summaryrefslogtreecommitdiffstats
path: root/doc/qslog.1.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/qslog.1.html')
-rw-r--r--doc/qslog.1.html146
1 files changed, 146 insertions, 0 deletions
diff --git a/doc/qslog.1.html b/doc/qslog.1.html
new file mode 100644
index 0000000..349bf22
--- /dev/null
+++ b/doc/qslog.1.html
@@ -0,0 +1,146 @@
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML><HEAD><TITLE>Man page of QSLOG</TITLE>
+<META name='KeyWords' content='Quality of Service, QoS, Apache Web Server, Web application security, WAF, Open Source Software, Security, Proxy'/>
+<META name='author' content='Pascal Buchbinder' />
+</HEAD><BODY>
+<H1>QSLOG</H1>
+Section: qslog man page (1)<BR>Updated: May 2023<BR><A HREF="#index">Index</A>
+<A HREF="index.html#utilities">Return to Main Contents</A><HR>
+
+<P>
+<A NAME="lbAB">&nbsp;</A>
+<H2>NAME</H2>
+
+qslog - collects request statistics from access log data.
+<A NAME="lbAC">&nbsp;</A>
+<H2>SYNOPSIS</H2>
+
+qslog -f &lt;format_string&gt; -o &lt;out_file&gt; [-p[c|u[c]] [-v]] [-x [&lt;num&gt;]] [-u &lt;name&gt;] [-m] [-c &lt;path&gt;]
+<A NAME="lbAD">&nbsp;</A>
+<H2>DESCRIPTION</H2>
+
+qslog is a real time access log analyzer. It collects the data from stdin. The output is written to the specified file every minute and includes the following entries:
+<BR>&nbsp;&nbsp;-&nbsp;requests&nbsp;per&nbsp;second&nbsp;(r/s)
+<BR>&nbsp;&nbsp;-&nbsp;number&nbsp;of&nbsp;requests&nbsp;within&nbsp;measured&nbsp;time&nbsp;(req)
+<BR>&nbsp;&nbsp;-&nbsp;bytes&nbsp;sent&nbsp;to&nbsp;the&nbsp;client&nbsp;per&nbsp;second&nbsp;(b/s)
+<BR>&nbsp;&nbsp;-&nbsp;bytes&nbsp;received&nbsp;from&nbsp;the&nbsp;client&nbsp;per&nbsp;second&nbsp;(ib/s)
+<BR>&nbsp;&nbsp;-&nbsp;response&nbsp;status&nbsp;codes&nbsp;within&nbsp;the&nbsp;last&nbsp;minute&nbsp;(1xx,2xx,3xx,4xx,5xx)
+<BR>&nbsp;&nbsp;-&nbsp;average&nbsp;response&nbsp;duration&nbsp;(av)
+<BR>&nbsp;&nbsp;-&nbsp;average&nbsp;response&nbsp;duration&nbsp;in&nbsp;milliseconds&nbsp;(avms)
+<BR>&nbsp;&nbsp;-&nbsp;distribution&nbsp;of&nbsp;response&nbsp;durations&nbsp;in&nbsp;seconds&nbsp;within&nbsp;the&nbsp;last&nbsp;minute
+(&lt;1s,1s,2s,3s,4s,5s,&gt;5s)
+<BR>&nbsp;&nbsp;-&nbsp;distribution&nbsp;of&nbsp;response&nbsp;durations&nbsp;faster&nbsp;than&nbsp;a&nbsp;second&nbsp;within&nbsp;the&nbsp;last&nbsp;minute
+(0-49ms,50-99ms,100-499ms,500-999ms)
+<BR>&nbsp;&nbsp;-&nbsp;number&nbsp;of&nbsp;established&nbsp;(new)&nbsp;connections&nbsp;within&nbsp;the&nbsp;measured&nbsp;time&nbsp;(esco)
+<BR>&nbsp;&nbsp;-&nbsp;average&nbsp;system&nbsp;load&nbsp;(sl)
+<BR>&nbsp;&nbsp;-&nbsp;free&nbsp;memory&nbsp;(m)&nbsp;(not&nbsp;available&nbsp;for&nbsp;all&nbsp;platforms)
+<BR>&nbsp;&nbsp;-&nbsp;number&nbsp;of&nbsp;client&nbsp;ip&nbsp;addresses&nbsp;seen&nbsp;withn&nbsp;the&nbsp;last&nbsp;600&nbsp;seconds&nbsp;(ip)
+<BR>&nbsp;&nbsp;-&nbsp;number&nbsp;of&nbsp;different&nbsp;users&nbsp;seen&nbsp;withn&nbsp;the&nbsp;last&nbsp;600&nbsp;seconds&nbsp;(usr)
+<BR>&nbsp;&nbsp;-&nbsp;number&nbsp;of&nbsp;events&nbsp;identified&nbsp;by&nbsp;the&nbsp;'E'&nbsp;format&nbsp;character
+<BR>&nbsp;&nbsp;-&nbsp;number&nbsp;of&nbsp;mod_qos&nbsp;events&nbsp;within&nbsp;the&nbsp;last&nbsp;minute&nbsp;(qV=create&nbsp;session,
