8.2. Log formats

  1. HAProxy supports 5 log formats. Several fields are common between these formats
  2. and will be detailed in the following sections. A few of them may vary
  3. slightly with the configuration, due to indicators specific to certain
  4. options. The supported formats are as follows :
  5.  
  6.   - the default format, which is very basic and very rarely used. It only
  7.     provides very basic information about the incoming connection at the moment
  8.     it is accepted : source IP:port, destination IP:port, and frontend-name.
  9.     This mode will eventually disappear so it will not be described to great
  10.     extents.
  11.  
  12.   - the TCP format, which is more advanced. This format is enabled when "option
  13.     tcplog" is set on the frontend. HAProxy will then usually wait for the
  14.     connection to terminate before logging. This format provides much richer
  15.     information, such as timers, connection counts, queue size, etc... This
  16.     format is recommended for pure TCP proxies.
  17.  
  18.   - the HTTP format, which is the most advanced for HTTP proxying. This format
  19.     is enabled when "option httplog" is set on the frontend. It provides the
  20.     same information as the TCP format with some HTTP-specific fields such as
  21.     the request, the status code, and captures of headers and cookies. This
  22.     format is recommended for HTTP proxies.
  23.  
  24.   - the CLF HTTP format, which is equivalent to the HTTP format, but with the
  25.     fields arranged in the same order as the CLF format. In this mode, all
  26.     timers, captures, flags, etc... appear one per field after the end of the
  27.     common fields, in the same order they appear in the standard HTTP format.
  28.  
  29.   - the custom log format, allows you to make your own log line.
  30.  
  31. Next sections will go deeper into details for each of these formats. Format
  32. specification will be performed on a "field" basis. Unless stated otherwise, a
  33. field is a portion of text delimited by any number of spaces. Since syslog
  34. servers are susceptible of inserting fields at the beginning of a line, it is
  35. always assumed that the first field is the one containing the process name and
  36. identifier.
  37.  
  38. Note : Since log lines may be quite long, the log examples in sections below
  39.        might be broken into multiple lines. The example log lines will be
  40.        prefixed with 3 closing angle brackets ('>>>') and each time a log is
  41.        broken into multiple lines, each non-final line will end with a
  42.        backslash ('\') and the next line will start indented by two characters.

8.2.1. Default log format

  1. This format is used when no specific option is set. The log is emitted as soon
  2. as the connection is accepted. One should note that this currently is the only
  3. format which logs the request's destination IP and ports.

Example :

  1.     listen www
  2.         mode http
  3.         log global
  4.         server srv1 127.0.0.1:8000
  6. >>> Feb  6 12:12:09 localhost \
  7.       haproxy[14385]: Connect from 10.0.1.2:33312 to 10.0.3.31:8012 \
  8.       (www/HTTP)
  1.   Field   Format                                Extract from the example above
  2.       1   process_name '[' pid ']:'                            haproxy[14385]:
  3.       2   'Connect from'                                          Connect from
  4.       3   source_ip ':' source_port                             10.0.1.2:33312
  5.       4   'to'                                                              to
  6.       5   destination_ip ':' destination_port                   10.0.3.31:8012
  7.       6   '(' frontend_name '/' mode ')'                            (www/HTTP)
  8.  
  9. Detailed fields description :
  10.   - "source_ip" is the IP address of the client which initiated the connection.
  11.   - "source_port" is the TCP port of the client which initiated the connection.
  12.   - "destination_ip" is the IP address the client connected to.
  13.   - "destination_port" is the TCP port the client connected to.
  14.   - "frontend_name" is the name of the frontend (or listener) which received
  15.     and processed the connection.
  16.   - "mode is the mode the frontend is operating (TCP or HTTP).
  17.  
  18. In case of a UNIX socket, the source and destination addresses are marked as
  19. "unix:" and the ports reflect the internal ID of the socket which accepted the
  20. connection (the same ID as reported in the stats).
  21.  
  22. It is advised not to use this deprecated format for newer installations as it
  23. will eventually disappear.

8.2.2. TCP log format

  1. The TCP format is used when "option tcplog" is specified in the frontend, and
  2. is the recommended format for pure TCP proxies. It provides a lot of precious
  3. information for troubleshooting. Since this format includes timers and byte
  4. counts, the log is normally emitted at the end of the session. It can be
  5. emitted earlier if "option logasap" is specified, which makes sense in most
  6. environments with long sessions such as remote terminals. Sessions which match
  7. the "monitor" rules are never logged. It is also possible not to emit logs for
  8. sessions for which no data were exchanged between the client and the server, by
  9. specifying "option dontlognull" in the frontend. Successful connections will
  10. not be logged if "option dontlog-normal" is specified in the frontend. A few
  11. fields may slightly vary depending on some configuration options, those are
  12. marked with a star ('*') after the field name below.

