Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Sarg package for pfsense

    Scheduled Pinned Locked Moved pfSense Packages
    467 Posts 99 Posters 509.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • marcellocM
      marcelloc
      last edited by

      @Donny:

      Have any news over SARG reports with full usernames instead of user name logins?

      No time to test yet.

      Did you tried to run sarg on console with ldap info? did it returned any error?

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • DonnyD
        Donny
        last edited by

        @marcelloc:

        @Donny:

        Have any news over SARG reports with full usernames instead of user name logins?

        No time to test yet.

        Did you tried to run sarg on console with ldap info? did it returned any error?

        Ok, I will try

        Sarg detail from console. I could not find any returned  error.

        [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(1): sarg
        SARG: Records in file: 2140, reading: 100.00%
        SARG: Successful report generated on /usr/local/www/sarg-reports/25Apr2012-25Apr 2012
        [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(2): sarg -z
        SARG: TAG: access_log /var/squid/logs/access.log
        SARG: TAG: graphs yes
        SARG: TAG: output_dir /usr/local/www/sarg-reports
        SARG: TAG: anonymous_output_files no
        SARG: TAG: resolve_ip no
        SARG: TAG: user_ip no
        SARG: TAG: topuser_sort_field BYTES NORMAL
        SARG: TAG: user_sort_field BYTES NORMAL
        SARG: TAG: exclude_users /usr/local/etc/sarg/exclude_users.conf
        SARG: TAG: exclude_hosts /usr/local/etc/sarg/exclude_hosts.conf
        SARG: TAG: date_format e
        SARG: TAG: lastlog 0
        SARG: TAG: remove_temp_files yes
        SARG: TAG: index yes
        SARG: TAG: index_tree file
        SARG: TAG: overwrite_report yes
        SARG: TAG: use_comma yes
        SARG: TAG: exclude_codes /usr/local/etc/sarg/exclude_codes
        SARG: TAG: max_elapsed 0
        SARG: TAG: report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads
        SARG: TAG: usertab none
        SARG: TAG: LDAPHost 172.31.21.10
        SARG: TAG: LDAPBindDN cn=Administrator,cn=Users,dc=nxxxter,dc=dsns
        SARG: TAG: LDAPBindPW MyLdapPassWord
        SARG: TAG: LDAPBaseSearch dc=nxxxter,dc=dsns
        SARG: TAG: LDAPFilterSearch sAMAccountName=%s
        SARG: TAG: long_url no
        SARG: TAG: date_time_by bytes
        SARG: TAG: charset UTF-8
        SARG: TAG: privacy no
        SARG: TAG: bytes_in_sites_users_report no
        SARG: TAG: topuser_num 0
        SARG: TAG: dansguardian_conf
        SARG: TAG: show_sarg_info no
        SARG: TAG: show_sarg_logo no
        SARG: TAG: displayed_values bytes
        SARG: TAG: authfail_report_limit 0
        SARG: TAG: denied_report_limit 0
        SARG: TAG: siteusers_report_limit 0
        SARG: TAG: user_report_limit 0
        SARG: TAG: www_document_root /usr/local/www
        SARG: TAG: ntlm_user_format domainname+username
        SARG: TAG: realtime_refresh_time 0
        SARG: TAG: realtime_types GET,PUT,CONNECT
        SARG: TAG: realtime_unauthenticated_records show
        SARG: TAG: sorttable /sarg_sorttable.js
        SARG: TAG: hostalias /usr/local/etc/sarg/hostalias
        SARG: Records in file: 2140, reading: 100.00%
        SARG: (info) date=25/04/2012
        SARG: (info) period=25 Apr 2012
        SARG: (info) outdirname=/usr/local/www/sarg-reports/25Apr2012-25Apr2012
        SARG: (info) Dansguardian report not produced because no dansguardian configuration file was provided
        SARG: (info) No redirector logs provided to produce that kind of report
        SARG: (info) Downloaded files report not generated as it is empty
        SARG: (info) Denied report not produced because it is empty
        SARG: (info) Redirector report not generated because it is empty
        SARG: Successful report generated on /usr/local/www/sarg-reports/25Apr2012-25Apr2012
        [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(3):
        