+qv=VIP IP,qS=session pass, qD=access denied, qK=connection closed, qT=dynamic keep-alive, qL=request/response slow down, qs=serialized request, qA=connection abort, qU=new user tracking cookie)
+<A NAME="lbAE">&nbsp;</A>
+<H2>OPTIONS</H2>
+
+<DL COMPACT>
+<DT>-f &lt;format_string&gt; <DD>
+Defines the log data format and the positions of data elements processed by this utility. See to the 'LogFormat' directive of the httpd.conf file to see the format definitions of the servers access log data.
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;qslog&nbsp;knows&nbsp;the&nbsp;following&nbsp;elements:
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;I&nbsp;defines&nbsp;the&nbsp;client&nbsp;ip&nbsp;address&nbsp;(%h)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;R&nbsp;defines&nbsp;the&nbsp;request&nbsp;line&nbsp;(%r)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;S&nbsp;defines&nbsp;HTTP&nbsp;response&nbsp;status&nbsp;code&nbsp;(%s)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;B&nbsp;defines&nbsp;the&nbsp;transferred&nbsp;bytes&nbsp;(%b&nbsp;or&nbsp;%O)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;i&nbsp;defines&nbsp;the&nbsp;received&nbsp;bytes&nbsp;(%I)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;D&nbsp;defines&nbsp;the&nbsp;request&nbsp;duration&nbsp;in&nbsp;microseconds&nbsp;(%D)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;t&nbsp;defines&nbsp;the&nbsp;request&nbsp;duration&nbsp;in&nbsp;milliseconds&nbsp;(may&nbsp;be&nbsp;used&nbsp;instead&nbsp;of&nbsp;D)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;T&nbsp;defines&nbsp;the&nbsp;request&nbsp;duration&nbsp;in&nbsp;seconds&nbsp;(may&nbsp;be&nbsp;used&nbsp;instead&nbsp;of&nbsp;D&nbsp;or&nbsp;t)&nbsp;(%T)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;k&nbsp;defines&nbsp;the&nbsp;number&nbsp;of&nbsp;keepalive&nbsp;requests&nbsp;on&nbsp;the&nbsp;connection&nbsp;(%k)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;U&nbsp;defines&nbsp;the&nbsp;user&nbsp;tracking&nbsp;id&nbsp;(%{mod_qos_user_id}e)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Q&nbsp;defines&nbsp;the&nbsp;mod_qos_ev&nbsp;event&nbsp;message&nbsp;(%{mod_qos_ev}e)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C&nbsp;defines&nbsp;the&nbsp;element&nbsp;for&nbsp;the&nbsp;detailed&nbsp;log&nbsp;(-c&nbsp;option),&nbsp;e.g.&nbsp;&quot;%U&quot;
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;s&nbsp;arbitrary&nbsp;counter&nbsp;to&nbsp;add&nbsp;up&nbsp;(sum&nbsp;within&nbsp;a&nbsp;minute)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;a&nbsp;arbitrary&nbsp;counter&nbsp;to&nbsp;build&nbsp;an&nbsp;average&nbsp;from&nbsp;(average&nbsp;per&nbsp;request)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;A&nbsp;arbitrary&nbsp;counter&nbsp;to&nbsp;build&nbsp;an&nbsp;average&nbsp;from&nbsp;(average&nbsp;per&nbsp;request)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;M&nbsp;arbitrary&nbsp;counter&nbsp;to&nbsp;measure&nbsp;the&nbsp;maximum&nbsp;value&nbsp;reached&nbsp;(peak)
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;E&nbsp;comma&nbsp;separated&nbsp;list&nbsp;of&nbsp;event&nbsp;strings