Example :

  1.     frontend fnt
  2.         mode tcp
  3.         option tcplog
  4.         log global
  5.         default_backend bck
  7.     backend bck
  8.         server srv1 127.0.0.1:8000
  10. >>> Feb  6 12:12:56 localhost \
  11.       haproxy[14387]: 10.0.1.2:33313 [06/Feb/2009:12:12:51.443] fnt \
  12.       bck/srv1 0/0/5007 212 -- 0/0/0/0/3 0/0
  1.   Field   Format                                Extract from the example above
  2.       1   process_name '[' pid ']:'                            haproxy[14387]:
  3.       2   client_ip ':' client_port                             10.0.1.2:33313
  4.       3   '[' accept_date ']'                       [06/Feb/2009:12:12:51.443]
  5.       4   frontend_name                                                    fnt
  6.       5   backend_name '/' server_name                                bck/srv1
  7.       6   Tw '/' Tc '/' Tt*                                           0/0/5007
  8.       7   bytes_read*                                                      212
  9.       8   termination_state                                                 --
  10.       9   actconn '/' feconn '/' beconn '/' srv_conn '/' retries*    0/0/0/0/3
  11.      10   srv_queue '/' backend_queue                                      0/0
  12.  
  13. Detailed fields description :
  14.   - "client_ip" is the IP address of the client which initiated the TCP
  15.     connection to haproxy. If the connection was accepted on a UNIX socket
  16.     instead, the IP address would be replaced with the word "unix". Note that
  17.     when the connection is accepted on a socket configured with "accept-proxy"
  18.     and the PROXY protocol is correctly used, or with a "accept-netscaler-cip"
  19.     and the NetScaler Client IP insertion protocol is correctly used, then the
  20.     logs will reflect the forwarded connection's information.
  21.  
  22.   - "client_port" is the TCP port of the client which initiated the connection.
  23.     If the connection was accepted on a UNIX socket instead, the port would be
  24.     replaced with the ID of the accepting socket, which is also reported in the
  25.     stats interface.
  26.  
  27.   - "accept_date" is the exact date when the connection was received by haproxy
  28.     (which might be very slightly different from the date observed on the
  29.     network if there was some queuing in the system's backlog). This is usually
  30.     the same date which may appear in any upstream firewall's log. When used in
  31.     HTTP mode, the accept_date field will be reset to the first moment the
  32.     connection is ready to receive a new request (end of previous response for
  33.     HTTP/1, immediately after previous request for HTTP/2).
  34.  
  35.   - "frontend_name" is the name of the frontend (or listener) which received
  36.     and processed the connection.
  37.  
  38.   - "backend_name" is the name of the backend (or listener) which was selected
  39.     to manage the connection to the server. This will be the same as the
  40.     frontend if no switching rule has been applied, which is common for TCP
  41.     applications.
  42.  
  43.   - "server_name" is the name of the last server to which the connection was
  44.     sent, which might differ from the first one if there were connection errors
  45.     and a redispatch occurred. Note that this server belongs to the backend
  46.     which processed the request. If the connection was aborted before reaching
  47.     a server, "<NOSRV>" is indicated instead of a server name.
  48.  
  49.   - "Tw" is the total time in milliseconds spent waiting in the various queues.
  50.     It can be "-1" if the connection was aborted before reaching the queue.
  51.     See "Timers" below for more details.
  52.  
  53.   - "Tc" is the total time in milliseconds spent waiting for the connection to
  54.     establish to the final server, including retries. It can be "-1" if the
  55.     connection was aborted before a connection could be established. See
  56.     "Timers" below for more details.
  57.  
  58.   - "Tt" is the total time in milliseconds elapsed between the accept and the
  59.     last close. It covers all possible processing. There is one exception, if
  60.     "option logasap" was specified, then the time counting stops at the moment
  61.     the log is emitted. In this case, a '+' sign is prepended before the value,
  62.     indicating that the final one will be larger. See "Timers" below for more
  63.     details.
  64.  
  65.   - "bytes_read" is the total number of bytes transmitted from the server to
  66.     the client when the log is emitted. If "option logasap" is specified, the
  67.     this value will be prefixed with a '+' sign indicating that the final one
  68.     may be larger. Please note that this value is a 64-bit counter, so log
  69.     analysis tools must be able to handle it without overflowing.
  70.  
  71.   - "termination_state" is the condition the session was in when the session