        [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(9): sarg -x
        SARG: Init
        SARG: Loading configuration from /usr/local/etc/sarg/sarg.conf
        SARG: Loading exclude host file from: /usr/local/etc/sarg/exclude_hosts.conf
        SARG: Loading exclude file from: /usr/local/etc/sarg/exclude_users.conf
        SARG: Reading host alias file "/usr/local/etc/sarg/hostalias"
        SARG: List of host names to alias:
        SARG: Parameters:
        SARG:           Hostname or IP address (-a) =
        SARG:                    Useragent log (-b) =
        SARG:                     Exclude file (-c) = /usr/local/etc/sarg/exclude_hosts.conf
        SARG:                  Date from-until (-d) =
        SARG:    Email address to send reports (-e) =
        SARG:                      Config file (-f) = /usr/local/etc/sarg/sarg.conf
        SARG:                      Date format (-g) = Europe (dd/mm/yyyy)
        SARG:                        IP report (-i) = No
        SARG:                        Input log (-l) = /var/squid/logs/access.log
        SARG:               Resolve IP Address (-n) = No
        SARG:                       Output dir (-o) = /usr/local/www/sarg-reports/
        SARG: Use Ip Address instead of userid (-p) = No
        SARG:                    Accessed site (-s) =
        SARG:                             Time (-t) =
        SARG:                             User (-u) =
        SARG:                    Temporary dir (-w) = /tmp/sarg
        SARG:                   Debug messages (-x) = Yes
        SARG:                 Process messages (-z) = No
        SARG:  Previous reports to keep (--lastlog) = 0
        SARG:
        SARG: sarg version: 2.3.2 Nov-23-2011
        SARG: Reading access log file: /var/squid/logs/access.log
        SARG: Records in file: 61, reading: 100.00%
        SARG:    Records read: 61, written: 61, excluded: 0
        SARG: Squid log format
        SARG: Period: 26 Apr 2012
        SARG: pre-sorting files
        SARG: Making file: /tmp/sarg/noppy
        SARG: Sorting file: /tmp/sarg/noppy.utmp
        SARG: Making report: noppy
        SARG: Making index.html
        SARG: Successful report generated on /usr/local/www/sarg-reports/26Apr2012-26Apr2012
        SARG: Purging temporary file sarg-general
        SARG: End
        
        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          I saw no ldap info on sarg output.

          I'll check sarg compile options.

          att,
          Marcello Coutinho

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            I've compiled latest sarg code,checked build output and found ldap info there

            
            checking ldap.h usability... yes
            checking ldap.h presence... yes
            checking for ldap.h... yes
            checking for ldap_init in -lldap... yes
            
            

            Can you try this new build on your system/lab?

            amd64
            http://e-sac.siteseguro.ws/packages/amd64/8/All/sarg-2.3.2_4.tbz

            i386
            http://e-sac.siteseguro.ws/packages/8/All/sarg-2.3.2_4.tbz

            On console/ssh:

            To list current sarg freebsd package use: pkg_info | grep -i sarg
            To delete sarg freebsd package use: pkg_delete sarg_version_you_found
            To install latest freebsd sarg package use: pkg_add -r http://above_url_with_correct_platform

            Also check if you have openldap-sasl-client freebsd package installed too.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • DonnyD
              Donny
              last edited by

              @marcelloc:

              I've compiled latest sarg code,checked build output and found ldap info there

              
              checking ldap.h usability... yes
              checking ldap.h presence... yes
              checking for ldap.h... yes
              checking for ldap_init in -lldap... yes
              
              

              Can you try this new build on your system/lab?

              amd64
              http://e-sac.siteseguro.ws/packages/amd64/8/All/sarg-2.3.2_4.tbz

              i386
              http://e-sac.siteseguro.ws/packages/8/All/sarg-2.3.2_4.tbz

              On console/ssh:

              To list current sarg freebsd package use: pkg_info | grep -i sarg
              To delete sarg freebsd package use: pkg_delete sarg_version_you_found
              To install latest freebsd sarg package use: pkg_add -r http://above_url_with_correct_platform

              Also check if you have openldap-sasl-client freebsd package installed too.

