Sarg package for pfsense

periko · Oct 1, 2012, 4:01 AM

I had follow this package and read this thread, I had try sarg and works, but I have seen that cron run 2 jobs in my system.

I setup squid without any log rotate, but I see that my system rotate my logs twice.

Sep 29 23:00:02 gw php: : Sarg: force refresh now with args, compress() and rotate action after sarg finish.
Sep 29 23:00:17 gw php: : executing squid log rotate after sarg.
Sep 30 00:00:01 gw php: : Sarg: force refresh now with args, compress() and rotate action after sarg finish.
Sep 30 00:00:17 gw php: : executing squid log rotate after sarg.

I setup sarg to rotate at 23h, I have this on cron:

0 * * * * root /usr/bin/nice -n20 newsyslog
1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
0 0 * * * root /bin/rm /var/squid/cache/swap.state; /usr/local/sbin/squid -k rotate
*/15 * * * * root /usr/local/pkg/swapstate_check.php
0 */23 * * * root /usr/local/bin/php /usr/local/www/sarg.php 0

Why it run at 00:00?

sarg-2.3.2_2 Squid log analyzer and HTML report generator
squid-2.7.9_1 HTTP Caching Proxy

Any tip will be appreciate, thanks!!!

Tom70 · Oct 3, 2012, 10:33 AM

Hi,

The daily report works great.
But what are the arguments for a weekly and a monthly report.

Tom

marcelloc · Oct 3, 2012, 2:06 PM

@Tom70:

But what are the arguments for a weekly and a monthly report.

google search could help a lot ;).

I've found this on http://lists.freebsd.org/pipermail/freebsd-ports/2005-November/027512.html

TODAY=$(date +%d/%m/%Y)
YESTERDAY=$(date -v-1d +%d/%m/%Y)
WEEKAGO=$(date -v-1w -v-1d +%d/%m/%Y)
MONTHAGO=$(date -v-1m -v-1d +%d/%m/%Y)
YEARAGO=$(date -v-1y -v-1d +%d/%m/%Y)

Tom70 · Oct 4, 2012, 11:41 AM

@marcelloc:

google search could help a lot ;).

I've found this on http://lists.freebsd.org/pipermail/freebsd-ports/2005-November/027512.html

TODAY=$(date +%d/%m/%Y)
YESTERDAY=$(date -v-1d +%d/%m/%Y)
WEEKAGO=$(date -v-1w -v-1d +%d/%m/%Y)
MONTHAGO=$(date -v-1m -v-1d +%d/%m/%Y)
YEARAGO=$(date -v-1y -v-1d +%d/%m/%Y)

Hi Marcelloc

This page I had already found. But somehow it did not work.
But I get no errors.

Tom

marcelloc · Oct 4, 2012, 12:44 PM

Are you rotating the squid log?

Tom70 · Oct 4, 2012, 2:22 PM

Yes. Every 60 days.

marcelloc · Oct 4, 2012, 2:31 PM

@Tom70:

Yes. Every 60 days.

did you tried -d date -v-1w +%d/%m/%Y-date +%d/%m/%Y for a week report?

stramato · Oct 5, 2012, 2:23 AM

hi guys, i've been reading this thread. I just installed Sarg today.

I'm using Squid Transparent with SquidGuard. Just standard config, with log turned on (log rotate also).

I can view Realtime just fine, but I can't seem to generate a report when I try forcing a sched with the following args:

-d date +%d/%m/%Y-date +%d/%m/%Y

I just get this:

Error: Could not find report index file.
Check and save sarg settings and try to force sarg schedule.

Should I do anything special config to make it work?

marcelloc · Oct 5, 2012, 3:05 AM

@stramato:

Should I do anything special config to make it work?

yes, check all sarg config options, reports to generate and create a schedule to run.

Default sarg options has (yes) after it's description. Select all to create a default config.

stramato · Oct 8, 2012, 1:18 AM

@marcelloc:

@stramato:

Should I do anything special config to make it work?

yes, check all sarg config options, reports to generate and create a schedule to run.

Default sarg options has (yes) after it's description. Select all to create a default config.