  72.     ended. This indicates the session state, which side caused the end of
  73.     session to happen, and for what reason (timeout, error, ...). The normal
  74.     flags should be "--", indicating the session was closed by either end with
  75.     no data remaining in buffers. See below "Session state at disconnection"
  76.     for more details.
  77.  
  78.   - "actconn" is the total number of concurrent connections on the process when
  79.     the session was logged. It is useful to detect when some per-process system
  80.     limits have been reached. For instance, if actconn is close to 512 when
  81.     multiple connection errors occur, chances are high that the system limits
  82.     the process to use a maximum of 1024 file descriptors and that all of them
  83.     are used. See section 3 "Global parameters" to find how to tune the system.
  84.  
  85.   - "feconn" is the total number of concurrent connections on the frontend when
  86.     the session was logged. It is useful to estimate the amount of resource
  87.     required to sustain high loads, and to detect when the frontend's "maxconn"
  88.     has been reached. Most often when this value increases by huge jumps, it is
  89.     because there is congestion on the backend servers, but sometimes it can be
  90.     caused by a denial of service attack.
  91.  
  92.   - "beconn" is the total number of concurrent connections handled by the
  93.     backend when the session was logged. It includes the total number of
  94.     concurrent connections active on servers as well as the number of
  95.     connections pending in queues. It is useful to estimate the amount of
  96.     additional servers needed to support high loads for a given application.
  97.     Most often when this value increases by huge jumps, it is because there is
  98.     congestion on the backend servers, but sometimes it can be caused by a
  99.     denial of service attack.
  100.  
  101.   - "srv_conn" is the total number of concurrent connections still active on
  102.     the server when the session was logged. It can never exceed the server's
  103.     configured "maxconn" parameter. If this value is very often close or equal
  104.     to the server's "maxconn", it means that traffic regulation is involved a
  105.     lot, meaning that either the server's maxconn value is too low, or that
  106.     there aren't enough servers to process the load with an optimal response
  107.     time. When only one of the server's "srv_conn" is high, it usually means
  108.     that this server has some trouble causing the connections to take longer to
  109.     be processed than on other servers.
  110.  
  111.   - "retries" is the number of connection retries experienced by this session
  112.     when trying to connect to the server. It must normally be zero, unless a
  113.     server is being stopped at the same moment the connection was attempted.
  114.     Frequent retries generally indicate either a network problem between
  115.     haproxy and the server, or a misconfigured system backlog on the server
  116.     preventing new connections from being queued. This field may optionally be
  117.     prefixed with a '+' sign, indicating that the session has experienced a
  118.     redispatch after the maximal retry count has been reached on the initial
  119.     server. In this case, the server name appearing in the log is the one the
  120.     connection was redispatched to, and not the first one, though both may
  121.     sometimes be the same in case of hashing for instance. So as a general rule
  122.     of thumb, when a '+' is present in front of the retry count, this count
  123.     should not be attributed to the logged server.
  124.  
  125.   - "srv_queue" is the total number of requests which were processed before
  126.     this one in the server queue. It is zero when the request has not gone
  127.     through the server queue. It makes it possible to estimate the approximate
  128.     server's response time by dividing the time spent in queue by the number of
  129.     requests in the queue. It is worth noting that if a session experiences a
  130.     redispatch and passes through two server queues, their positions will be
  131.     cumulative. A request should not pass through both the server queue and the
  132.     backend queue unless a redispatch occurs.
  133.  
  134.   - "backend_queue" is the total number of requests which were processed before
  135.     this one in the backend's global queue. It is zero when the request has not
  136.     gone through the global queue. It makes it possible to estimate the average
  137.     queue length, which easily translates into a number of missing servers when
  138.     divided by a server's "maxconn" parameter. It is worth noting that if a
  139.     session experiences a redispatch, it may pass twice in the backend's queue,
  140.     and then both positions will be cumulative. A request should not pass
  141.     through both the server queue and the backend queue unless a redispatch
  142.     occurs.