              Hello Marcelloc, I already done it a little bit and I will test both of i386 and AMD 64 with my lab system and I inform you within today. Just wake up. Thank u very much, Donny

              1 Reply Last reply Reply Quote 0
              • DonnyD
                Donny
                last edited by

                Hello Marcelloc

                I have installed new build. Here is info.

                [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(9): pkg_info
                bsdinstaller-2.0.2011.1212 BSD Installer mega-package
                cyrus-sasl-2.1.25_1 RFC 2222 SASL (Simple Authentication and Security Layer)
                db41-4.1.25_4       The Berkeley DB package, revision 4.1
                freetype2-2.4.7     A free and portable TrueType font rendering engine
                gd-2.0.35_7,1       A graphics library for fast creation of images
                gettext-0.18.1.1    GNU gettext package
                grub-0.97_4         GRand Unified Bootloader
                jpeg-8_3            IJG's jpeg compression utilities
                libiconv-1.13.1_1   A character set conversion library
                openldap-sasl-client-2.4.26 Open source LDAP client implementation with SASL2 support
                perl-5.12.4_3       Practical Extraction and Report Language
                pkg-config-0.25_1   A utility to retrieve information about installed libraries
                png-1.4.8           Library for manipulating PNG images
                sarg-2.3.2_4        Squid log analyzer and HTML report generator
                squid-3.1.19        HTTP Caching Proxy
                [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(10):
                

                Thank u

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  Can you see if there's ldap queries during sarg reports with this latest version?

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • DonnyD
                    Donny
                    last edited by

                    @marcelloc:

                    Can you see if there's ldap queries during sarg reports with this latest version?

                    I only got this version> [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(10): sarg version: 2.3.2 Nov-23-2011

                    For ldap queries,you mean that I have to check at access.log.

                    When I use ldap search the result is 0 success:

                    [2.0.1-RELEASE][admin@xxxx.nxbuter.dsns]/root(3): ldapsearch -x -h 172.31.21.10 -p 389 -s sub -D "cn=Administrator,cn=Users,dc=nxxxter,dc=dsns" -w "SargLdapPassWord" -b "dc=nxxxter,DC=dsns" "(sAMAccountName=%s)" cn
                    # extended LDIF
                    #
                    # LDAPv3
                    # base <dc=nxxxter,dc=dsns>with scope subtree
                    # filter: (sAMAccountName=%s)
                    # requesting: cn
                    #
                    
                    # search reference
                    ref: ldap://ForestDnsZones.nxxxter.dsns/DC=ForestDnsZones,DC=nxxxter,DC=dsns
                    
                    # search reference
                    ref: ldap://DomainDnsZones.nxxxter.dsns/DC=DomainDnsZones,DC=nxxxter,DC=dsns
                    
                    # search reference
                    ref: ldap://nxbuter.dsns/CN=Configuration,DC=nxxxter,DC=dsns
                    
                    # search result
                    search: 2
                    result: 0 Success
                    
                    # numResponses: 4
                    # numReferences: 3
                    [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(4):</dc=nxxxter,dc=dsns> 
                    
                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      @Donny:

                      For ldap queries,you mean that I have to check at access.log.

                      I mean on a second console/ssh, run tcpdump on lan interface port 389 or host 172.31.21.10 and see if when you run sarg, it tries to search ldap

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • DonnyD
                        Donny
                        last edited by

                        @marcelloc:

                        @Donny:

                        For ldap queries,you mean that I have to check at access.log.

