Netgate Discussion Forum

    SquidGuard to syslog

    • jonspeegle

      Didn't see a logging section so put this under General pfSense Questions. I am trying to send squidguard logs to a remote syslog server. I can accomplish this another way but I have to enable remote logging of everything under system logs - settings. It sends from local5 which points to the nginx log. I have to pick everything because pfSense does not show nginx in the list and groups it in with Everything from what I'm seeing. I'd like to just send the squidguard block.log file if possible. I attempted to use syslog-ng to do this. From what I gathered in the syslog-ng documentation, this should work.

      Here's my syslog-ng setup

      1. Installed syslog-ng and created the following 3 rules under the advanced section of syslog-ng
        Object Name = syslog
        Object Type = destination
        Object Parameters = { syslog("10.16.1.1" port(514)); };

        Object Name = squidguard
        Object Type = source
        Object Parameters = { file("/var/squidGuard/log/block.log" follow-freq(1) flags(no-parse)); };

        Object Name = squidlog
        Object Type = log
        Object Parameters = { source(squidguard); destination(syslog); };

      Anybody have any ideas how to get this working? Or am I just stuck logging everything to get what I need. Thank you in advance for your help.

      • stephenw10 Netgate Administrator

        You just need the Squidguard blocked traffic logs?

        You can have Squidguard log in to the Squid logs. In the Squid logging settings set Log Pages Denied by SquidGuard.

        Then you can have Squid send to your syslog server directly using the custom option:

        access_log udp://your_syslog_server_IP:514
        

        I set that in Custom Options (Before Auth).

        Steve

        • jonspeegle @stephenw10

          @stephenw10 I had the 'Log Pages Denied by SquidGuard' already set. I put the line you specified in the Custom Options (Before Auth) but it still isn't sending to my syslog. Is there something else I'm missing? It does say you have to enter a couple of lines to the sgerror.php for it to work, but after doing that it still didn't.

          • jonspeegle

            OK, so I think I've found another way to accomplish this. I added the line local5.* @10.16.1.1 at the end of the syslog section of the /etc/inc/system.inc, so it would be added to the syslog.conf each time the service is restarted or system rebooted. Now I am only getting nginx log files which appear to include the squidguard block.log contents. Now I'm just wondering if this manual config will survive version upgrades.

            Would be happy to hear if anyone has a better way to do this. Until then I guess I'll go with this.

            • stephenw10 Netgate Administrator

              Hmm, so did you not see any Squid logs passed to your syslog server or just no Squidguard blocked entries?

              Steve

              • jonspeegle

                Nope, does not seem to work. Best way I've been able to get to work is by forwarding the nginx logs like I described above. Would prefer not to do it this way since tons of messages get sent when you are in the pfSense mgmt interface for a device. I'll keep trying to figure out how to just get the block.log.

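
An added example, not part of the thread or any poster's configuration: a syslog-ng setup that forwards only the block.log lines as BSD-format syslog over UDP 514, with a facility and program tag so the collector can filter on them. It assumes the collector at 10.16.1.1 listens on UDP 514; the syslog() destination driver used in the first post sends IETF (RFC 5424) syslog over TCP unless a transport is set, which a UDP-only listener will not receive. The object names and the "squidGuard" tag are illustrative.

```conf
# Added example in native syslog-ng.conf syntax. In the pfSense syslog-ng
# package, the text inside each { ... } is what goes into "Object Parameters"
# for an object of the matching type (source / destination / log).

# Source: follow squidGuard's block log. flags(no-parse) keeps every line
# intact as the message body instead of parsing it as a syslog message.
source s_squidguard_block {
    file("/var/squidGuard/log/block.log"
         follow-freq(1)
         flags(no-parse)
         program-override("squidGuard")   # illustrative tag for filtering
         default-facility(local5)         # facility/priority stamped on each line
         default-priority(info));
};

# Destination: legacy BSD syslog over UDP 514.
# Assumption: the collector listens on UDP. If it listens on TCP,
# change transport("udp") to transport("tcp").
destination d_remote_udp {
    network("10.16.1.1" transport("udp") port(514));
};

# Log path: only this source goes to this destination, so nginx and other
# local5 messages from the firewall are not forwarded.
log {
    source(s_squidguard_block);
    destination(d_remote_udp);
};
```

A packet capture on the firewall's outbound interface filtered to the collector address and port 514 confirms whether datagrams leave the box when a page is blocked, which separates a sending problem from a receiving one.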
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.