8.2.3. HTTP log format

  1. The HTTP format is the most complete and the best suited for HTTP proxies. It
  2. is enabled by when "option httplog" is specified in the frontend. It provides
  3. the same level of information as the TCP format with additional features which
  4. are specific to the HTTP protocol. Just like the TCP format, the log is usually
  5. emitted at the end of the session, unless "option logasap" is specified, which
  6. generally only makes sense for download sites. A session which matches the
  7. "monitor" rules will never logged. It is also possible not to log sessions for
  8. which no data were sent by the client by specifying "option dontlognull" in the
  9. frontend. Successful connections will not be logged if "option dontlog-normal"
  10. is specified in the frontend.
  11.  
  12. Most fields are shared with the TCP log, some being different. A few fields may
  13. slightly vary depending on some configuration options. Those ones are marked
  14. with a star ('*') after the field name below.

Example :

  1.     frontend http-in
  2.         mode http
  3.         option httplog
  4.         log global
  5.         default_backend bck
  7.     backend static
  8.         server srv1 127.0.0.1:8000
  10. >>> Feb  6 12:14:14 localhost \
  11.       haproxy[14389]: 10.0.1.2:33317 [06/Feb/2009:12:14:14.655] http-in \
  12.       static/srv1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 {1wt.eu} \
  13.       {} "GET /index.html HTTP/1.1"
  1.   Field   Format                                Extract from the example above
  2.       1   process_name '[' pid ']:'                            haproxy[14389]:
  3.       2   client_ip ':' client_port                             10.0.1.2:33317
  4.       3   '[' request_date ']'                      [06/Feb/2009:12:14:14.655]
  5.       4   frontend_name                                                http-in
  6.       5   backend_name '/' server_name                             static/srv1
  7.       6   TR '/' Tw '/' Tc '/' Tr '/' Ta*                       10/0/30/69/109
  8.       7   status_code                                                      200
  9.       8   bytes_read*                                                     2750
  10.       9   captured_request_cookie                                            -
  11.      10   captured_response_cookie                                           -
  12.      11   termination_state                                               ----
  13.      12   actconn '/' feconn '/' beconn '/' srv_conn '/' retries*    1/1/1/1/0
  14.      13   srv_queue '/' backend_queue                                      0/0
  15.      14   '{' captured_request_headers* '}'                   {haproxy.1wt.eu}
  16.      15   '{' captured_response_headers* '}'                                {}
  17.      16   '"' http_request '"'                      "GET /index.html HTTP/1.1"
  18.  
  19. Detailed fields description :
  20.   - "client_ip" is the IP address of the client which initiated the TCP
  21.     connection to haproxy. If the connection was accepted on a UNIX socket
  22.     instead, the IP address would be replaced with the word "unix". Note that
  23.     when the connection is accepted on a socket configured with "accept-proxy"
  24.     and the PROXY protocol is correctly used, or with a "accept-netscaler-cip"
  25.     and the NetScaler Client IP insertion protocol is correctly used, then the
  26.     logs will reflect the forwarded connection's information.
  27.  
  28.   - "client_port" is the TCP port of the client which initiated the connection.
  29.     If the connection was accepted on a UNIX socket instead, the port would be
  30.     replaced with the ID of the accepting socket, which is also reported in the
  31.     stats interface.
  32.  
  33.   - "request_date" is the exact date when the first byte of the HTTP request
  34.     was received by haproxy (log field %tr).
  35.  
  36.   - "frontend_name" is the name of the frontend (or listener) which received
  37.     and processed the connection.
  38.  
  39.   - "backend_name" is the name of the backend (or listener) which was selected
  40.     to manage the connection to the server. This will be the same as the
  41.     frontend if no switching rule has been applied.
  42.  
  43.   - "server_name" is the name of the last server to which the connection was
  44.     sent, which might differ from the first one if there were connection errors
  45.     and a redispatch occurred. Note that this server belongs to the backend
  46.     which processed the request. If the request was aborted before reaching a
  47.     server, "<NOSRV>" is indicated instead of a server name. If the request was
  48.     intercepted by the stats subsystem, "<STATS>" is indicated instead.
  49.  
  50.   - "TR" is the total time in milliseconds spent waiting for a full HTTP
  51.     request from the client (not counting body) after the first byte was
  52.     received. It can be "-1" if the connection was aborted before a complete
  53.     request could be received or a bad request was received. It should
  54.     always be very small because a request generally fits in one single packet.
  55.     Large times here generally indicate network issues between the client and
  56.     haproxy or requests being typed by hand. See section 8.4 "Timing Events"
  57.     for more details.
  58.  
  59.   - "Tw" is the total time in milliseconds spent waiting in the various queues.
