Streaming Squid Logs to GCP Logging / StackDriver

I’m still using Squid over SWP in GCP as a forward proxy because, well, it’s much cheaper. The only real limitation has been around logging and reporting: I don’t have a 3rd party logging setup like Splunk or an ELK stack, so it basically comes down to running tail -f on raw log files (though I did at least push them to a centralized bucket via a 1-minute cron job).

Sending 3rd party application logs to GCP StackDriver is a relatively simple process; I just couldn’t find a specific example for Squid.


If not done so already, install Ops Agent:

cd /tmp
wget https://dl.google.com/cloudagents/add-google-cloud-ops-agent-repo.sh
sudo bash ./add-google-cloud-ops-agent-repo.sh --also-install 

And make sure the Service Account for the VM has these Roles:

  • logging.logWriter
  • monitoring.metricWriter

Next, I configured Squid to log in JSON format. This allows searches based on specific log fields like client IP address or URL, which is very useful. This was a 2-liner in squid.conf:

# Define Syntax for JSON Logging
logformat json { "client_ip": "%>a", "timestamp": "%{%FT%T%z}tg", "method": "%rm", "url": "%ru", "http_version": "HTTP/%rv", "response_code": %>Hs, "bytes": %<st, "user_agent": "%{User-Agent}>h", "status_code": "%Ss", "hier": "%Sh"}

# Log using JSON format
access_log /var/log/squid/access_json.log json

# Optional - disable /var/log/squid/access.log
access_log daemon:/dev/null

I chose a name ending in .log because the Debian package will automatically rotate all /var/log/squid/*.log files every day at 00:00:00 (per /etc/logrotate.d/squid). I needed to ensure log rotation was occurring regularly so the disk didn’t get full.


To actually start sending the JSON logs to StackDriver, add the following lines to the file
/etc/google-cloud-ops-agent/config.yaml

logging:
  processors:
    squid_json:
      type: parse_json
  receivers:
    squid_cache:
      type: files
      include_paths: [/var/log/squid/cache.log]
    squid:
      type: files
      include_paths: [/var/log/squid/access_json.log]
  service:
    pipelines:
      squid:
        receivers: [squid_cache]
      squid_proxy:
        receivers: [squid]
        processors: [squid_json]

This will also send the /var/log/squid/cache.log file, just not in JSON format. This log file only logs startup/shutdown and errors, so a regular text format just showing the message body was fine.

Restart the agent:

systemctl restart google-cloud-ops-agent

And the logs are now searchable.
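
The parse_json processor can only turn a line into searchable fields if the line is valid JSON, so it is worth checking the output of the logformat before relying on it. The script below is an added example, not part of the original post: it checks each line against the field names and types from the logformat above, and the sample lines and the helper names (check_line, check_log) are constructed for illustration.

```python
import json
import sys

# Field names and JSON types taken from the logformat line in squid.conf.
EXPECTED = {
    "client_ip": str, "timestamp": str, "method": str, "url": str,
    "http_version": str, "response_code": int, "bytes": int,
    "user_agent": str, "status_code": str, "hier": str,
}

def check_line(line):
    """Return a list of problems for one log line (empty list means OK)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at column {exc.colno}: {exc.msg}"]
    if not isinstance(rec, dict):
        return ["not a JSON object"]
    problems = [f"missing field {k}" for k in EXPECTED if k not in rec]
    problems += [f"{k} is {type(rec[k]).__name__}, expected {t.__name__}"
                 for k, t in EXPECTED.items()
                 if k in rec and type(rec[k]) is not t]
    return problems

def check_log(lines):
    """Map 1-based line numbers to their problems; clean lines are omitted."""
    bad = {}
    for number, line in enumerate(lines, 1):
        problems = check_line(line) if line.strip() else []
        if problems:
            bad[number] = problems
    return bad

# Constructed sample lines (not real traffic) in the shape of the logformat.
GOOD = ('{ "client_ip": "10.0.0.5", "timestamp": "2024-01-01T12:00:00+0000", '
        '"method": "GET", "url": "http://example.com/", '
        '"http_version": "HTTP/1.1", "response_code": 200, "bytes": 1523, '
        '"user_agent": "curl/8.0", "status_code": "TCP_MISS", '
        '"hier": "HIER_DIRECT"}')
SAMPLE = [
    GOOD,
    GOOD.replace("curl/8.0", 'agent "quoted"'),        # unescaped quote
    GOOD.replace('"bytes": 1523, ', ""),               # field missing
    GOOD.replace('"response_code": 200', '"response_code": "200"'),
]

if __name__ == "__main__":
    # Pass a path such as /var/log/squid/access_json.log, or run on SAMPLE.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for number, problems in check_log(lines).items():
        print(f"line {number}: {'; '.join(problems)}")
```

Run it with the path to access_json.log as the only argument; any line it reports is one that would not produce the expected fields in a log search.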
