1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of QSLOG</TITLE>
<META name='KeyWords' content='Quality of Service, QoS, Apache Web Server, Web application security, WAF, Open Source Software, Security, Proxy'/>
<META name='author' content='Pascal Buchbinder' />
</HEAD><BODY>
<H1>QSLOG</H1>
Section: qslog man page (1)<BR>Updated: May 2023<BR><A HREF="#index">Index</A>
<A HREF="index.html#utilities">Return to Main Contents</A><HR>
<P>
<A NAME="lbAB"> </A>
<H2>NAME</H2>
qslog - collects request statistics from access log data.
<A NAME="lbAC"> </A>
<H2>SYNOPSIS</H2>
qslog -f <format_string> -o <out_file> [-p[c|u[c]] [-v]] [-x [<num>]] [-u <name>] [-m] [-c <path>]
<A NAME="lbAD"> </A>
<H2>DESCRIPTION</H2>
qslog is a real time access log analyzer. It collects the data from stdin. The output is written to the specified file every minute and includes the following entries:
<BR> - requests per second (r/s)
<BR> - number of requests within measured time (req)
<BR> - bytes sent to the client per second (b/s)
<BR> - bytes received from the client per second (ib/s)
<BR> - response status codes within the last minute (1xx,2xx,3xx,4xx,5xx)
<BR> - average response duration (av)
<BR> - average response duration in milliseconds (avms)
<BR> - distribution of response durations in seconds within the last minute
(<1s,1s,2s,3s,4s,5s,>5s)
<BR> - distribution of response durations faster than a second within the last minute
(0-49ms,50-99ms,100-499ms,500-999ms)
<BR> - number of established (new) connections within the measured time (esco)
<BR> - average system load (sl)
<BR> - free memory (m) (not available for all platforms)
<BR> - number of client ip addresses seen withn the last 600 seconds (ip)
<BR> - number of different users seen withn the last 600 seconds (usr)
<BR> - number of events identified by the 'E' format character
<BR> - number of mod_qos events within the last minute (qV=create session,
qv=VIP IP,qS=session pass, qD=access denied, qK=connection closed, qT=dynamic keep-alive, qL=request/response slow down, qs=serialized request, qA=connection abort, qU=new user tracking cookie)
<A NAME="lbAE"> </A>
<H2>OPTIONS</H2>
<DL COMPACT>
<DT>-f <format_string> <DD>
Defines the log data format and the positions of data elements processed by this utility. See to the 'LogFormat' directive of the httpd.conf file to see the format definitions of the servers access log data.
<BR> qslog knows the following elements:
<BR> I defines the client ip address (%h)
<BR> R defines the request line (%r)
<BR> S defines HTTP response status code (%s)
<BR> B defines the transferred bytes (%b or %O)
<BR> i defines the received bytes (%I)
<BR> D defines the request duration in microseconds (%D)
<BR> t defines the request duration in milliseconds (may be used instead of D)
<BR> T defines the request duration in seconds (may be used instead of D or t) (%T)
<BR> k defines the number of keepalive requests on the connection (%k)
<BR> U defines the user tracking id (%{mod_qos_user_id}e)
<BR> Q defines the mod_qos_ev event message (%{mod_qos_ev}e)
<BR> C defines the element for the detailed log (-c option), e.g. "%U"
<BR> s arbitrary counter to add up (sum within a minute)
<BR> a arbitrary counter to build an average from (average per request)
<BR> A arbitrary counter to build an average from (average per request)
<BR> M arbitrary counter to measure the maximum value reached (peak)
<BR> E comma separated list of event strings
<BR> c content type (%{content-type}o), available in -pc mode only
<BR> m request method (GET/POST) (%m), available in -pc mode only
<BR> . defines an element to ignore (unknown string)
<P>
<DT>-o <out_file> <DD>
Specifies the file to store the output to. stdout is used if this option is not defined.
<DT>-p <DD>
Used for post processing when reading the log data from a file (cat/pipe). qslog is started using it's offline mode (extracting the time stamps from the log lines) in order to process existing log files. The option "-pc" may be used alternatively if you want to gather request information per client (identified by IP address (I) or user tracking id (U) showing how many request each client has performed within the captured period of time). "-pc" supports the format characters IURSBTtDkMEcm. The option "-pu" collects statistics on a per URL level (supports format characters RSTtD). "-puc" is very similar to "-pu" but cuts the end (handler) of each URL.
