Redirecting Squid / SquidGuard logs to remote syslog

gregober · May 11, 2012, 4:26 PM

Hi folks,

I wanted to know if It is possible to redirect Squid logs to a remote syslog ?
For the moment I am stuck with log on my device and this is not very usefull !

Thanks.

kalu · May 12, 2012, 1:41 AM

same here.
very eager to know if such feature exist on pfsense.
thanks
kalu

kalu · May 12, 2012, 1:53 AM

Thanks gregober.
http://forum.pfsense.org/index.php/topic,49304.0.html
So the technical term to be used is syslog
My network is purely windows :( so no good alternatives
just found a link http://doc.pfsense.org/index.php/Copying_Logs_to_a_Remote_Host_with_Syslog
Thanks
kalu

kalu · May 12, 2012, 2:46 AM

:(

no option for squid.

http://postimage.org/image/q5uz7f9lx/

gregober · May 12, 2012, 1:36 PM

In Squid, I think It is possible to use this configuration directive :

access_log syslog:local:4

or

access_log syslog:LOG_LOCAL4

This parameter has to be included in the configuration file…

http://www.squid-cache.org/Doc/config/access_log/

and discussion here : http://www.mail-archive.com/squid-users@squid-cache.org/msg48741.html

But I really don't know if this option is supported in the compiled version provided by pfSense package ?

I can't try It right now because I have no access to a pfSense with Squid… (more infos on monday).

azpoulton · May 20, 2012, 12:10 AM

squid conf file is located here:

/usr/local/etc/squid/squid.conf

backup your config!!

cp /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.bak

ee /usr/local/etc/squid/squid.conf

added this:
#try logging to syslog
access_log syslog:local5.info squid

restart squid:
/usr/local/etc/rc.d/squid.sh restart

Where do the logs go? send all local5 syslogs to remote machine
cp /etc/syslog.conf /etc/syslog.conf.bak
added this to /etc/syslog.conf
local5.* @192.168.1.123

restart syslog
/etc/rc.d/syslogd restart

Obviously you would need to properly configure the remote device to accept the syslog (UDP 514) . This will retain your logs so that lightsquid will still work.

Someone correct me if I am wrong, but if you update pfsense then this will all get overwritten and have to be redone.

marcelloc · May 20, 2012, 2:35 AM

@azpoulton:

Someone correct me if I am wrong, but if you update pfsense then this will all get overwritten and have to be redone.

If you update any config on squid package or restart the server.

squid.conf is created by squid.inc file, you need to apply these changes on the php code that creates the config file.

I think syslog.conf is also recreated after reboot.

att,
Marcello Coutinho

pagaille · Jul 2, 2012, 5:10 PM

@gregober:

In Squid, I think It is possible to use this configuration directive :
access_log syslog:local:4
or
access_log syslog:LOG_LOCAL4
This parameter has to be included in the configuration file…

I personally verified that it was perfectly feasible to include this configuration directive in the "Custom Options" field of the Services > Proxy server configuration page of PfSense. Thanks to to that the settings survives a reboot.

Once this is done, the messages are sent to a distant server provided you configured pfsense to do so (Status > System Logs > Settings)