Log Squid in Syslog
-
Hi all:
I am just getting up and running with pfSense after moving away from DD-WRT on my old Linksys router. I have a small dual-core Celeron mini-ITX box with dual GB NICs sitting inline between my cable modem and my core switch. I have it set up to send syslog to my Splunk server, which seems to be working. I'd really like to get the Squid access logs sent to Splunk as well for better analysis. I read a thread that suggested putting the following in the custom options would send the access log details to syslog:
access_log syslog:local:4
I've tried this setting and it doesn't seem to work. Any thoughts/suggestions on how I can get my Squid access.log sent to syslog would be much appreciated!
-
The easiest way I have gotten it to work is to add the "local6." line below to /etc/inc/system.inc:
if (isset($syslogcfg['portalauth']))
    $syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "local4.");
$syslogconf .= system_syslogd_get_remote_servers($syslogcfg, "local6.");

I chose "portal auth events", which must be checked on your system log settings page, since I am NOT using captive portal on this firewall. You can add the line next to any similar feature and then check it to log remotely. Also make sure "enable remote logging" is checked and add your remote server IP address.
Finally add the following line to your squid configuration custom options:
access_log syslog:local6.info squid
Of course, when you upgrade your system you will have to add the line to system.inc once again.
-
OK, I managed to get things working. Doing log analysis is soooo great using Splunk! I uninstalled all my packages. I then installed DansGuardian first, then squid3. I think the first time I had selected the "squid" package vs. the "squid3" package. I then added the following in the Custom Options section of the proxy server settings page:
access_log syslog:local5.info squid
Hope this helps if anyone else has this issue!
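As an added example, not code from any poster in this thread or from pfSense or Squid: once `access_log syslog:local6.info squid` (or `local5.info`, as in the last post) is in place, the lines reaching the Splunk/syslog receiver are ordinary syslog datagrams whose PRI encodes the facility (local6 = 22, info = 6, so PRI = 22*8 + 6 = 182) and whose message body is a Squid native-format access-log entry, because `squid` in that option names Squid's built-in "squid" logformat. The snippet below decodes the PRI, keeps only entries from the expected facilities with ident `squid`, and parses the native fields so they can be searched, e.g. for `TCP_DENIED` hits. It assumes an RFC 3164-style header that includes the hostname (`<PRI>Mon DD HH:MM:SS host ident[pid]: msg`); the sample lines are constructed, not captured from a real system.

```python
import re
from datetime import datetime, timezone

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424). local6.info => 22*8+6 = 182.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed receiver-side line shape (RFC 3164 style, hostname included):
#   <PRI>Mon DD HH:MM:SS host ident[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Squid's built-in "squid" (native) access-log format, space-separated:
#   time.ms elapsed client code/status bytes method URL rfc931 hierarchy/peer type
SQUID_FIELDS = ("time", "elapsed_ms", "client", "result", "bytes",
                "method", "url", "rfc931", "hierarchy", "content_type")


def decode_pri(pri):
    """Return (facility_name, severity_name) for a syslog PRI value."""
    facility, severity = divmod(int(pri), 8)
    return FACILITIES.get(facility, "facility%d" % facility), SEVERITIES[severity]


def parse_squid_native(msg):
    """Parse one native-format Squid access-log entry into a dict, or None."""
    parts = msg.split()
    if len(parts) != len(SQUID_FIELDS):
        return None
    rec = dict(zip(SQUID_FIELDS, parts))
    rec["time"] = datetime.fromtimestamp(float(rec["time"]), tz=timezone.utc)
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    code, status = rec.pop("result").split("/", 1)   # e.g. TCP_DENIED/403
    rec["code"], rec["status"] = code, int(status)
    return rec


def parse_line(line, facilities=("local5", "local6"), ident="squid"):
    """Accept only Squid entries that arrived on one of the expected facilities."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(m.group("pri"))
    if facility not in facilities or m.group("ident") != ident:
        return None            # e.g. sshd on auth.info, or the firewall's own logs
    rec = parse_squid_native(m.group("msg"))
    if rec is None:
        return None
    rec.update(facility=facility, severity=severity, host=m.group("host"))
    return rec


def denied_requests(lines):
    """(client, url) pairs for requests Squid refused: the first thing to search for."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["code"] == "TCP_DENIED":
            out.append((rec["client"], rec["url"]))
    return out


# Constructed sample datagrams (not captured from a real system).
SAMPLE_LINES = [
    "<182>Jan 14 10:22:31 pfsense squid[54321]: 1326536551.123    145 192.168.1.50 "
    "TCP_MISS/200 5821 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "<182>Jan 14 10:22:33 pfsense squid[54321]: 1326536553.401      2 192.168.1.77 "
    "TCP_DENIED/403 3456 CONNECT badhost.example:443 - HIER_NONE/- text/html",
    "<38>Jan 14 10:22:35 pfsense sshd[777]: Accepted publickey for admin from 192.168.1.2 port 50000",
    "<174>Jan 14 10:22:40 pfsense squid[54321]: 1326536560.017     88 192.168.1.50 "
    "TCP_HIT/200 1024 GET http://example.com/logo.png - HIER_NONE/- image/png",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        if rec:
            print(rec["facility"], rec["client"], rec["code"], rec["status"], rec["url"])
    print("denied:", denied_requests(SAMPLE_LINES))
```

The facility filter is the useful check when debugging the setup from this thread: if `decode_pri` on the datagrams you actually receive never reports `local6` (or `local5`), the `access_log syslog:...` option is not taking effect, and the problem is on the Squid side rather than in the syslogd forwarding rule.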