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;c&nbsp;content&nbsp;type&nbsp;(%{content-type}o),&nbsp;available&nbsp;in&nbsp;-pc&nbsp;mode&nbsp;only
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;m&nbsp;request&nbsp;method&nbsp;(GET/POST)&nbsp;(%m),&nbsp;available&nbsp;in&nbsp;-pc&nbsp;mode&nbsp;only
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.&nbsp;defines&nbsp;an&nbsp;element&nbsp;to&nbsp;ignore&nbsp;(unknown&nbsp;string)
+<P>
+<DT>-o &lt;out_file&gt; <DD>
+Specifies the file to store the output to. stdout is used if this option is not defined.
+<DT>-p <DD>
+Used for post processing when reading the log data from a file (cat/pipe). qslog is started using it's offline mode (extracting the time stamps from the log lines) in order to process existing log files. The option &quot;-pc&quot; may be used alternatively if you want to gather request information per client (identified by IP address (I) or user tracking id (U) showing how many request each client has performed within the captured period of time). &quot;-pc&quot; supports the format characters IURSBTtDkMEcm. The option &quot;-pu&quot; collects statistics on a per URL level (supports format characters RSTtD). &quot;-puc&quot; is very similar to &quot;-pu&quot; but cuts the end (handler) of each URL.
+<DT>-v <DD>
+Verbose mode.
+<DT>-x [&lt;num&gt;] <DD>
+Rotates the output file once a day (move). You may specify the number of rotated files to keep. Default are 14.
+<DT>-u &lt;name&gt; <DD>
+Becomes another user, e.g. www-data.
+<DT>-m <DD>
+Calculates free system memory every minute.
+<DT>-c &lt;path&gt; <DD>
+Enables the collection of log statistics for different request types. 'path' specifies the necessary rule file. Each rule consists of a rule identifier and a regular expression to identify a request seprarated by a colon, e.g., 01:^(/a)|(/c). The regular expressions are matched against the log data element which has been identified by the 'C' format character.
+</DL>
+<A NAME="lbAF">&nbsp;</A>
+<H2>VARIABLES</H2>
+
+The following environment variables are known to qslog:
+<DL COMPACT>
+<DT>QSEVENTPATH=&lt;path&gt; <DD>
+Defines a file containing a comma or new line separated list of known event strings expected within the log filed identified by the 'E' format character.
+<DT>QSCOUNTERPATH=&lt;path&gt; <DD>
+Defines a file containing a by new line separated list of rules which reflect possible QS_ClientEventLimitCount directive settings (for simulation purpose / -pc option). The 'E' format character defines the event string in the log to match (literal string) the 'event1' and 'event2' event names against.
+<P>
+Rule syntax: &lt;name&gt;:&lt;event1&gt;-&lt;n&gt;*&lt;event2&gt;/&lt;duration&gt;=&lt;limit&gt;
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'name'&nbsp;defines&nbsp;the&nbsp;name&nbsp;you&nbsp;have&nbsp;given&nbsp;to&nbsp;the&nbsp;rule&nbsp;entry&nbsp;and&nbsp;is&nbsp;logged&nbsp;along&nbsp;with
+with the number of times the 'limit' has been reached within the 'duration'.
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'event1'&nbsp;defines&nbsp;the&nbsp;variable&nbsp;name&nbsp;(if&nbsp;found&nbsp;in&nbsp;'E')&nbsp;to&nbsp;increment&nbsp;the&nbsp;counter.
