Problem with Sarg application
-
Hi Gurus
I downloaded the following application (Sarg - 2.3.6_2 pkg v.0.6.3) and I set with these parameters:
Label "General"
In the Proxy Server I select squid option
Report Options:
Use Graphics where is possible
Convert IP address to dns name
Generate the Index tree by file
Overwrite report
Show full url in report
Report to Generate
Topusers - User, site, times, bytes, connects, links to accessed sites etc
Topsites - site, connect and byte report
site_user - users and site report
date_time - bytes used per day and hour report
Date Format : Weekly yy.ww
Report Charset Latin2 - East European
The rest of the other parameters, I leave at their defaults
Label "Schedule"
Check in "enable" Options
Sarg args " -ddate +%d/%m/%Y
"
Frequency "5m"
Action after sarg "None(default)"
Compress Options
Check in "Enable Compression"
The rest of the other parameters, I leave at their defaults
In the log I observe these messages:
Jun 29 09:55:01 php: sarg.php: The command 'export LC_ALL=C && /usr/pbi/sarg-i386/bin/sarg -d
date +%d/%m/%Y
' returned exit code '1', the output was 'SARG: Unknown sort criterion "SITE" for parameter "topuser_sort_field"'
Jun 29 09:55:01 php: sarg.php: Sarg: force refresh now with -ddate +%d/%m/%Y
args, compress(on) and none action after sarg finish.
Jun 29 09:50:00 php: sarg.php: The command 'export LC_ALL=C && /usr/pbi/sarg-i386/bin/sarg -ddate +%d/%m/%Y
' returned exit code '1', the output was 'SARG: Unknown sort criterion "SITE" for parameter "topuser_sort_field"'
Jun 29 09:50:00 php: sarg.php: Sarg: force refresh now with -ddate +%d/%m/%Y
args, compress(on) and none action after sarg finish.
and I can not obtain any report
What is wrong? Any suggestion / comment?
-
I've never been able to get Sarg reports working. The realtime view seems to work well enough, but not reports.
-
Usually this fixes SARG for me:
Under the Status Menu – click SARG Reports.
On the General tab click Save
Next click on the Users tab and click Save
Click Schedule and create your schedule or if you have one already open it up and click Save.
You can go back to the Schedule and Force Update to see if SARG Reports are working now.
I also schedule SARG Reports in Cron to run at 11:50pm every night instead of midnight.
50 23 */1 * *
The last version is not looking for the Squid Access log correctly, so check this first:
The solution is to edit the sarg.conf file that is located in one of these locations, depending on your pfsense build:
/usr/pbi/sarg-amd64/etc/sarg/sarg.conf
/usr/pbi/sarg-i386/etc/sarg/sarg.conf
You will need to verify that the access_log line is correct:
#access_log /usr/local/squid/var/logs/access.log
In my case, removing the # sign and specifying the correct path to my Squid access.log corrected the problem.
-
Hi Kratos
I reviewed your comment and others in this excellent forum
First recommendation
I copied the file "index.html" from /usr/local/sarg-reports/2014/07/02/ to /usr/local/sarg-reports/. After that I observe that this option appears in the report: View Report
See picture 1 - View Report
Second
I followed your comment:
Under the Status Menu – click SARG Reports.
On the General tab click Save
Next click on the Users tab and click Save
Click Schedule and create your schedule or if you have one already open it up and click Save.
You can go back to the Schedule and Force Update to see if SARG Reports are working now.
I find this file in this path
[2.1.3-RELEASE][admin@x.x.x.x]/root(2): find / -type f -name "access.log"
/var/log/dansguardian/access.log
/var/squid/logs/access.log
So I am using only squid logs
So when I review in Real Time this file:
[2.1.3-RELEASE][admin@x.x.x.x]/root(3): tail -f /var/squid/logs/access.log
I observe that the logs in this file are functioning correctly:
1404401777.571 69031 192.168.1.71 TCP_MISS/200 79066 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
1404401777.571 62470 192.168.1.71 TCP_MISS/200 49218 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
1404401777.571 58642 192.168.1.71 TCP_MISS/200 54571 CONNECT apis.google.com:443 - DIRECT/74.125.229.192 -
1404401777.571 62074 192.168.1.71 TCP_MISS/200 57318 CONNECT www.gstatic.com:443 - DIRECT/190.113.193.117 -
1404401777.571 62244 192.168.1.71 TCP_MISS/200 140002 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
1404401777.571 59832 192.168.1.71 TCP_MISS/200 4569 CONNECT www.google.com:443 - DIRECT/74.125.131.103 -
1404401777.571 62316 192.168.1.71 TCP_MISS/200 4876 CONNECT ssl.gstatic.com:443 - DIRECT/190.113.193.117 -
…....
......
In sarg.conf file the "access.log" is addressed correctly:
[2.1.3-RELEASE][admin@x.x.x.x]/root(2): grep "access_log" /usr/pbi/sarg-i386/etc/sarg/sarg.conf
TAG: access_log file
access_log /var/squid/logs/access.log
TAG: realtime_access_log_lines num
realtime_access_log_lines 1000
[2.1.3-RELEASE][admin@x.x.x.x]/root(3):
But in my report I don't observe any info. What could be the problem? What am I doing wrong?
I appreciate your suggestion / recommendation
![View Report.jpg](/public/imported_attachments/1/View Report.jpg)
![Report 01-07-2014.jpg](/public/imported_attachments/1/Report 01-07-2014.jpg)
-
I don't use Dansguardian, so I am not sure if you have to configure SARG for either Dansguardian or Squid. You probably don't want to configure it for both.
My guess is that your configuration is correct now, because you have an index that shows up and the realtime works.
If you look under:
- Services - Proxy: Log rotate (this setting will conflict with SARG)
- Status - SARG Reports - Schedule - Schedule Options - Action after sarg
From what I read, you should leave Squid to not rotate logs at all and have SARG do it instead.
Or you can modify the CRON job for SARG so it runs right before Squid rotates logs.
If you leave Squid rotating logs, what happens is that at midnight, it will restart and zero out the access.log, so when SARG tries to read the access.log it will be empty, producing a blank report.
You can test your configuration by going ahead and opening up the SARG schedule and clicking Force update now. Then check Status - System Logs and it should show any errors if SARG is having an issue.
If it works, you should see updated reports.
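
A check for the two failure modes described in the replies above (a commented-out or wrong access_log line in sarg.conf, and an access.log emptied by rotation before SARG runs), as an added example that is not part of any post in this thread. The function names, return codes and temporary fixture files are assumptions made for this example; on a real system, pass it the path to your sarg.conf.

```shell
#!/bin/sh
# Added example: verify the access_log directive SARG will read.
# Return codes (chosen for this example): 0 ok, 1 no active directive,
# 2 log file missing, 3 log file empty (e.g. just rotated).

active_access_log() {
    # Print the path from the first uncommented access_log line.
    # "#access_log ..." and "# TAG: access_log file" do not match.
    awk '$1 == "access_log" { print $2; exit }' "$1"
}

check_sarg_access_log() {
    conf=$1
    log=$(active_access_log "$conf")
    if [ -z "$log" ]; then
        echo "no active access_log line in $conf (still commented out?)"
        return 1
    fi
    if [ ! -f "$log" ]; then
        echo "access_log points to $log, which does not exist"
        return 2
    fi
    if [ ! -s "$log" ]; then
        echo "$log is empty (rotated before SARG ran?)"
        return 3
    fi
    echo "ok: $log has $(wc -l < "$log" | tr -d ' ') entries"
    return 0
}

# Constructed fixtures: one conf with the directive commented out, one
# pointing at an empty log, one pointing at a log with a sample entry.
demo() {
    d=$(mktemp -d)
    printf '1404401777.571 69031 192.168.1.71 TCP_MISS/200 79066 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -\n' > "$d/access.log"
    : > "$d/empty.log"
    printf '#access_log /usr/local/squid/var/logs/access.log\n' > "$d/commented.conf"
    printf 'access_log %s\n' "$d/empty.log" > "$d/empty.conf"
    printf '# TAG: access_log file\naccess_log %s\n' "$d/access.log" > "$d/good.conf"
    for c in commented empty good; do
        check_sarg_access_log "$d/$c.conf" || true
    done
    rm -rf "$d"
}
demo
```

Running the same check from cron just before the SARG job shows whether the log was already rotated when a report comes out blank.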