Make squidanalyser able to parse multiple access.log concatenation (timecodes not correctly sorted)

Question

Make squidanalyser able to parse multiple access.log concatenation (timecodes not correctly sorted)

JFRANCOI opened this issue 7 years ago · 2 comments

Hello,

I wish to squidanalyze many squid process through a single squidanalyser report. So I've used rsyslog to concatenate access.log from many squid inside a single file that's used by squidanalyzer.
The problem is squidanalyzer refuses to process because sometimes timecodes are not correclty sorted between both machines and rsyslog concentrator.

Any advise or new feature ?
Regards

Answer 1 · 2018-06-05T20:07:07.000Z

Hi,
I had the same problem with multiple squid instances logging to our syslog-ng server.

My fix is not perfect but get the job done

I use a regex to replace the unix time with the current unix time on syslog-ng

subst("^.{10}..{3}", "${UNIXTIME}.000", value("MESSAGE"));

I don't know if this is possible with rsyslog.

Good luck!

Answer 2 · 2019-04-27T07:49:42.000Z

This feature is now fully implemented in development code, you can give several log files or a single log file without taking care of timestamp ordering. It can also be used with multi-process (with -j option). A new release is coming.