Sarg package for pfsense

Donny

@marcelloc:

@Donny:

For ldap queries,you mean that I have to check at access.log.

I mean on a second console/ssh, run tcpdump on lan interface port 389 or host 172.31.21.10 and see if when you run sarg, it tries to search ldap

!!!!! Nothing happen when I run tcpdump with this -ni, -vi, -vvi
[2.0.1-RELEASE][admin@xxxx.nxxxter.dsns]/root(10): tcpdump -vvi em1 tcp port 389
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes

but sometime work and sometime not

Do I have to edit sarg.conf with more option enable?

marcelloc

@Donny:

Do I have to edit sarg.conf with more option enable?

All ldap options are configured on gui, but of course you can check if there is something missing.

Donny

@marcelloc:

@Donny:

Do I have to edit sarg.conf with more option enable?

All ldap options are configured on gui, but of course you can check if there is something missing.

Hello Marcelloc,

I don't see any sarg on > pfsense > Status. How can I config SARG on gui?

I asked to edit sarg.conf because I just only enable some option on sarg.conf file and I think maybe some option is missing.

Thank u

marcelloc

@Donny:

I don't see any sarg on > pfsense > Status. How can I config SARG on gui?

status -> sarg reports????

try to reinstall package, the menu is there

Donny

@marcelloc:

@Donny:

I don't see any sarg on > pfsense > Status. How can I config SARG on gui?

status -> sarg reports????

try to reinstall package, the menu is there

you mean from this:

pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/sarg-2.3.2_4.tbz

marcelloc

No,

system -> packages -> Available Packages  -> sarg

Donny

@marcelloc:

No,

system -> packages -> Available Packages  -> sarg

I understood now, form pfsense console, first just only delete SARGv.xxxx that it has installed before. After SARGv.xxxx deleted with this command  "pkg_delete sarg-x.x.x", SARG gui still remain on
"Status > Sarg Reports". Then install sarg-2.3.2_4 from "pkg_add -r http://e-sac.siteseguro.ws/packages/8/All/sarg-2.3.2_4.tbz", that's it.
Anyway SARG reports with full user name from LDAP still not work.

Thank u

Donny

Hello Marcello, I have some question I use sarg and squid proxy authentication with Ldap Windows 2008. When I use domain user name to login on Chrome or Firefox web browser, at system log I always get
"DNS-rebind attack detected: xxxxter.dsns" . I always have this problem only I put internal DNS server IP address on System > General Setup> DNS Servers. I spend a lot of time to find out to solve this problem but never success. Is it possible to give me some suggestion where is this the problem coming from?

Thank u

Donny

marcelloc

Somebody posted these day a workaround for this, try to search on forum for dns rebind ad.

Donny

@marcelloc:

Somebody posted these day a workaround for this, try to search on forum for dns rebind ad.

No more ask again because I have 2 or 3 times posted.

Thank u very much Marcelloc

Donny

jikjik101

Hi marcelloc,

Great package. But how to manually delete the sarg reports?
My pfsense got problem with full hard disk error and the largest directory is from the sarg reports.
I forgot to use the rotate logs before.

And what does Cache-in and Cache-out mean?

Thanks in advance.

marcelloc

@jikjik101:

Hi marcelloc,

Great package. But how to manually delete the sarg reports?
My pfsense got problem with full hard disk error and the largest directory is from the sarg reports.
I forgot to use the rotate logs before.

Just delete reports on /usr/local/www/sarg-reports using rm on console/ssh.

marcelloc

Hi all,

Just published version 0.4.2 with fixes on squidguard log rotate and a faster boot startup process.

att,
Marcello Coutinho

elemay

here it doesn't show realtime logs since latest upgrade.

anyone else with this problem?

miodzicho

Cannot generate anything at all.