  60.     It can be "-1" if the connection was aborted before reaching the queue.
  61.     See section 8.4 "Timing Events" for more details.
  62.  
  63.   - "Tc" is the total time in milliseconds spent waiting for the connection to
  64.     establish to the final server, including retries. It can be "-1" if the
  65.     request was aborted before a connection could be established. See section
  66.     8.4 "Timing Events" for more details.
  67.  
  68.   - "Tr" is the total time in milliseconds spent waiting for the server to send
  69.     a full HTTP response, not counting data. It can be "-1" if the request was
  70.     aborted before a complete response could be received. It generally matches
  71.     the server's processing time for the request, though it may be altered by
  72.     the amount of data sent by the client to the server. Large times here on
  73.     "GET" requests generally indicate an overloaded server. See section 8.4
  74.     "Timing Events" for more details.
  75.  
  76.   - "Ta" is the time the request remained active in haproxy, which is the total
  77.     time in milliseconds elapsed between the first byte of the request was
  78.     received and the last byte of response was sent. It covers all possible
  79.     processing except the handshake (see Th) and idle time (see Ti). There is
  80.     one exception, if "option logasap" was specified, then the time counting
  81.     stops at the moment the log is emitted. In this case, a '+' sign is
  82.     prepended before the value, indicating that the final one will be larger.
  83.     See section 8.4 "Timing Events" for more details.
  84.  
  85.   - "status_code" is the HTTP status code returned to the client. This status
  86.     is generally set by the server, but it might also be set by haproxy when
  87.     the server cannot be reached or when its response is blocked by haproxy.
  88.  
  89.   - "bytes_read" is the total number of bytes transmitted to the client when
  90.     the log is emitted. This does include HTTP headers. If "option logasap" is
  91.     specified, this value will be prefixed with a '+' sign indicating that
  92.     the final one may be larger. Please note that this value is a 64-bit
  93.     counter, so log analysis tools must be able to handle it without
  94.     overflowing.
  95.  
  96.   - "captured_request_cookie" is an optional "name=value" entry indicating that
  97.     the client had this cookie in the request. The cookie name and its maximum
  98.     length are defined by the "capture cookie" statement in the frontend
  99.     configuration. The field is a single dash ('-') when the option is not
  100.     set. Only one cookie may be captured, it is generally used to track session
  101.     ID exchanges between a client and a server to detect session crossing
  102.     between clients due to application bugs. For more details, please consult
  103.     the section "Capturing HTTP headers and cookies" below.
  104.  
  105.   - "captured_response_cookie" is an optional "name=value" entry indicating
  106.     that the server has returned a cookie with its response. The cookie name
  107.     and its maximum length are defined by the "capture cookie" statement in the
  108.     frontend configuration. The field is a single dash ('-') when the option is
  109.     not set. Only one cookie may be captured, it is generally used to track
  110.     session ID exchanges between a client and a server to detect session
  111.     crossing between clients due to application bugs. For more details, please
  112.     consult the section "Capturing HTTP headers and cookies" below.
  113.  
  114.   - "termination_state" is the condition the session was in when the session
  115.     ended. This indicates the session state, which side caused the end of
  116.     session to happen, for what reason (timeout, error, ...), just like in TCP
  117.     logs, and information about persistence operations on cookies in the last
  118.     two characters. The normal flags should begin with "--", indicating the
  119.     session was closed by either end with no data remaining in buffers. See
  120.     below "Session state at disconnection" for more details.
  121.  
  122.   - "actconn" is the total number of concurrent connections on the process when
  123.     the session was logged. It is useful to detect when some per-process system
  124.     limits have been reached. For instance, if actconn is close to 512 or 1024
  125.     when multiple connection errors occur, chances are high that the system
  126.     limits the process to use a maximum of 1024 file descriptors and that all
  127.     of them are used. See section 3 "Global parameters" to find how to tune the
  128.     system.
  129.  
  130.   - "feconn" is the total number of concurrent connections on the frontend when
  131.     the session was logged. It is useful to estimate the amount of resource
  132.     required to sustain high loads, and to detect when the frontend's "maxconn"
  133.     has been reached. Most often when this value increases by huge jumps, it is
  134.     because there is congestion on the backend servers, but sometimes it can be
  135.     caused by a denial of service attack.
  136.  
  137.   - "beconn" is the total number of concurrent connections handled by the
  138.     backend when the session was logged. It includes the total number of
  139.     concurrent connections active on servers as well as the number of