Thank you. I had to simply select (ctrl+click to highlight) the config options then click save. I got confused because I thought they're already enabled since they already have a (yes) on them.

ckuecker · Oct 8, 2012, 9:15 PM

I have Sarg running on multiple pfsense boxes. One of my boxes has about 100 users behind it and the report will only work for about the first 4 hours after I wipe out the squid logs. After that I am guessing the squid log gets too big and the sarg report will no longer work.

I am using the -d arguments and I have tried limiting the number of users.

Any suggestions on how I can get sarg to accept a larger log file?

marcelloc · Oct 8, 2012, 10:10 PM

@ckuecker:

Any suggestions on how I can get sarg to accept a larger log file?

I have large files working fine.

try to run sarg on console to check what it returns.

ckuecker · Oct 11, 2012, 3:07 PM

@marcelloc:

@ckuecker:

Any suggestions on how I can get sarg to accept a larger log file?

I have large files working fine.

try to run sarg on console to check what it returns.

Seems to be working fine now. I just need to figure out my schedule because, like others my report is pretty empty at 00:00. I need to figure out Cron now.

I have highlighted what I am questioning. Is this rotating my squid logs even after I have set them not to rotate?

![cron sarg.PNG](/public/imported_attachments/1/cron sarg.PNG)
![cron sarg.PNG_thumb](/public/imported_attachments/1/cron sarg.PNG_thumb)

marcelloc · Oct 11, 2012, 3:22 PM

Check on squid config because it's not created by sarg.

ckuecker · Oct 11, 2012, 5:12 PM

@marcelloc:

Check on squid config because it's not created by sarg.

This is my squid config. Rotation should be disabled.

ckuecker · Oct 12, 2012, 8:43 PM

I think it is working now. Thanks for all your help Marcelloc

ckuecker · Oct 15, 2012, 6:06 PM

Marcelloc, I am not sure if this is a bug or if I am doing something / missing something.

I would like to provide access to the Sarg reports to a few users. When I give them permissions via the user manager to the Sarg reports, it does not work fully.
The real time logs work, but when you try and view reports it just flickers non stop. Looks like it is trying to load the sarg reports frame inside the sarg reports frame.

Attached is the permissions I am giving the user. Is there an easier way or is this a bug?

marcelloc · Oct 15, 2012, 6:27 PM

@ckuecker:

Looks like it is trying to load the sarg reports frame inside the sarg reports frame.

Reinstall sarg package, I've fixed it last week.

ckuecker · Oct 15, 2012, 7:06 PM

awesome! Thanks!!

edit: works like a charm!

LoZio · Oct 22, 2012, 4:32 PM

Using nano 2.0.1 and SARG 2.3.2 pkg v.0.6.1.
No matter what I do, tried everithing I found in this forum.
I always get
Error: Could not find report index file.
Check and save sarg settings and try to force sarg schedul

Running sarg -x results in

SARG: sarg version: 2.3.2 Nov-23-2011
SARG: Reading access log file: /var/squid/logs/access.log
SARG: Records in file: 11460, reading: 100.00%
SARG: Records read: 11460, written: 11459, excluded: 0
SARG: Squid log format
SARG: Period: 22 Oct 2012
SARG: pre-sorting files
SARG: File /usr/local/sarg-reports/22Oct2012-22Oct2012 already exists, moved to /usr/local/sarg-reports/22Oct2012-22Oct2012.4
SARG: Cannot delete /usr/local/sarg-reports/22Oct2012-22Oct2012/d192_168_7_11.html - No such file or directory

Saved, re-saved, re-re-re-saved the config with (yes) options.
Deleted and recreated report directories, gave them 777. Created a schedule with every possible combination of parameters, run it manually, scheduled,…
Each time the no index error.

Running a schedule results in
php: /pkg_edit.php: The command '/usr/local/bin/sarg ' returned exit code '1', the output was 'SARG: Records in file: 11647, reading: 0.00%^MSARG: Records in file: 5000, reading: 42.93%^MSARG: Records in file: 10000, reading: 85.86%^MSARG: Cannot delete /usr/local/sarg-reports/22Oct2012-22Oct2012/d192_168_7_11.html - No such file or directory SARG: Records in file: 11647, reading: 100.00%'

If something is written in these forums, I tried it. :(
Realtime works correctly but what I need i history data.
Any other test/debug I can try?