Sarg package for pfsense

Nachtfalke

Works great!  8)

Nachtfalke

Have an additional question:

SARG logs the denied pages when I open a website in my browser like www.my-website.com and this domain is in my blocklist. Then I got the custom squidguard access denied page with your "pixel" which sends this page to squid.

So if there are any other applications which use http traffic which is blocked by squidguard then this page will not be logged.

Is this correct?
Is this because these apps do not display the blocked page with the "pixel"?

Just want to make sure I understand what's happening. So I would check SARG denied pages to check which pages the user directly browsed and squidguard log will tell my everything which is blocked - no matter if via browser or other app.

THANK YOU! :-)

marcelloc

If the app does not open/execute the error page, then it will not be logged.

Can you simulate it?

Nachtfalke

@marcelloc:

If the app does not open/execute the error page, then it will not be logged.

Can you simulate it?

Yes, it is as you said. SquidGuard internal Log page shows blocks on Computers where nobody is logged in and browsing the web via webbrwoser. SARG does not log this.

If I open a webbrowser and go to a webpage which is blocked then I got the denied page and SARG is logging this.

Another question on shedules:
Yesterday - 29. November - I did some "Force Update Now" and always got an updated report. The "Creation date" was always updated on the "View reports" pages.

After doing some tests I created a shedule which runs once a day "1d" with no extra arguments.
Today - 30. November - I looked at the "View reports" page and could only see the report from yesterday (29. November). I clicked on "Force update now" and sarg created me a new report for today but did NOT update the report from yesterday. Is this normal!?!

I deleted all reports from /usr/local/sarg-reports and forced again an update and only got a report from the 30. November but not from yesterday. I then used custom arduments to get reports from yesterday and so on but did not get the report from yesterday.

Please help! ;)

What I would like to have:
A shedule that will create me a report beginning a 0:00am until 11:59pm for every day.

–- edit ---

I think I found an solution:
I disabled log rotation on squid.
I created one shedule with frequency "1d" and logrotate on sarg
I created a second shedule with frequency "1h" and no logrotate.

This will update my daily report every hour and will rotate then every day - probably at midnight.

Question:
Where is the difference between:
logrotate
proxy daemon restart
logrotate and restart proxy daemon
?

--- edit2 ---

Was it your intention to only sync "General" and "Users" tab? I would think it would be usefull to sync "Shedule", too.

I hat a look at this part in sarg.inc:

        /* xml will hold the sections to sync */
        $xml = array();
        $xml['sarg'] = $config['installedpackages']['sarg'];
        $xml['sarguser'] = $config['installedpackages']['sarguser'];
        /* assemble xmlrpc payload */
        $params = array(
                XML_RPC_encode($password),
                XML_RPC_encode($xml)
        );

marcelloc

@Nachtfalke:

I think I found an solution:
I disabled log rotation on squid.
I created one shedule with frequency "1d" and logrotate on sarg
I created a second shedule with frequency "1h" and no logrotate.

@Nachtfalke:

Question:
Where is the difference between:
logrotate
proxy daemon restart
logrotate and restart proxy daemon

• squid -k rotate

• squid -k reconfigure

• squid -k rotate && squid -k reconfigure

@Nachtfalke:

Was it your intention to only sync "General" and "Users" tab? I would think it would be usefull to sync "Shedule", too.

Maybe I just forgot to include schedule array on sync.

Nachtfalke

I had a look at squidguard log rotation in sarg.inc:

                        case "squidguard":
                                if ($action =="both" || $action=="rotate"){
                                        log_error('executing squidguard log rotate after sarg.');
                                        log_rotate($sarg_proxy['squidguard_block_log']);
                                        file_put_contents($sarg_proxy['squidguard_block_log'],"",LOCK_EX);
                                        chown($sarg_proxy['squidguard_block_log'],'proxy');
                                        chgrp($sarg_proxy['squidguard_block_log'],'proxy');
                                        mwexec(SQUID_DIR . '/sbin/squid -k reconfigure');
                                        }
                        #leave this case without break to run squid rotate too.

Log rotation for squidguard's block.log should NOT be done by sarg!