  140.     connections pending in queues. It is useful to estimate the amount of
  141.     additional servers needed to support high loads for a given application.
  142.     Most often when this value increases by huge jumps, it is because there is
  143.     congestion on the backend servers, but sometimes it can be caused by a
  144.     denial of service attack.
  145.  
  146.   - "srv_conn" is the total number of concurrent connections still active on
  147.     the server when the session was logged. It can never exceed the server's
  148.     configured "maxconn" parameter. If this value is very often close or equal
  149.     to the server's "maxconn", it means that traffic regulation is involved a
  150.     lot, meaning that either the server's maxconn value is too low, or that
  151.     there aren't enough servers to process the load with an optimal response
  152.     time. When only one of the server's "srv_conn" is high, it usually means
  153.     that this server has some trouble causing the requests to take longer to be
  154.     processed than on other servers.
  155.  
  156.   - "retries" is the number of connection retries experienced by this session
  157.     when trying to connect to the server. It must normally be zero, unless a
  158.     server is being stopped at the same moment the connection was attempted.
  159.     Frequent retries generally indicate either a network problem between
  160.     haproxy and the server, or a misconfigured system backlog on the server
  161.     preventing new connections from being queued. This field may optionally be
  162.     prefixed with a '+' sign, indicating that the session has experienced a
  163.     redispatch after the maximal retry count has been reached on the initial
  164.     server. In this case, the server name appearing in the log is the one the
  165.     connection was redispatched to, and not the first one, though both may
  166.     sometimes be the same in case of hashing for instance. So as a general rule
  167.     of thumb, when a '+' is present in front of the retry count, this count
  168.     should not be attributed to the logged server.
  169.  
  170.   - "srv_queue" is the total number of requests which were processed before
  171.     this one in the server queue. It is zero when the request has not gone
  172.     through the server queue. It makes it possible to estimate the approximate
  173.     server's response time by dividing the time spent in queue by the number of
  174.     requests in the queue. It is worth noting that if a session experiences a
  175.     redispatch and passes through two server queues, their positions will be
  176.     cumulative. A request should not pass through both the server queue and the
  177.     backend queue unless a redispatch occurs.
  178.  
  179.   - "backend_queue" is the total number of requests which were processed before
  180.     this one in the backend's global queue. It is zero when the request has not
  181.     gone through the global queue. It makes it possible to estimate the average
  182.     queue length, which easily translates into a number of missing servers when
  183.     divided by a server's "maxconn" parameter. It is worth noting that if a
  184.     session experiences a redispatch, it may pass twice in the backend's queue,
  185.     and then both positions will be cumulative. A request should not pass
  186.     through both the server queue and the backend queue unless a redispatch
  187.     occurs.
  188.  
  189.   - "captured_request_headers" is a list of headers captured in the request due
  190.     to the presence of the "capture request header" statement in the frontend.
  191.     Multiple headers can be captured, they will be delimited by a vertical bar
  192.     ('|'). When no capture is enabled, the braces do not appear, causing a
  193.     shift of remaining fields. It is important to note that this field may
  194.     contain spaces, and that using it requires a smarter log parser than when
  195.     it's not used. Please consult the section "Capturing HTTP headers and
  196.     cookies" below for more details.
  197.  
  198.   - "captured_response_headers" is a list of headers captured in the response
  199.     due to the presence of the "capture response header" statement in the
  200.     frontend. Multiple headers can be captured, they will be delimited by a
  201.     vertical bar ('|'). When no capture is enabled, the braces do not appear,
  202.     causing a shift of remaining fields. It is important to note that this
  203.     field may contain spaces, and that using it requires a smarter log parser
  204.     than when it's not used. Please consult the section "Capturing HTTP headers
  205.     and cookies" below for more details.
  206.  
  207.   - "http_request" is the complete HTTP request line, including the method,
  208.     request and HTTP version string. Non-printable characters are encoded (see
  209.     below the section "Non-printable characters"). This is always the last
  210.     field, and it is always delimited by quotes and is the only one which can
  211.     contain quotes. If new fields are added to the log format, they will be
  212.     added before this field. This field might be truncated if the request is
  213.     huge and does not fit in the standard syslog buffer (1024 characters). This
  214.     is the reason why this field must always remain the last one.

