Customizing the proxy.log file of a WebSphere Proxy Server or ODR

In a previous post I discussed how the HTTP access logs on a WebSphere application server can be customized. In this post I will analyze how to do that with the access logs of a WebSphere 8.5 proxy server or on-demand router (ODR).

The access logs for a proxy sever (resp. ODR) can be configured under "Proxy settings" (resp. "On Demand Router settings") in the admin console. They are enabled by default, and the location of the log file is ${SERVER_LOG_ROOT}/proxy.log. The file uses the standard NCSA format. That means that it misses two important pieces of information that one usually wants to have for an HTTP proxy server:

  • The response time.
  • The address (and port number) of the application server that handled the request.

With IBM HTTP Server, one would add that information to the access logs using the %D and %{WAS}e format strings in the LogFormat directive. The question is whether this can also be done with ODR.

It turns out that the format of the proxy.log file is not customizable. In fact, entries are written to the log file by an instance of com.ibm.ws.proxy.log.http.HttpProxyLogImpl and that instance is managed by com.ibm.ws.proxy.log.http.HttpLogFilter. One can see from the package name that these classes are specific to the HTTP proxy code in WebSphere; although the output format is similar, they don't reuse the code responsible for writing the HTTP access logs in WebSphere application server (i.e. com.ibm.ws.http.logging.impl.AccessLogger). That means that the access log customization feature introduced by PM46717 doesn't apply to proxy.log.

On the other hand, on a proxy server or ODR it is still possible to enable the standard access logs on the HTTP channel used by the proxy transport. In the admin console, these settings can be found under "Proxy server transports" or "On Demand Router transports" (and then HTTP_PROXY_CHAIN or HTTPS_PROXY_CHAIN depending on the protocol that is used). The format of that access log can then be specified using the accessLogFormat custom property. Unfortunately that doesn't give the expected result:

  • The response time values produced by %D are incorrect for clients that use persistent HTTP connections. As noted in my previous post, this is already broken in WAS, and it is not so surprising that it doesn't work in proxy server and ODR either. What is more surprising is that the feature is not broken in the same way: for a connection with keep-alive, the proxy server or ODR reports the time elapsed between the transmission of the previous response and the transmission of the current response, while WAS reports the time elapsed between the establishment of the persistent connection and the transmission of the current response.
  • %h no longer outputs the client IP address but the address of the application server that has handled the request. On the other hand, %a and %A both output the address of the host where the proxy server or ODR is running. This means that it is no longer possible to log the IP address of the client. In addition, there is no way to log the port number of the application server that handled the request.

Unfortunately the conclusion is that (as of version 8.5.0.2) it is not possible to configure a proxy server or ODR to produce custom access logs that include the response time and the address/port of the target application server. At least, that can't be achieved using out-of-the-box features available in WebSphere. There is however another option, namely to create a custom log filter as described in the WebSphere infocenter (Creating a custom filter and deploying it to a proxy server). That's a bit of an overkill if the goal is simply to customize the access logs, but it would also offer the interesting option to send the access logs directly to a centralized log management system such as logstash.