Reason:
Log rotation will be done on squidguard GUI if someone likes it.
squidguard's block.log will not be used by SARG - it is neccessary to use the code marcelloc posted above to send blocked pages back to squid access.log.

So I would suggest to disable log rotationg for squidguard's block.log or check if it is enabled/disabled on squidguard GUI.

I for myself jus commented this case part in my sarg.inc for further tests.

marcelloc

Push these modifications to github.

Nachtfalke

@marcelloc:

Push these modifications to github.

Need to do some more tests. Can someone confirm, that:

/usr/pbi/squid-i386/sbin/squid -k rotate

and

/usr/pbi/squid-i386/sbin/squid -k reconfigure

will NOT rotate logs, if:

• Logging on squid GUI is enabled

• log rotate field is EMPTY on squid GUI

For me it does not rotate access.log. Could be important if changing the sarg.inc code for squid/squidguard.

marcelloc

squid -k rotate is the cmd to rotate logs.

Lectrician

Hi.

I tried to install Squid3 in place of Squid, and could not get Sarg to work.  It worked previously, generating daily reports.

I then re-installed Squid (not squid 3), and cannot get it to work again!

I have it working on one box on one site, but just can't locate this error.

I get:

php: /pkg_edit.php: The command 'export LC_ALL=C && /usr/local/bin/sarg -d date -v-5m +01/09/%Y' returned exit code '126', the output was '/usr/local/bin/sarg: Permission denied'

Do I look at file permissions somewhere?

Thanks.

marcelloc

Are you on latest sarg version?

squid version does not affect sarg. Just keep logging enabled on squid gui.

Lectrician

Hi.

I updated Sarg too to try to fix the issue, but it didn't make a difference.  Sarg 2.3.6_2 pkg v.0.6.3

What does the error above mean?

Thanks.

marcelloc

file permission. but I'm not getting it here. I have some sarg boxes and all are working fine.

What pfsense version are you using? nanobsd?

Lectrician

2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6

If it's file permissions, this must be something that Squid changed when I installed squid3?  And changing back to squid1 has not altered it?

What file permission would be incorrect?

Thanks.

davros123

I had a strange issue today after installing squid3 and then sarg (on a new pfsense install) and then uninstalling squid3 then installing squid.

I could not access the reports…complained about missing index.html.

After putting some debug text into the sarg php, I noticed the /usr/local/sarg-reports/index.html was missing and not being created.

To force it to be created, I had to manually select (highlight) "Generate the main index.html (yes)" in Sarg Settings: General Tab: Report Settings/Report Options. Even though is should default to be on(yes).

Then running the schedule (force update) created the main index file and it all worked :)

Not sure what happened there!

marcelloc

@davros123:

To force it to be created, I had to manually select (highlight) "Generate the main index.html (yes)" in Sarg Settings: General Tab: Report Settings/Report Options. Even though is should default to be on(yes).

You must select options to enable, that's what field description says.

Lectrician

Hi.  My index is displaying, but just not for dates since I swapped to Squid 3 and back to Squid.

Where would I find the files to check the permissions on?

Thanks.

davros123

@marcelloc:

@davros123:

To force it to be created, I had to manually select (highlight) "Generate the main index.html (yes)" in Sarg Settings: General Tab: Report Settings/Report Options. Even though is should default to be on(yes).

You must select options to enable, that's what field description says.

Thanks for clarifying that.

I think it could be better worded…as it also says default values are in ().  I interpret that as these are the Default values.  ie. if you do not select anything, it will default to these values....as in Option 2 from the Oxford dictionary:

noun
Pronunciation: /dɪˈfɔːlt, ˈdiːfɔːlt/
1 [mass noun] failure to fulfil an obligation, especially to repay a loan or appear in a law court:
the company will have to restructure its debts to avoid default
[count noun]:
the deteriorating economy pushed defaults to almost $20 billion
2 [in singular] a preselected option adopted by a computer program or other mechanism when no alternative is specified by the user or programmer:

marcelloc

The next line explains it.

"If you select any option, it will be enabled on conf file."

davros123

I say this with all due respect and appreciation for making this package available….

I am simply providing user feedback that the wording is unclear and confusing - and does not align with the common usage of the term default nor common UI design practices.

It is your package so feel free to ignore this feedback.