8.2.4. Custom log format

  1. The directive log-format allows you to customize the logs in http mode and tcp
  2. mode. It takes a string as argument.
  3.  
  4. HAProxy understands some log format variables. % precedes log format variables.
  5. Variables can take arguments using braces ('{}'), and multiple arguments are
  6. separated by commas within the braces. Flags may be added or removed by
  7. prefixing them with a '+' or '-' sign.
  8.  
  9. Special variable "%o" may be used to propagate its flags to all other
  10. variables on the same format string. This is particularly handy with quoted
  11. ("Q") and escaped ("E") string formats.
  12.  
  13. If a variable is named between square brackets ('[' .. ']') then it is used
  14. as a sample expression rule (see section 7.3). This it useful to add some
  15. less common information such as the client's SSL certificate's DN, or to log
  16. the key that would be used to store an entry into a stick table.
  17.  
  18. Note: spaces must be escaped. A space character is considered as a separator.
  19. In order to emit a verbatim '%', it must be preceded by another '%' resulting
  20. in '%%'. HAProxy will automatically merge consecutive separators.
  21.  
  22. Note: when using the RFC5424 syslog message format, the characters '"',
  23. '\' and ']' inside PARAM-VALUE should be escaped with '\' as prefix (see
  24. https://tools.ietf.org/html/rfc5424#section-6.3.3 for more details). In
  25. such cases, the use of the flag "E" should be considered.
  26.  
  27. Flags are :
  28.   * Q: quote a string
  29.   * X: hexadecimal representation (IPs, Ports, %Ts, %rt, %pid)
  30.   * E: escape characters '"', '\' and ']' in a string with '\' as prefix
  31.        (intended purpose is for the RFC5424 structured-data log formats)

Example:

