Sarg package for pfsense
-
Hi,
upgrade to 2.1 and installing sarg
i can see in the system log:
php: /pkg_edit.php: Sarg: force refresh now with args, compress() and none action after sarg finish.
php: /pkg_edit.php: The command '/usr/pbi/sarg-i386/bin/sarg ' returned exit code '1', the output was 'SARG: Cannot set the locale LC_ALL to the environment variable'
But no report is generated
Does anybody know what's wrong ?
regards max
-
I've updated package today to 0.6.2.
I'll test again if I missed something.
EDIT
my /usr/pbi/sarg-amd64/etc/sarg/sarg.conf is working fine :(
-
Hi,
i tried to run from ssh and i found out that (some) SARG:TAG: make troubles…
after set a comment # in front of a lot of tags it works now...have now only this TAG's
SARG: TAG: access_log /var/squid/logs/access.log
SARG: TAG: output_dir /usr/local/sarg-reports
SARG: TAG: resolve_ip no
SARG: TAG: user_ip no
SARG: TAG: index no
SARG: TAG: overwrite_report no
SARG: TAG: privacy no
SARG: TAG: dansguardian_conf
SARG: TAG: denied_report_limit 0
SARG: TAG: sorttable /sarg_sorttable.js
SARG: Deleting temporary directory "/tmp/sarg"
(change something in the sarg config –> restore defect config )
It's really hard to find out who is (are) the fault one.
But run from web i get still the "Cannot set the locale LC_ALL..." error
readers max
-
Hi,
months ago I configured sarg on a test fw proxy server with squid+squidguard.
I remember "denied sites" were "highlighted" on userid reports by the string "DENIED" placed on right side of denied url, outside the last column(%TIME).
Now I cannot reproduce this feature on my production proxy.
I activated every log option on squid and squidguard: I can see denied sites on squidguard log, but no "DENIED" string appear on sarg report.
Moreover I can't find any "Denied sites" report despite I have enabled that option on "report to generate" section of general tab.
Do you have any idea/same problem?
Thank you in advance
-
Do you have any idea/same problem?
While using squidguard, all errors pages will be logged there.
Are your report set to squid or squidguard logs?
-
Do you have any idea/same problem?
While using squidguard, all errors pages will be logged there.
Are your report set to squid or squidguard logs?
Squidguard.
Meanwhile I answered to my question: DENIED "message" appear on sarg report only if the blocked site is in squid blacklist (Access control tab).
I forgot/I did not notice that. Sorry….
It'd be nice if the same sarg feature was reproduced for squidguard blocked sites...
But if i do not get wrong sarg is a closed project....
-
You can have squidguard denied sites by squidguard by changing squidguard report and squid acl.
Squid3-dev package has this feature, take a look and see how to include it on your current config.
-
You can have squidguard denied sites by squidguard by changing squidguard report and squid acl.
Squid3-dev package has this feature, take a look and see how to include it on your current config.
Thanks Marcello!
Finally I get Squid3-dev, SquidGuard-squid3 and sarge to work:
1) after many install/uninstall squidguard started to work only after I selected the transparent proxy interface (not present in the previous squid installed version)
2) On sarge I had to change the squidguard.conf path to /usr/pbi/squidguard-squid3-amd64/etc/squidguard/squidguard.conf on /usr/pbi/sarg-amd64/etc/sarg/sarge.conf
Now I was trying to understand how to get "denied" sites… sorry but what do you mean by "by changing squidguard report and squid acl"? I can't find any "help" on forum..
Thank you in advance.
-
Take a look on squid3-dev general tab
Follow instructions on field "Log denied pages by squidguard"
-
Hi there !
I have a problem with my Sarg 2.3.6_2 pkg v.0.6.3
Because of my network had many VLANS so i NAT them with a Internet IP, and I put the Pfsense in edge of the Internet gateway router (next to)
In my Sarg's report , it can't be show the UserID mapping with IP , because these ips were NAT
So , How can i modify the output of report , can its show only UserID field ? guide me ?
Thanks so much !
-
So , How can i modify the output of report , can its show only UserID field ? guide me ?
Do you have the usernames logged on you proxy log?
-
Do you have the usernames logged on you proxy log?
NO, there are no Usernames in proxy log, they appear with "-" instead of "Username"
Here is my log in /var/squid/logs/access.log
such as :
1385086726.539 483 192.168.10.10 TCP_MISS/200 1936 POST http://ocsp.thawte.com/ - DIRECT/199.7.52.72 application/ocsp-response
1385086730.465 9 192.168.10.10 TCP_MISS/200 2159 GET http://192.168.10.1/filebrowser/browser.php? - DIRECT/192.168.10.1 text/html
1385086731.484 873 192.168.10.10 TCP_MISS/200 5842 CONNECT vn.data.toolbar.yahoo.com:443 - DIRECT/206.190.42.32 -
1385086732.471 9 192.168.10.10 TCP_MISS/200 2864 GET http://192.168.10.1/filebrowser/browser.php? - DIRECT/192.168.10.1 text/html
1385086732.479 0 192.168.10.10 TCP_MISS/200 1088 GET http://192.168.10.1/filebrowser/images/file_system.gif - DIRECT/192.168.10.1 image/gif
-
There is nothing sarg can do if squid logs does not have the client ip.
Look for logging X_forwarded_for info on squid.
This topic may help http://forum.pfsense.org/index.php/topic,54227.msg322323.html#msg322323
-
Yes, I have looked for many other way, but not found something good !
Here is my network :
MultiVLAN <----> Layer3Switch <----> FirewallCisco <----> InternetGW_router <-----> Pfsense (squid+sarg+lightsquid) <----> Internet
Should I change my position of Proxy ?? Where do I put ?
Thanks so much !
-
Enable nat only on pfsense. Configure all other devices as routers
-
Hi
I am running pfsense 2.1 AMD64 with squid2.7 and squidguard with latest version of SARG.
I have logging enabled for squid and I can see the accessed sites in access.log
Further I have enabled logging on squidguard to log blocked sites.
Unfortunately I only get the access sites on SARG and the DENIED sites which I blacklisted on squid GUI. But I do not get the websites blocked by squidguard.
Here is the debug output of SARG:
[2.1-RELEASE][admin@pfsense2.hpa]/var/squidGuard/log(100): sarg -xz
SARG: Init
SARG: Loading configuration from /usr/pbi/sarg-amd64/etc/sarg/sarg.conf
SARG: TAG: access_log /var/squid/logs/access.log
SARG: TAG: graphs yes
SARG: TAG: output_dir /usr/local/sarg-reports
SARG: TAG: anonymous_output_files no
SARG: TAG: resolve_ip no
SARG: TAG: user_ip no
SARG: TAG: topuser_sort_field BYTES normal
SARG: TAG: user_sort_field BYTES normal
SARG: TAG: exclude_users /usr/pbi/sarg-amd64/etc/sarg/exclude_users.conf
SARG: TAG: exclude_hosts /usr/pbi/sarg-amd64/etc/sarg/exclude_hosts.conf
SARG: TAG: date_format e
SARG: TAG: lastlog 0
SARG: TAG: remove_temp_files yes
SARG: TAG: index yes
SARG: TAG: index_tree file
SARG: TAG: overwrite_report yes
SARG: TAG: use_comma no
SARG: TAG: exclude_codes /usr/pbi/sarg-amd64/etc/sarg/exclude_codes
SARG: TAG: max_elapsed 0
SARG: TAG: report_type topsites users_sites date_time denied site_user_time_date
SARG: TAG: usertab none
SARG: TAG: long_url no
SARG: TAG: date_time_by bytes elap
SARG: TAG: charset UTF-8
SARG: TAG: privacy no
SARG: TAG: bytes_in_sites_users_report yes
SARG: TAG: topuser_num 0
SARG: TAG: dansguardian_conf
SARG: TAG: squidguard_conf /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
SARG: TAG: redirector_log /var/squidGuard/log/block.log.0
SARG: TAG: redirector_log_format #year#-#mon#-#day# #hour# #tmp#/#list#/#tmp#/#tmp#/#url#/#tmp# #ip#/#tmp# #user# #end#
SARG: TAG: show_sarg_info no
SARG: TAG: show_sarg_logo no
SARG: TAG: displayed_values abbreviation
SARG: TAG: authfail_report_limit 0
SARG: TAG: denied_report_limit 0
SARG: TAG: siteusers_report_limit 0
SARG: TAG: user_report_limit 0
SARG: TAG: squidguard_report_limit 0
SARG: TAG: www_document_root /usr/local/www
SARG: TAG: ntlm_user_format domainname+username
SARG: TAG: realtime_refresh_time 0
SARG: TAG: realtime_types GET,PUT,CONNECT
SARG: TAG: realtime_unauthenticated_records show
SARG: TAG: sorttable /sarg_sorttable.js
SARG: TAG: hostalias /usr/pbi/sarg-amd64/etc/sarg/hostalias
SARG: Loading exclude host file from: /usr/pbi/sarg-amd64/etc/sarg/exclude_hosts.conf
SARG: Loading exclude file from: /usr/pbi/sarg-amd64/etc/sarg/exclude_users.conf
SARG: Reading host alias file "/usr/pbi/sarg-amd64/etc/sarg/hostalias"
SARG: List of host names to alias:
SARG: Parameters:
SARG: Hostname or IP address (-a) =
SARG: Useragent log (-b) =
SARG: Exclude file (-c) = /usr/pbi/sarg-amd64/etc/sarg/exclude_hosts.conf
SARG: Date from-until (-d) =
SARG: Email address to send reports (-e) =
SARG: Config file (-f) = /usr/pbi/sarg-amd64/etc/sarg/sarg.conf
SARG: Date format (-g) = Europe (dd/mm/yyyy)
SARG: IP report (-i) = No
SARG: Keep temporary files (-k) = No
SARG: Input log (-l) = /var/squid/logs/access.log
SARG: Redirector log (-L) = /var/squidGuard/log/block.log.0
SARG: Resolve IP Address (-n) = No
SARG: Output dir (-o) = /usr/local/sarg-reports/
SARG: Use Ip Address instead of userid (-p) = No
SARG: Accessed site (-s) =
SARG: Time (-t) =
SARG: User (-u) =
SARG: Temporary dir (-w) = /tmp/sarg
SARG: Debug messages (-x) = Yes
SARG: Process messages (-z) = Yes
SARG: Previous reports to keep (--lastlog) = 0
SARG:
SARG: sarg version: 2.3.6 Arp-21-2013
SARG: Reading access log file: /var/squid/logs/access.log
SARG: Records in file: 838, reading: 100.00%
SARG: Records read: 838, written: 838, excluded: 0
SARG: Squid log format
SARG: (info) date=29/11/2013
SARG: (info) period=29 Nov 2013
SARG: Period: 29 Nov 2013
SARG: (info) outdirname=/usr/local/sarg-reports/29Nov2013-29Nov2013
SARG: Sorting log /tmp/sarg/172_17_0_10.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_61.user_unsort
SARG: Sorting log /tmp/sarg/172_17_183_30.user_unsort
SARG: Sorting log /tmp/sarg/172_17_0_23.user_unsort
SARG: Sorting log /tmp/sarg/172_17_3_144.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_54.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_128.user_unsort
SARG: Sorting log /tmp/sarg/172_17_63_83.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_93.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_48.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_86.user_unsort
SARG: Sorting log /tmp/sarg/172_17_66_106.user_unsort
SARG: Sorting log /tmp/sarg/172_17_0_60.user_unsort
SARG: Sorting log /tmp/sarg/172_17_183_73.user_unsort
SARG: Sorting log /tmp/sarg/172_17_60_60.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_82.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_96.user_unsort
SARG: Sorting log /tmp/sarg/172_17_66_219.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_80.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_85.user_unsort
SARG: Sorting log /tmp/sarg/172_17_183_1.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_59.user_unsort
SARG: Sorting log /tmp/sarg/172_17_3_123.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_146.user_unsort
SARG: Sorting log /tmp/sarg/172_17_3_61.user_unsort
SARG: Sorting log /tmp/sarg/172_17_183_75.user_unsort
SARG: Sorting log /tmp/sarg/172_17_60_66.user_unsort
SARG: Sorting log /tmp/sarg/172_17_60_72.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_94.user_unsort
SARG: Sorting log /tmp/sarg/172_17_64_100.user_unsort
SARG: Sorting log /tmp/sarg/172_17_63_3.user_unsort
SARG: Sorting log /tmp/sarg/172_17_60_61.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_44.user_unsort
SARG: Sorting log /tmp/sarg/172_17_66_109.user_unsort
SARG: Sorting log /tmp/sarg/172_17_66_220.user_unsort
SARG: Sorting log /tmp/sarg/172_17_3_73.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_46.user_unsort
SARG: Sorting log /tmp/sarg/172_17_66_104.user_unsort
SARG: Sorting log /tmp/sarg/172_17_3_140.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_47.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_83.user_unsort
SARG: Sorting log /tmp/sarg/172_17_66_218.user_unsort
SARG: Sorting log /tmp/sarg/172_17_2_33.user_unsort
SARG: Sorting log /tmp/sarg/172_17_60_62.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_90.user_unsort
SARG: Sorting log /tmp/sarg/172_17_63_79.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_95.user_unsort
SARG: Sorting log /tmp/sarg/172_17_3_119.user_unsort
SARG: Sorting log /tmp/sarg/172_17_183_41.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_84.user_unsort
SARG: Sorting log /tmp/sarg/172_17_66_221.user_unsort
SARG: Sorting log /tmp/sarg/172_17_0_11.user_unsort
SARG: Sorting log /tmp/sarg/172_17_183_74.user_unsort
SARG: Sorting log /tmp/sarg/172_17_180_92.user_unsort
SARG: (info) Dansguardian report not produced because no dansguardian configuration file was provided
SARG: Reading redirector log file /var/squidGuard/log/block.log.0
SARG: Sorting file: /tmp/sarg/redirector.int_log
SARG: (info) No top users report because it is not configured in report_type
SARG: (info) Downloaded files report not requested in report_type
SARG: (info) Sites & users report not requested in report_type
SARG: (info) Authentication failures report not requested in report_type
SARG: (info) Redirector report not generated because it is empty
SARG: Making index.html
SARG: Successful report generated on /usr/local/sarg-reports/29Nov2013-29Nov2013
SARG: Purging temporary file sarg-general
SARG: End
This is the file of squidguard which contains 5 blocked websites with no special chars or long URLs.
SARG: Reading redirector log file /var/squidGuard/log/block.log.0
I configured that path in sarg.conf
So my problem is why do I get this output:
SARG: (info) Redirector report not generated because it is empty
It shouldn't be empty - it contains blocked websites. I checked the redirector_log_format option on sarg.conf but it was correctly configured for SQUIDGUARD. I changed it to the other possibility just for testing but without luck.
I know that I posted in this thread some months ago with a similar problem but I don't know anymore what to do to get this fixed.
I would appreciate any help!
-
I would appreciate any help!
Try this way:
On squid2 custom options include
acl sglog url_regex -i .*sgrd=ACCESSDENIED;http_access deny sglog;
Edit sgerror.php and include this code
$sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");
$str[] = '<iframe src="'.$cl['u'].$sge_prefix.'sgrd=ACCESSDENIED" width="1" height="1"></iframe>';
This way, every time squidguard shows access denied error, it forces client to send the blocked url to squid again to be blocked and logged by sglog acl.
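An added example, not part of the original post: a small Python check that reads Squid native-format access.log lines and separates the denials produced by the sglog acl (URL carrying the sgrd=ACCESSDENIED marker) from ordinary Squid ACL denials, recovering the URL squidGuard originally blocked. The sample log lines, addresses and function names are constructed for illustration.

```python
import re

# Same pattern as the "sglog" url_regex acl above (case-insensitive).
SGLOG = re.compile(r".*sgrd=ACCESSDENIED", re.I)
# sgerror.php appends the marker at the end of the URL, after "?" or "&".
MARKER_SUFFIX = re.compile(r"[?&]sgrd=ACCESSDENIED$", re.I)

# Constructed sample in Squid's native access.log format (not taken from the thread).
SAMPLE_LOG = """\
1385086726.539 483 192.0.2.10 TCP_MISS/200 1936 GET http://allowed.example/ - DIRECT/198.51.100.7 text/html
1385086727.101 0 192.0.2.10 TCP_DENIED/403 1450 GET http://blocked.example/page?sgrd=ACCESSDENIED - NONE/- text/html
1385086728.220 0 192.0.2.11 TCP_DENIED/403 1462 GET http://blocked.example/q?id=7&sgrd=ACCESSDENIED alice NONE/- text/html
1385086729.000 0 192.0.2.12 TCP_DENIED/403 1400 GET http://acl-blocked.example/ - NONE/- text/html
truncated line
"""

def parse_line(line):
    """Return the fields used below from one native-format line, or None if malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    code, status = parts[3].split("/", 1)
    return {"client": parts[2], "code": code, "status": status,
            "url": parts[6], "user": parts[7]}

def classify_denials(log_text):
    """List (client, user, source, url) for every TCP_DENIED record.

    source is "squidguard" when the URL carries the sgrd marker (the request
    came from the iframe on the block page), otherwise "squid-acl".
    """
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["code"] != "TCP_DENIED":
            continue
        if SGLOG.match(rec["url"]):
            # Strip the marker to recover the URL squidGuard originally blocked.
            rows.append((rec["client"], rec["user"], "squidguard",
                         MARKER_SUFFIX.sub("", rec["url"])))
        else:
            rows.append((rec["client"], rec["user"], "squid-acl", rec["url"]))
    return rows

if __name__ == "__main__":
    for row in classify_denials(SAMPLE_LOG):
        print(*row)
```

A user column of "-" in the output means Squid logged no username for that request, so a report can only attribute the denial to the client address.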
-
Works great! 8)
-
Have an additional question:
SARG logs the denied pages when I open a website in my browser like www.my-website.com and this domain is in my blocklist. Then I got the custom squidguard access denied page with your "pixel" which sends this page to squid.
So if there are any other applications which use http traffic which is blocked by squidguard then this page will not be logged.
Is this correct?
Is this because these apps do not display the blocked page with the "pixel"?
Just want to make sure I understand what's happening. So I would check SARG denied pages to check which pages the user directly browsed and squidguard log will tell me everything which is blocked - no matter if via browser or other app.
THANK YOU! :-)
-
If the app does not open/execute the error page, then it will not be logged.
Can you simulate it?