SquidGuard to syslog

jonspeegle

Didn't see a logging section so put this under General pfSense Questions. I am trying to send squidguard logs to a remote syslog server. I can accomplished this another way but I have to enable remote logging of everything under system logs - settings. it sends from local5 which points to the nginx log. I have to pick everything because pfSense does not show nginx in the list and groups it in with Everything from what i'm seeing. I'd like to just send the squidguard block.log file if possible. I attempted to use syslog-ng to do this. From what I gathered in the syslog-ng documentation, this should work.

Here's my syslog-ng setup

1. Installed syslog-ng and created the following 3 rules under the advanced section of syslog-ng
   Object Name = syslog
   Object Type = destination
   Object Parameters = { syslog("10.16.1.1" port(514)); };

   Object Name = squidguard
   Object Type = source
   Object Parameters = { file("/var/squidGuard/log/block.log" follow-freq(1) flags(no-
   parse)); };

   Object Name = squidlog
   Object Type = log
   Object Parameters = { source(squidguard); destination(syslog); };

Anybody have any ideas how to get this working? Or am I just stuck logging everything to get what I need. Thank you in advance for your help.

stephenw10

You just need the Squidguard blocked traffic logs?

You can have Squidguard log in to the Squid logs. In the Squid logging settings set Log Pages Denied by SquidGuard.

Then you can have Squid send to your syslog server directly using the custom option:

access_log udp://your_syslog_server_IP:514

I set that in Custom Options (Before Auth).

Steve

jonspeegle

@stephenw10 I had the 'Log Pages Denied by SquidGuard already set. I put the line you specified in the Custon Options (Before Auth) but it still isn't sending to my syslog. Is there something else I'm missing? It does say you have to enter a couple line to the sgerror.php for it to work, but after doing that it still didn't.

jonspeegle

ok, so i think I've found another way to accomplish this. I added the line local5.* @10.16.1.1 at the end of the syslog section of the /etc/inc/system.inc. So it would be added to the syslog.conf each time the service is restarted or system rebooted. Now I am only getting nginx log files which appear to include the squidguard block.log contents. Now I'm just wondering if this manual config will survive version upgrades.

Would be happy to hear if anyone has a better way to do this. Until then I guess I'll go with this.

stephenw10

Hmm, so did you not see any Squid logs passed to you syslog server or just no Squidguard blocked entries?

Steve

jonspeegle

nope, does not seem to work. Best way I've been able to get to work is by forwarding the nginx logs like I described above. Would prefer not to do it this way since tons of messages get sent when you are in the pfSense mgmt interface for a device. I'll keep trying to figure out how to just get the block.log.