 3:00:00 is 2:59:47, then the next log file will have the following timestamp when rolled:

squid.log.mymachine.20110912.02h59m47s-19980912.06h00m00s.old

The contents of a log file are always between the two timestamps. Log files do not contain overlapping entries, even if successive timestamps appear to overlap.

Rolling Intervals

Log files are rolled at specific intervals relative to a given hour of the day. Three options may be used to control when log files are rolled:

• A file size threshold, which will prevent any individual log from growing too large.
• The offset hour, which is an hour between 0 (midnight) and 23.
• The rolling interval.

Both the offset hour and the rolling interval determine when log file rolling starts. Rolling occurs every rolling interval and at the offset hour. For example, if the rolling interval is six hours and the offset hour is 0 (midnight), then the logs will roll at midnight (00:00), 06:00, 12:00, and 18:00 each day. If the rolling interval is 12 hours and the offset hour is 3, then logs will roll at 03:00 and 15:00 each day.

To set log file rolling options and/or configure Traffic Server to roll log files when they reach a certain size, adjust the following settings in records.config:

1. Enable log rolling with :ts:cv:`proxy.config.log.rolling_enabled`.

   CONFIG proxy.config.log.rolling_enabled INT 1
   

2. Configure the upper limit on log file size with :ts:cv:`proxy.config.log.rolling_size_mb`.

   CONFIG proxy.config.log.rolling_size_mb INT 1024
   

3. Set the offset hour with :ts:cv:`proxy.config.log.rolling_offset_hr`.

   CONFIG proxy.config.log.rolling_offset_hr INT 0
   

4. Set the interval (in seconds) with :ts:cv:`proxy.config.log.rolling_interval_sec`.

   CONFIG proxy.config.log.rolling_interval_sec INT 21600
   

5. Run the command traffic_line -x to apply the configuration changes.

You can fine-tune log file rolling settings for a custom log file in the LogObject specification in logs_xml.config. The custom log file uses the rolling settings in its LogObject, which override the default settings you specify in Traffic Manager or records.config described above.

Separating Logs by Origin

The default log_hosts.config file is located in the Traffic Server config directory. To record HTTP transactions for different origin servers in separate log files, you must specify the hostname of each origin server on a separate line in log_hosts.config. For example, if you specify the keyword sports, then Traffic Server records all HTTP transactions from sports.yahoo.com and www.foxsports.com in a log file called squid-sports.log (if the Squid format is enabled).

重要

If Traffic Server is clustered and you enable log file collation, then you should use the same log_hosts.config file on every Traffic Server node in the cluster.

To edit the log hosts list:

1. Enter the hostname of each origin server on a separate line in log_hosts.config.

   webserver1
   webserver2
   webserver3
   

2. Run the command traffic_ctl config reload to apply the changes.