DLF Schema for Proxy superservice This DLF file is adequate to represent most common informations about web proxy events. It has the same information as found in most proxy-like servers log files. This schema is adequate for proxy servers beyond web proxys servers. It can be used for socks and other types of connection-level proxies. The DLF schema was designed by studying the WebTrends Enhanced Log Format, squid log files and thinking about SOCKS type of server. The time at which the request was initiated. The IP address of the client. The hostname of the client. If the client was authenticated, this field should contains the authenticated username. The time taken by the connection. Result code for the cache TCP_MISS, TCP_HIT, etc. List is available on Squid page, and in squid_access2dlf(1). All DLF converter should map their native value to the squid's one which is very complete and exhaustive. HTTP result of the request. e.g. 200 or 404. The protocol of the proxied request: ftp, http, https, telnet, etc. The protocol used between the client and the proxy server. This is probably TCP, but can be UDP in some case (like SOCKS or ICP). The ip address of the destination. The hostname of the destination. In the case of web proxy, that will be the website Port of the destination used in IP session This field should only be defined in the case of web proxy requests. This should contains the HTTP method requested like GET or POST. This field should only be defined in the case of web proxy request. It should contains the URL requested on the remote server. The number of bytes transferred from proxy server to the client This field should only be defined for web proxy servers, it should contains the MIME type of the HTTP request's result (e.g. text/html or image/jpeg). This field contains the configuration rule's name that was used to accept or deny to request. The useragent used by the client. E.g. 'Mozilla/4.0 (compatible; MSIE 5.0; Win32)' or 'Outlook Express/5.0 (MSIE 5.0; Windows 98; DigExt)' Code qualifying the next two fields. (i.e. NONE, DIRECT, PARENT_HIT, etc.) All DLF converter should map their native value to the squid's one which is very complete and exhaustive. The IP address of the server which handled the request, i.e. destination or other cache The hostname of the server that handled the request and gave the result. Port on referring host used in IP session. This field contains either the value block or pass. It is used when access control is based on content filtering. If the proxy server is doing content analysis, this field should contains the category for the requested website. Level can be 1 or 2. 1 meaning "no no" categories. 2 meaning "family fun" categories. This was taken from the WELF specification. Like cat_site, but for the actual page. Like catlevel_site, but for the actual page.