Package has been removed, re-installed, directory deleted (under www), recreated, given write rights and still :

sarg -x
SARG: Init
SARG: Loading configuration from /usr/local/etc/sarg/sarg.conf
SARG: Loading exclude host file from: /usr/local/etc/sarg/exclude_hosts.conf
SARG: Loading exclude file from: /usr/local/etc/sarg/exclude_users.conf
SARG: Reading host alias file "/usr/local/etc/sarg/hostalias"
SARG: List of host names to alias:
SARG: Parameters:
SARG:          Hostname or IP address (-a) =
SARG:                    Useragent log (-b) =
SARG:                    Exclude file (-c) = /usr/local/etc/sarg/exclude_hosts.conf
SARG:                  Date from-until (-d) =
SARG:    Email address to send reports (-e) =
SARG:                      Config file (-f) = /usr/local/etc/sarg/sarg.conf
SARG:                      Date format (-g) = Europe (dd/mm/yyyy)
SARG:                        IP report (-i) = No
SARG:                        Input log (-l) = /var/squid/logs/access.log
SARG:              Resolve IP Address (-n) = No
SARG:                      Output dir (-o) = /usr/local/www/sarg-reports/
SARG: Use Ip Address instead of userid (-p) = No
SARG:                    Accessed site (-s) =
SARG:                            Time (-t) =
SARG:                            User (-u) =
SARG:                    Temporary dir (-w) = /tmp/sarg
SARG:                  Debug messages (-x) = Yes
SARG:                Process messages (-z) = No
SARG:  Previous reports to keep (–lastlog) = 0
SARG:
SARG: sarg version: 2.3.2 Nov-23-2011
SARG: Reading access log file: /var/squid/logs/access.log
SARG: Records in file: 344851, reading: 100.00%
SARG:    Records read: 344851, written: 344691, excluded: 0
SARG: Squid log format
SARG: Period: 06 Apr 2012-07 May 2012
SARG: pre-sorting files
SARG: File /usr/local/www/sarg-reports/2012/04-05/06-07 already exists, moved to /usr/local/www/sarg-reports/2012/04-05/06-07.2
SARG: cannot open /usr/local/www/sarg-reports/2012/04-05/06-07/sarg-date for writing
SARG:: No such file or directory

sarg
SARG: Records in file: 344851, reading: 100.00%
SARG: Cannot delete /usr/local/www/sarg-reports/2012/04-05/06-07/d192_168_20_4.html - No such file or directory

marcelloc

@miodzicho:

SARG: cannot open /usr/local/www/sarg-reports/2012/04-05/06-07/sarg-date for writing
SARG:: No such file or directory
SARG: Records in file: 344851, reading: 100.00%
SARG: Cannot delete /usr/local/www/sarg-reports/2012/04-05/06-07/d192_168_20_4.html - No such file or directory

You have permission problems on your install, clean up(not remove) /usr/local/www/sarg-reports and try to run again.

miodzicho

@marcelloc:

@miodzicho:

SARG: cannot open /usr/local/www/sarg-reports/2012/04-05/06-07/sarg-date for writing
SARG:: No such file or directory
SARG: Records in file: 344851, reading: 100.00%
SARG: Cannot delete /usr/local/www/sarg-reports/2012/04-05/06-07/d192_168_20_4.html - No such file or directory

You have permission problems on your install, clean up(not remove) /usr/local/www/sarg-reports and try to run again.

Hi Marcelloc

What do you mean by clean ? rm -rf ?

marcelloc

@miodzicho:

What do you mean by clean ? rm -rf ?

could be a rm -rf /usr/local/www/sarg-reports/*

Please be carefull with rm.

miodzicho

@marcelloc:

@miodzicho:

What do you mean by clean ? rm -rf ?

could be a rm -rf /usr/local/www/sarg-reports/*

Please be carefull with rm.

Of course I'm :)

Here are results, negative I'm afraid

rm -rf /usr/local/www/sarg-reports/*
[2.0.1-RELEASE][root@xxx]/root(5): ls /usr/local/www/sarg-reports
[2.0.1-RELEASE][root@xxx]/root(6): sarg
SARG: Records in file: 344852, reading: 100.00%
SARG: Cannot delete /usr/local/www/sarg-reports/2012/04-05/06-07/d192_168_20_4.html - No such file or directory
[2.0.1-RELEASE][root@xxx]/root(7):

marcelloc

Check options you selected on sarg gui and try again.