                        I mean on a second console/ssh, run tcpdump on lan interface port 389 or host 172.31.21.10 and see if when you run sarg, it tries to search ldap

                        !!!!! Nothing happen when I run tcpdump with this -ni, -vi, -vvi
                        [2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(10): tcpdump -vvi em1 tcp port 389
                        tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes

                        but sometime work and sometime not

                        Do I have to edit sarg.conf with more option enable?

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          @Donny:

                          Do I have to edit sarg.conf with more option enable?

                          All ldap options are configured on gui, but of course you can check if there is something missing.

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • DonnyD
                            Donny
                            last edited by

                            @marcelloc:

                            @Donny:

                            Do I have to edit sarg.conf with more option enable?

                            All ldap options are configured on gui, but of course you can check if there is something missing.

                            Hello Marcelloc,

                            I don't see any sarg on > pfsense > Status. How can I config SARG on gui?

                            I asked to edit sarg.conf because I just only enable some option on sarg.conf file and I think maybe some option is missing.

                            Thank u

                            1 Reply Last reply Reply Quote 0
                            • marcellocM
                              marcelloc
                              last edited by

                              @Donny:

                              I don't see any sarg on > pfsense > Status. How can I config SARG on gui?

                              status -> sarg reports????

                              try to reinstall package, the menu is there

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • DonnyD
                                Donny
                                last edited by

                                @marcelloc:

                                @Donny:

                                I don't see any sarg on > pfsense > Status. How can I config SARG on gui?

                                status -> sarg reports????

                                try to reinstall package, the menu is there

                                you mean from this:

                                pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/sarg-2.3.2_4.tbz

                                1 Reply Last reply Reply Quote 0
                                • marcellocM
                                  marcelloc
                                  last edited by

                                  No,

                                  system -> packages -> Available Packages  -> sarg

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  1 Reply Last reply Reply Quote 0
                                  • DonnyD
                                    Donny
                                    last edited by

                                    @marcelloc:

                                    No,

                                    system -> packages -> Available Packages  -> sarg

                                    I understood now, form pfsense console, first just only delete SARGv.xxxx that it has installed before. After SARGv.xxxx deleted with this command  "pkg_delete sarg-x.x.x", SARG gui still remain on
                                    "Status > Sarg Reports". Then install sarg-2.3.2_4 from "pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/sarg-2.3.2_4.tbz", that's it.
                                    Anyway SARG reports with full user name from LDAP still not work.

                                    Thank u

                                    1 Reply Last reply Reply Quote 0
                                    • DonnyD
                                      Donny
                                      last edited by

                                      Hello Marcello, I have some question I use sarg and squid proxy authentication with Ldap Windows 2008. When I use domain user name to login on Chrome or Firefox web browser, at system log I always get
                                      "DNS-rebind attack detected: xxxxter.dsns" . I always have this problem only I put internal DNS server IP address on System > General Setup> DNS Servers. I spend a lot of time to find out to solve this problem but never success. Is it possible to give me some suggestion where is this the problem coming from?

                                      Thank u

                                      Donny

                                      1 Reply Last reply Reply Quote 0
                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        Somebody posted these day a workaround for this, try to search on forum for dns rebind ad.

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • DonnyD
                                          Donny
                                          last edited by

                                          @marcelloc:

                                          Somebody posted these day a workaround for this, try to search on forum for dns rebind ad.

                                          No more ask again because I have 2 or 3 times posted.

                                          Thank u very much Marcelloc

                                          Donny

                                          1 Reply Last reply Reply Quote 0
                                          • J
                                            jikjik101
                                            last edited by

                                            Hi marcelloc,

                                            Great package. But how to manually delete the sarg reports?
                                            My pfsense got problem with full hard disk error and the largest directory is from the sarg reports.
                                            I forgot to use the rotate logs before.

                                            And what does Cache-in and Cache-out mean?

                                            Thanks in advance.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.