<DT>-v <DD>
Verbose mode.
<DT>-x [<num>] <DD>
Rotates the output file once a day (move). You may specify the number of rotated files to keep. Default are 14.
<DT>-u <name> <DD>
Becomes another user, e.g. www-data.
<DT>-m <DD>
Calculates free system memory every minute.
<DT>-c <path> <DD>
Enables the collection of log statistics for different request types. 'path' specifies the necessary rule file. Each rule consists of a rule identifier and a regular expression to identify a request seprarated by a colon, e.g., 01:^(/a)|(/c). The regular expressions are matched against the log data element which has been identified by the 'C' format character.
</DL>
<A NAME="lbAF"> </A>
<H2>VARIABLES</H2>
The following environment variables are known to qslog:
<DL COMPACT>
<DT>QSEVENTPATH=<path> <DD>
Defines a file containing a comma or new line separated list of known event strings expected within the log filed identified by the 'E' format character.
<DT>QSCOUNTERPATH=<path> <DD>
Defines a file containing a by new line separated list of rules which reflect possible QS_ClientEventLimitCount directive settings (for simulation purpose / -pc option). The 'E' format character defines the event string in the log to match (literal string) the 'event1' and 'event2' event names against.
<P>
Rule syntax: <name>:<event1>-<n>*<event2>/<duration>=<limit>
<BR> 'name' defines the name you have given to the rule entry and is logged along with
with the number of times the 'limit' has been reached within the 'duration'.
<BR> 'event1' defines the variable name (if found in 'E') to increment the counter.
<BR> 'event2' defines the variable name (if found in 'E') to decrement the counter (and
the parameter 'n' defines by how much).
<BR> 'duration' defines the measure interval (in seconds) used for the
QS_ClientEventLimitCount directive.
<BR> 'limit' defines the threshold (number) defined for the QS_ClientEventLimitCount
directive.
<P>
Note: If the 'name' parameter is prefixed by 'STATUS', the rule is applied against the HTTP status code 'S' and the 'event1' string shall contain a list of relevant status codes separated by an underscore (while 'event2' is ignored).
</DL>
<A NAME="lbAG"> </A>
<H2>EXAMPLE</H2>
Configuration using pipped logging:
<P>
<BR> CustomLog "|/usr/bin/qslog -f ISBDQ -x -o /var/log/apache/stat.csv" "%h %>s %b %D %{mod_qos_ev}e"
<P>
Post processing:
<P>
<BR> LogFormat "%t %h \"%r\" %>s %b \"%{User-Agent}i\" %T"
<BR> cat access.log | qslog -f ..IRSB.T -o stat.csv -p
<P>
<A NAME="lbAH"> </A>
<H2>SEE ALSO</H2>
<A HREF="qsdt.1.html">qsdt</A>(1), <A HREF="qsexec.1.html">qsexec</A>(1), <A HREF="qsfilter2.1.html">qsfilter2</A>(1), <A HREF="qsgeo.1.html">qsgeo</A>(1), <A HREF="qsgrep.1.html">qsgrep</A>(1), <A HREF="qshead.1.html">qshead</A>(1), <A HREF="qslogger.1.html">qslogger</A>(1), <A HREF="qspng.1.html">qspng</A>(1), <A HREF="qsre.1.html">qsre</A>(1), <A HREF="qsrespeed.1.html">qsrespeed</A>(1), <A HREF="qsrotate.1.html">qsrotate</A>(1), <A HREF="qssign.1.html">qssign</A>(1), <A HREF="qstail.1.html">qstail</A>(1)
<A NAME="lbAI"> </A>
<H2>AUTHOR</H2>
Pascal Buchbinder, <A HREF="http://mod-qos.sourceforge.net/">http://mod-qos.sourceforge.net/</A>
<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
<DT><A HREF="#lbAF">VARIABLES</A><DD>
<DT><A HREF="#lbAG">EXAMPLE</A><DD>
<DT><A HREF="#lbAH">SEE ALSO</A><DD>
<DT><A HREF="#lbAI">AUTHOR</A><DD>
</DL>
<HR>
</BODY>
</HTML>
|