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'event2'&nbsp;defines&nbsp;the&nbsp;variable&nbsp;name&nbsp;(if&nbsp;found&nbsp;in&nbsp;'E')&nbsp;to&nbsp;decrement&nbsp;the&nbsp;counter&nbsp;(and
+the parameter 'n' defines by how much).
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'duration'&nbsp;defines&nbsp;the&nbsp;measure&nbsp;interval&nbsp;(in&nbsp;seconds)&nbsp;used&nbsp;for&nbsp;the
+QS_ClientEventLimitCount directive.
+<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'limit'&nbsp;defines&nbsp;the&nbsp;threshold&nbsp;(number)&nbsp;defined&nbsp;for&nbsp;the&nbsp;QS_ClientEventLimitCount
+directive.
+<P>
+Note: If the 'name' parameter is prefixed by 'STATUS', the rule is applied against the HTTP status code 'S' and the 'event1' string shall contain a list of relevant status codes separated by an underscore (while 'event2' is ignored).
+</DL>
+<A NAME="lbAG">&nbsp;</A>
+<H2>EXAMPLE</H2>
+
+Configuration using pipped logging:
+<P>
+<BR>&nbsp;&nbsp;CustomLog&nbsp;&quot;|/usr/bin/qslog&nbsp;-f&nbsp;ISBDQ&nbsp;-x&nbsp;-o&nbsp;/var/log/apache/stat.csv&quot;&nbsp;&quot;%h&nbsp;%&gt;s&nbsp;%b&nbsp;%D&nbsp;%{mod_qos_ev}e&quot;
+<P>
+Post processing:
+<P>
+<BR>&nbsp;&nbsp;LogFormat&nbsp;&quot;%t&nbsp;%h&nbsp;\&quot;%r\&quot;&nbsp;%&gt;s&nbsp;%b&nbsp;\&quot;%{User-Agent}i\&quot;&nbsp;%T&quot;
+<BR>&nbsp;&nbsp;cat&nbsp;access.log&nbsp;|&nbsp;qslog&nbsp;-f&nbsp;..IRSB.T&nbsp;-o&nbsp;stat.csv&nbsp;-p
+<P>
+<A NAME="lbAH">&nbsp;</A>
+<H2>SEE ALSO</H2>
+
+<A HREF="qsdt.1.html">qsdt</A>(1), <A HREF="qsexec.1.html">qsexec</A>(1), <A HREF="qsfilter2.1.html">qsfilter2</A>(1), <A HREF="qsgeo.1.html">qsgeo</A>(1), <A HREF="qsgrep.1.html">qsgrep</A>(1), <A HREF="qshead.1.html">qshead</A>(1), <A HREF="qslogger.1.html">qslogger</A>(1), <A HREF="qspng.1.html">qspng</A>(1), <A HREF="qsre.1.html">qsre</A>(1), <A HREF="qsrespeed.1.html">qsrespeed</A>(1), <A HREF="qsrotate.1.html">qsrotate</A>(1), <A HREF="qssign.1.html">qssign</A>(1), <A HREF="qstail.1.html">qstail</A>(1)
+<A NAME="lbAI">&nbsp;</A>
+<H2>AUTHOR</H2>
+
+Pascal Buchbinder, <A HREF="http://mod-qos.sourceforge.net/">http://mod-qos.sourceforge.net/</A>
+<P>
+
+<HR>
+<A NAME="index">&nbsp;</A><H2>Index</H2>
+<DL>
+<DT><A HREF="#lbAB">NAME</A><DD>
+<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
+<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
+<DT><A HREF="#lbAE">OPTIONS</A><DD>
+<DT><A HREF="#lbAF">VARIABLES</A><DD>
+<DT><A HREF="#lbAG">EXAMPLE</A><DD>
+<DT><A HREF="#lbAH">SEE ALSO</A><DD>
+<DT><A HREF="#lbAI">AUTHOR</A><DD>
+</DL>
+<HR>
+
+</BODY>
+</HTML>