Netgate Discussion Forum

    Sarg package for pfsense

    • marcelloc

      @KeltecRFB:

      Is there a way to configure Sarg to show denied access reporting and what Proxy\Dans acl triggered it?  Can that be done in the GUI or is it in CLI only?

      Sarg only understands squid log format, so I think sarg is not able to log what ACL denied a url.

      Do you have a sarg config that does it?

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      • novicenaja

        @marcelloc:

        Hi all,

        I've just published the sarg package for pfsense with squid, squidguard and dansguardian log analysis, as well as a real time report tab.

        Squidguard functions are still under development, but squid and dansguardian (as far as I tested) are working.

        After almost everything done, I found an old sarg package published on forum by joaohf and merged some function calls from this old thread.

        Another good point is that sarg is able to forward logs via email, so I'm planning to include it for nanobsd installs.

        have fun and feedback!  :)

        att,
        Marcello Coutinho

        Thank you (khob kun krub). Thank you very much

        • pszafer

          For over a week I've been trying to config SARG because sometimes it works and sometimes not.

          The problem is: "SARG: Cannot set the locale LC_ALL to the environment variable".

          Sometimes when I restart webconfigurator and in shell set LC_ALL: setenv LC_ALL "en_US" it works from webGUI,
          but more often it does not work at all.

          Could you give me some trail where I can look for my mistakes, please?

          Graphs should be generated from squid access log.
          I can generate it from shell without any problem but not by command
          "/usr/local/bin/php /usr/local/www/sarg.php 1"
          it gives above error.

          • marcelloc

            What version of sarg and pfsense are you using?

            • Topper727

              Hello,

              I have
              2.1-BETA1 (amd64)
              built on Wed Apr 10 18:48:44 EDT 2013
              FreeBSD 8.3-RELEASE-p7

              squidGuard Network Management 1.4_4 pkg v.1.9.2
              Lightsquid Network Report         1.8.2 pkg v.2.32
              Sarg         Network Report         2.3.2 pkg v.0.6.1
              squid3 Network                3.1.20 pkg 2.0.6

              I get for View Report
              Error: Could not find report index file.
              Check and save sarg settings and try to force sarg schedule.

              In the system log
              php: /pkg_edit.php: The command '/usr/pbi/sarg-amd64/bin/sarg ' returned exit code '1', the output was 'SARG: Cannot set the locale LC_ALL to the environment variable'

              Realtime works

              Dell 2950 g3 server
              Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
              Current: 2000 MHz, Max: 2667 MHz
              8 CPUs: 2 package(s) x 4 core(s)
              8152 MiB and 600meg 10k drive
              Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

              • pszafer

                I have also pfSense 2.1-BETA and the Sarg package 2.3.2 pkg v.0.6.1.

                • baba

                  Hello, sorry, I can't understand a thing…
                  Can I configure ldap settings in sarg to display username instead of IP if I use squid in transparent mode without authentication?
                  Thanks

                  • technical

                    @pszafer:

                    For over a week I've been trying to config SARG because sometimes it works and sometimes not.

                    The problem is: "SARG: Cannot set the locale LC_ALL to the environment variable".

                    Sometimes when I restart webconfigurator and in shell set LC_ALL: setenv LC_ALL "en_US" it works from webGUI,
                    but more often it does not work at all.

                    Could you give me some trail where I can look for my mistakes, please?

                    Graphs should be generated from squid access log.
                    I can generate it from shell without any problem but not by command
                    "/usr/local/bin/php /usr/local/www/sarg.php 1"
                    it gives above error.

                    I have the same problems in the pfsense 2.0.2 Release
                    sarg
                    squid3
                    squidguard

                    Necati Selim GÜNER
                    IT Technician

                    • tempest69

                      Hello,
                      same error for me with pfsense 2.1 (latest version available at this time), fresh squid and sarg install, I was getting the message

                      php: /pkg_edit.php: The command '/usr/pbi/sarg-amd64/bin/sarg ' returned exit code '1', the output was 'SARG: Cannot set the locale LC_ALL to the environment variable'
                      

                      until I changed the sarg config from

                      Date Format =European
                      to
                      Date Format=American (default)

                      Well, it's not a real solution (but today it doesn't matter, 05/05/2013 is the same in American and European!!!)

                      Edit: Message seems to have gone… but no, it is still here!!

                      • pszafer

                        I did it too (changed date format), but it isn't a stable solution, because for 2 weeks Sarg with Date format = American is not working.

                        • estragon

                          Hello,
                          I can't remove the Sarg package …

                          I'm using: 2.1-BETA1 (i386) built on Sun May 19 05:11:18 EDT 2013 FreeBSD 8.3-RELEASE-p8

                          After an upgrade, I have an issue with the sarg package (2.3.6 pkg v.0.6.1):

                          Crash report begins.  Anonymous machine information:
                          i386
                          8.3-RELEASE-p8
                          FreeBSD 8.3-RELEASE-p8 #1: Sun May 19 05:40:04 EDT 2013     root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8
                          Crash report details:
                          PHP Errors:
                          [20-May-2013 10:44:41 Europe/Paris] PHP Fatal error:  Call to undefined function sync_package_sarg() in /etc/inc/pkg-utils.inc(474) : eval()'d code on line 1
                          [20-May-2013 10:44:45 Europe/Paris] PHP Fatal error:  Call to undefined function sync_package_sarg() in /etc/inc/pkg-utils.inc(474) : eval()'d code on line 1
                          Filename: /var/crash/minfree
                          2048

                          I have tried to reinstall the package but no success,
                          then I have tried to remove the package. I received this feedback:

                          Removing package…
                          Starting package deletion for sarg-2.3.6-i386...done.
                          Removing Sarg components...
                          Tabs items... done.
                          Menu items... done.
                          Loading package instructions...
                          Deinstall commands...

                          but the package is still present!

                          Thanks for any suggestions on a better way to clear the system (maybe just wait for a pkg update?)

                          • marcelloc

                            @estragon:

                            but the package is still present!

                            Check if sarg.inc exists on /usr/local/pkg dir and remove it.

                            • estragon

                              Hello,
                              Thanks very much for your help, and just as feedback:
                              I go to Diagnostics -> Edit File to check, and the file was here (with 0kb),
                              then I go to Diagnostics -> Command Prompt and execute: rm /usr/local/pkg/sarg.inc
                              then I go to remove the package from System -> Package

                              … I have not understood it all well, but that works …. Thanks very much!

                              Greetings, and thank you for your great work!
                              gerard

                              • wolivete

                                @elemay:

                                reinstalling only.

                                [SOLVED] I also experience that if I set up a schedule and do a 'Force Update Now', I get no report, telling me:

                                Error: Could not find report index file.
                                Check sarg settings and try to force sarg schedule.
                                

                                In system logs I see:

                                Apr 10 15:55:45	php: /pkg_edit.php: The command '/usr/local/bin/sarg ' returned exit code '1', the output was 'SARG: Records in file: 174067, reading: 0.00%^MSARG: Maybe you have a broken date in your /var/log/dansguardian/access.log file SARG: getword_atoll loop detected after 2 bytes. SARG: Line="xx.xx.xx.xx http" SARG: Record="xx.xx.xx.xx http" SARG: searching for 'x2f''
                                

                                I deleted access.log and restarted dansguardian, everything's fine again. :)

                                For this, I tried to select all in General->Reports Options.

                                • AudiAddict

                                  My sarg stopped working (not creating daily reports) after update to 2.1RC0

                                  Using squid. Schedule says

                                  Status Update Frequency Aditional Args Gzip Post Action Description
                                  on           24h none                                            24hr

                                  When opening reports view it doesn't show the latest (29th of May). Strange thing is it does show a creation date of today when I do a full update, but the date stays the same?

                                  As you can see I changed schedule from 1h to 24h (I need daily reports not hourly)

                                  Any ideas how to resolve this? What are the correct settings for squid3 and sarg? Is there a howto or readme available? Action after schedule is set to none (default) but in screenshots in this topic I see it set to rotate log?

                                  Can anybody provide me with a screenshot of their schedule? I just want daily reports of proxy access.

                                  • marcelloc

                                    Enable report overwrite to avoid multiple reports in the same day.

                                    It looks like you didn't enable (or disabled) squid logs after May 26.

                                    • nuphero

                                      I tried to install SARG a few times but always got the problem Segmentation fault (Core dumped).
                                      Here is the log of sarg -x. Anyone experienced with this issue, please help. Thanks.

                                      ```
                                      [2.0.3-RELEASE][root@pfSense.localdomain]/usr/local(34): sarg -x
                                      SARG: Init
                                      SARG: Loading configuration from /usr/local/etc/sarg/sarg.conf
                                      SARG: Loading exclude host file from: /usr/local/etc/sarg/exclude_hosts.conf
                                      SARG: Loading exclude file from: /usr/local/etc/sarg/exclude_users.conf
                                      SARG: Reading host alias file "/usr/local/etc/sarg/hostalias"
                                      SARG: List of host names to alias:
                                      SARG: Deleting temporary directory "/tmp/sarg"
                                      SARG: Parameters:
                                      SARG:          Hostname or IP address (-a) =
                                      SARG:                    Useragent log (-b) =
                                      SARG:                    Exclude file (-c) = /usr/local/etc/sarg/exclude_hosts.conf
                                      SARG:                  Date from-until (-d) =
                                      SARG:    Email address to send reports (-e) =
                                      SARG:                      Config file (-f) = /usr/local/etc/sarg/sarg.conf
                                      SARG:                      Date format (-g) = Europe (dd/mm/yyyy)
                                      SARG:                        IP report (-i) = No
                                      SARG:            Keep temporary files (-k) = No
                                      SARG:                        Input log (-l) = /var/squid/log/access.log
                                      SARG:              Resolve IP Address (-n) = No
                                      SARG:                      Output dir (-o) = /usr/local/sarg-reports/
                                      SARG: Use Ip Address instead of userid (-p) = Yes
                                      SARG:                    Accessed site (-s) =
                                      SARG:                            Time (-t) =
                                      SARG:                            User (-u) =
                                      SARG:                    Temporary dir (-w) = /tmp/sarg
                                      SARG:                  Debug messages (-x) = Yes
                                      SARG:                Process messages (-z) = No
                                      SARG:  Previous reports to keep (--lastlog) = 0
                                      SARG:
                                      SARG: sarg version: 2.3.6 Arp-21-2013
                                      SARG: Reading access log file: /var/squid/log/access.log
                                      SARG: Records in file: 874, reading: 100.00%
                                      SARG:    Records read: 874, written: 874, excluded: 0
                                      SARG: Squid log format
                                      SARG: Period: 30 May 2013
                                      SARG: File /usr/local/sarg-reports/30May2013-30May2013 already exists, moved to /usr/local/sarg-reports/30May2013-30May2013.18
                                      SARG: Sorting log /tmp/sarg/10_48_14_29.user_unsort
                                      Segmentation fault (core dumped)
                                      ```

                                      • Hugovsky

                                        Maybe you have changed date format in General tab. That was my problem. It works in default but not in European.

                                        • sully

                                          I installed SARG on my box numerous times, following various threads on how to get it to work. I did get it to work, and wanted to start over, so deleted the files it created. Upon doing this, it would not recreate them, even with the indexing options toggled on.

                                          A few more uninstalls and pkg_deletes and pkg_adds later, both from command and anyterm, still left it non working. Even when SARG from anyterm would return no errors, it would not create the index files.

                                          There was however a graph error, which I turned graphing off in the config. And one other error, which was

                                          ```
                                          php: /pkg_edit.php: The command '/usr/local/bin/sarg ' returned exit code '1', the output was 'SARG: Unknown sort criterion "SITE" for parameter "topuser_sort_field"'
                                          ```

                                          Inspecting the SARG config, you see this

                                          ```
                                          # TAG:  topuser_sort_field field normal/reverse
                                          #       Sort field for the Topuser Report.
                                          #       Allowed fields: USER CONNECT BYTES TIME
                                          #
                                          topuser_sort_field SITE NORMAL
                                          ```

                                          The default should be

                                          ```
                                          # TAG:  topuser_sort_field field normal/reverse
                                          #       Sort field for the Topuser Report.
                                          #       Allowed fields: USER CONNECT BYTES TIME
                                          #
                                          #topuser_sort_field BYTES reverse
                                          ```

                                          It is interesting that I uninstalled the SARG pkg, made sure the sarg.conf file was gone, installed SARG again, and prior to running it checked to make sure the sarg.conf file was still absent. Then I started SARG and clicked save using the default options. The sarg.conf file still contained that SITE NORMAL value. So my error was complaining about the SITE value evidently not being valid, although something sets it that way even if you do nothing. Unless my install has gone flaky.

                                          Don't know if anyone needs to know that, but once I manually changed that from site to USER or BYTES that particular error stopped and now I am getting this error

                                          ```
                                          php: /pkg_edit.php: The command '/usr/local/bin/sarg ' returned exit code '1', the output was 'SARG: Records in file: 31355, reading: 0.00%^MSARG: Records in file: 5000, reading: 15.95%^MSARG: Records in file: 10000, reading: 31.89%^MSARG: Records in file: 15000, reading: 47.84%^MSARG: Records in file: 20000, reading: 63.79%^MSARG: Records in file: 25000, reading: 79.73%^MSARG: Records in file: 30000, reading: 95.68%^MSARG: cannot open /usr/local/sarg-reports/2013/06/04-09/sarg-date for writing SARG:: No such file or directory SARG: Records in file: 31355, reading: 100.00%'
                                          ```

                                          That's ok though, the more I bang away on getting this to work, the more I learn about unix based stuff in general. I've just enough geek in me to persevere lol.
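
The manual inspection described in the post above, as an added example that is not part of the original posts or of the pfSense Sarg package: a POSIX shell pre-flight that rejects an active `topuser_sort_field` line whose field is outside the list in the quoted sarg.conf comment. The function names and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of topuser_sort_field before sarg is run.
# Allowed fields are copied from the sarg.conf comment quoted in the post.
TOPUSER_FIELDS="USER CONNECT BYTES TIME"

# check_topuser_sort_field FILE
# Prints one line per problem. Returns 0 if every active (uncommented)
# topuser_sort_field line is valid, 1 if not, 2 if FILE is unreadable.
check_topuser_sort_field() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v allowed="$TOPUSER_FIELDS" '
        BEGIN { bad = 0; n = split(allowed, a, " ")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }            # commented-out defaults are inactive
        $1 == "topuser_sort_field" {
            # Assumption: the field is matched exactly as listed (upper case).
            # The order appears in both cases on the page, so it is matched
            # case-insensitively.
            if (!($2 in ok)) {
                printf "line %d: field \"%s\" not in [%s]\n", NR, $2, allowed
                bad = 1
            }
            order = tolower($3)
            if (order != "normal" && order != "reverse") {
                printf "line %d: order \"%s\" is not normal/reverse\n", NR, $3
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# write_samples DIR: bad.conf carries the value shown in the post; good.conf
# is a constructed file with the documented default uncommented.
write_samples() {
    cat > "$1/bad.conf" <<'EOF'
# TAG:  topuser_sort_field field normal/reverse
#       Allowed fields: USER CONNECT BYTES TIME
#
topuser_sort_field SITE NORMAL
EOF
    cat > "$1/good.conf" <<'EOF'
#topuser_sort_field SITE NORMAL
topuser_sort_field BYTES reverse
EOF
}

# Run the check over both samples and report the outcome of each.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for f in bad good; do
        if msg=$(check_topuser_sort_field "$dir/$f.conf"); then
            echo "$f.conf: ok"
        else
            echo "$f.conf: $msg"
        fi
    done
    rm -rf "$dir"
}
demo
```

On a real system the function would be pointed at the sarg.conf path shown in the sarg -x output earlier in the thread.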
                                          • sully

                                            Finally got SARG to work again. In my case /conf/config.xml for some reason has SITE used as the <user_sort_field> although I had never messed with the users values at all. Modifying this via the GUI back to BYTES solved that issue.

                                            Does anyone know if SARG actually works with squidGuard logs? I don't see any denied sites there. If you log the ACL, perhaps SARG does not read those, so you must enable logging on each target category? I accessed sites that were blocked by squidguard for certain, and are in the block.log, but SARG doesn't show any menu for denied sites, nor do I see a way to tell what connections are from squid or squidguard.

                                            In the sarg.conf file the path to the squidguard block log is correct. Is there something that I am missing that needs to be done here?