  1. log-format %T\ %t\ Some\ Text
  2. log-format %{+Q}o\ %t\ %s\ %{-Q}r
  4. log-format-sd %{+Q,+E}o\ [exampleSDID@1234\ header=%[capture.req.hdr(0)]]
  1. At the moment, the default HTTP format is defined this way :
  2.  
  3.     log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \
  4.                 %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
  5.  
  6. the default CLF format is defined this way :
  7.  
  8.     log-format "%{+Q}o %{-Q}ci - - [%trg] %r %ST %B \"\" \"\" %cp \
  9.                 %ms %ft %b %s %TR %Tw %Tc %Tr %Ta %tsc %ac %fc \
  10.                 %bc %sc %rc %sq %bq %CC %CS %hrl %hsl"
  11.  
  12. and the default TCP format is defined this way :
  13.  
  14.     log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts \
  15.                 %ac/%fc/%bc/%sc/%rc %sq/%bq"
  16.  
  17. Please refer to the table below for currently defined variables :
  18.  
  19.   +---+------+-----------------------------------------------+-------------+
  20.   | R | var  | field name (8.2.2 and 8.2.3 for description)  | type        |
  21.   +---+------+-----------------------------------------------+-------------+
  22.   |   | %o   | special variable, apply flags on all next var |             |
  23.   +---+------+-----------------------------------------------+-------------+
  24.   |   | %B   | bytes_read           (from server to client)  | numeric     |
  25.   | H | %CC  | captured_request_cookie                       | string      |
  26.   | H | %CS  | captured_response_cookie                      | string      |
  27.   |   | %H   | hostname                                      | string      |
  28.   | H | %HM  | HTTP method (ex: POST)                        | string      |
  29.   | H | %HP  | HTTP request URI without query string (path)  | string      |
  30.   | H | %HQ  | HTTP request URI query string (ex: ?bar=baz)  | string      |
  31.   | H | %HU  | HTTP request URI (ex: /foo?bar=baz)           | string      |
  32.   | H | %HV  | HTTP version (ex: HTTP/1.0)                   | string      |
  33.   |   | %ID  | unique-id                                     | string      |
  34.   |   | %ST  | status_code                                   | numeric     |
  35.   |   | %T   | gmt_date_time                                 | date        |
  36.   |   | %Ta  | Active time of the request (from TR to end)   | numeric     |
  37.   |   | %Tc  | Tc                                            | numeric     |
  38.   |   | %Td  | Td = Tt - (Tq + Tw + Tc + Tr)                 | numeric     |
  39.   |   | %Tl  | local_date_time                               | date        |
  40.   |   | %Th  | connection handshake time (SSL, PROXY proto)  | numeric     |
  41.   | H | %Ti  | idle time before the HTTP request             | numeric     |
  42.   | H | %Tq  | Th + Ti + TR                                  | numeric     |
  43.   | H | %TR  | time to receive the full request from 1st byte| numeric     |
  44.   | H | %Tr  | Tr (response time)                            | numeric     |
  45.   |   | %Ts  | timestamp                                     | numeric     |
  46.   |   | %Tt  | Tt                                            | numeric     |
  47.   |   | %Tw  | Tw                                            | numeric     |
  48.   |   | %U   | bytes_uploaded       (from client to server)  | numeric     |
  49.   |   | %ac  | actconn                                       | numeric     |
  50.   |   | %b   | backend_name                                  | string      |
  51.   |   | %bc  | beconn      (backend concurrent connections)  | numeric     |
  52.   |   | %bi  | backend_source_ip       (connecting address)  | IP          |
  53.   |   | %bp  | backend_source_port     (connecting address)  | numeric     |
  54.   |   | %bq  | backend_queue                                 | numeric     |
  55.   |   | %ci  | client_ip                 (accepted address)  | IP          |
  56.   |   | %cp  | client_port               (accepted address)  | numeric     |
  57.   |   | %f   | frontend_name                                 | string      |
  58.   |   | %fc  | feconn     (frontend concurrent connections)  | numeric     |
  59.   |   | %fi  | frontend_ip              (accepting address)  | IP          |
  60.   |   | %fp  | frontend_port            (accepting address)  | numeric     |
  61.   |   | %ft  | frontend_name_transport ('~' suffix for SSL)  | string      |
  62.   |   | %lc  | frontend_log_counter                          | numeric     |
  63.   |   | %hr  | captured_request_headers default style        | string      |
  64.   |   | %hrl | captured_request_headers CLF style            | string list |
  65.   |   | %hs  | captured_response_headers default style       | string      |
  66.   |   | %hsl | captured_response_headers CLF style           | string list |
  67.   |   | %ms  | accept date milliseconds (left-padded with 0) | numeric     |
  68.   |   | %pid | PID                                           | numeric     |
  69.   | H | %r   | http_request                                  | string      |
  70.   |   | %rc  | retries                                       | numeric     |
  71.   |   | %rt  | request_counter (HTTP req or TCP session)     | numeric     |
  72.   |   | %s   | server_name                                   | string      |
  73.   |   | %sc  | srv_conn     (server concurrent connections)  | numeric     |
  74.   |   | %si  | server_IP                   (target address)  | IP          |
  75.   |   | %sp  | server_port                 (target address)  | numeric     |
  76.   |   | %sq  | srv_queue                                     | numeric     |
  77.   | S | %sslc| ssl_ciphers (ex: AES-SHA)                     | string      |
  78.   | S | %sslv| ssl_version (ex: TLSv1)                       | string      |
  79.   |   | %t   | date_time      (with millisecond resolution)  | date        |
  80.   | H | %tr  | date_time of HTTP request                     | date        |
  81.   | H | %trg | gmt_date_time of start of HTTP request        | date        |
  82.   | H | %trl | local_date_time of start of HTTP request      | date        |
  83.   |   | %ts  | termination_state                             | string      |
  84.   | H | %tsc | termination_state with cookie status          | string      |
  85.   +---+------+-----------------------------------------------+-------------+
  86.  
  87.     R = Restrictions : H = mode http only ; S = SSL only

8.2.5. Error log format

  1. When an incoming connection fails due to an SSL handshake or an invalid PROXY
  2. protocol header, haproxy will log the event using a shorter, fixed line format.
  3. By default, logs are emitted at the LOG_INFO level, unless the option
  4. "log-separate-errors" is set in the backend, in which case the LOG_ERR level
  5. will be used. Connections on which no data are exchanged (e.g. probes) are not
  6. logged if the "dontlognull" option is set.
  7.  
  8. The format looks like this :
  9.  
  10.     >>> Dec  3 18:27:14 localhost \
  11.           haproxy[6103]: 127.0.0.1:56059 [03/Dec/2012:17:35:10.380] frt/f1: \
  12.           Connection error during SSL handshake
  13.  
  14.   Field   Format                                Extract from the example above
  15.       1   process_name '[' pid ']:'                             haproxy[6103]:
  16.       2   client_ip ':' client_port                            127.0.0.1:56059
  17.       3   '[' accept_date ']'                       [03/Dec/2012:17:35:10.380]
  18.       4   frontend_name "/" bind_name ":"                              frt/f1:
  19.       5   message                        Connection error during SSL handshake
  20.  
  21. These fields just provide minimal information to help debugging connection
  22. failures.