Problem with Sarg application



  • Hi Gurus

    I downloaded the following application (Sarg - 2.3.6_2 pkg v.0.6.3) and set it up with these parameters:

    Label "General"
    In the Proxy Server I select squid option

    Report Options: Use Graphics where is possible
    Convert IP address to dns name
    Generate the Index tree by file
    Overwrite report
    Show full url in report

    Report to Generate
    Topusers - User, site, times, bytes, connects, links to accessed sites etc
    Topsites - site, connect and byte report
    site_user - users and site report
    date_time - bytes used per day and hour report

    Date Format :  Weekly yy.ww

    Report Charset Latin2 - East European
    The rest of the other parameters I left at their defaults.

    Label "Schedule"
    Check in "enable" Options
    Sarg args " -d date +%d/%m/%Y  "
    Frequency "5m"
    Action after sarg "None(default)"
    Compress Options
    Check in "Enable Compression"
    The rest of the other parameters I left at their defaults.

    In the log I observe these messages:

    Jun 29 09:55:01 php: sarg.php: The command 'export LC_ALL=C && /usr/pbi/sarg-i386/bin/sarg -d date +%d/%m/%Y' returned exit code '1', the output was 'SARG: Unknown sort criterion "SITE" for parameter "topuser_sort_field"'
    Jun 29 09:55:01 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y args, compress(on) and none action after sarg finish.
    Jun 29 09:50:00 php: sarg.php: The command 'export LC_ALL=C && /usr/pbi/sarg-i386/bin/sarg -d date +%d/%m/%Y' returned exit code '1', the output was 'SARG: Unknown sort criterion "SITE" for parameter "topuser_sort_field"'
    Jun 29 09:50:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y args, compress(on) and none action after sarg finish.

    and I cannot obtain any report.

    What went wrong? Any suggestions / comments?



  • I've never been able to get Sarg reports working.  The realtime view seems to work well enough, but not reports.



  • Usually this fixes SARG for me:

    Under the Status Menu – click SARG Reports.
    On the General tab click Save
    Next click on the Users tab and click Save
    Click Schedule and create your schedule or if you have one already open it up and click Save.
    You can go back to the Schedule and Force Update to see if SARG Reports are working now.

    I also schedule SARG Reports in Cron to run at 11:50pm every night instead of midnight.

    50 23 */1 * *

    The last version is not looking for the Squid Access log correctly, so check this first:

    The solution is to edit the sarg.conf file that is located in one of these locations, depending on your pfSense build:

    /usr/pbi/sarg-amd64/etc/sarg/sarg.conf
    /usr/pbi/sarg-i386/etc/sarg/sarg.conf

    You will need to verify that the access_log line is correct:

    #access_log /usr/local/squid/var/logs/access.log

    In my case, removing the # sign and specifying the correct path to my Squid access.log corrected the problem.



  • Hi Kratos
    I reviewed your comment and others in this excellent forum.
    First recommendation
    I copied the file "index.html" from /usr/local/sarg-reports/2014/07/02/ to /usr/local/sarg-reports/. After that I observed that this option appears in the report: View Report
    See picture 1 - View Report

    Second
    I followed your comment:

    Under the Status Menu – click SARG Reports.
    On the General tab click Save
    Next click on the Users tab and click Save
    Click Schedule and create your schedule or if you have one already open it up and click Save.
    You can go back to the Schedule and Force Update to see if SARG Reports are working now.

    I found this file at these paths:
    [2.1.3-RELEASE][admin@x.x.x.x]/root(2): find / -type f -name "access.log"
    /var/log/dansguardian/access.log
    /var/squid/logs/access.log

    So I am using only the squid logs.

    So when I review this file in real time:

    [2.1.3-RELEASE][admin@x.x.x.x]/root(3): tail -f /var/squid/logs/access.log
    I observe that logging to this file is functioning correctly:
    1404401777.571  69031 192.168.1.71 TCP_MISS/200 79066 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
    1404401777.571  62470 192.168.1.71 TCP_MISS/200 49218 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
    1404401777.571  58642 192.168.1.71 TCP_MISS/200 54571 CONNECT apis.google.com:443 - DIRECT/74.125.229.192 -
    1404401777.571  62074 192.168.1.71 TCP_MISS/200 57318 CONNECT www.gstatic.com:443 - DIRECT/190.113.193.117 -
    1404401777.571  62244 192.168.1.71 TCP_MISS/200 140002 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
    1404401777.571  59832 192.168.1.71 TCP_MISS/200 4569 CONNECT www.google.com:443 - DIRECT/74.125.131.103 -
    1404401777.571  62316 192.168.1.71 TCP_MISS/200 4876 CONNECT ssl.gstatic.com:443 - DIRECT/190.113.193.117 -
    …....
    ......

    In the sarg.conf file, "access.log" is addressed correctly:
    [2.1.3-RELEASE][admin@x.x.x.x]/root(2): grep "access_log" /usr/pbi/sarg-i386/etc/sarg/sarg.conf

    TAG:  access_log file

    access_log /var/squid/logs/access.log

    TAG: realtime_access_log_lines num

    realtime_access_log_lines 1000

    [2.1.3-RELEASE][admin@x.x.x.x]/root(3):

    But in my report I don't observe any info. What could be the problem? What am I doing wrong?

    I appreciate your suggestions / recommendations.

    ![View Report.jpg](/public/imported_attachments/1/View Report.jpg)
    ![Report 01-07-2014.jpg](/public/imported_attachments/1/Report 01-07-2014.jpg)



  • I don't use Dansguardian, so I am not sure if you have to configure SARG for either Dansguardian or Squid. You probably don't want to configure it for both.

    My guess is that your configuration is correct now, because you have an index that shows up and the realtime works.

    If you look under:

    • Services - Proxy: Log rotate (this setting will conflict with SARG)
    • Status - SARG Reports - Schedule - Schedule Options - Action after sarg

    From what I read, you should leave Squid to not rotate logs at all and have SARG do it instead.

    Or you can modify the CRON job for SARG so it runs right before Squid rotates logs.

    If you leave Squid rotating logs, what happens is that at midnight, it will restart and zero out the access.log, so when SARG tries to read the access.log it will be empty, producing a blank report.

    You can test your configuration by going ahead and opening up the SARG schedule and clicking Force update now. Then check Status - System Logs and it should show any errors if SARG is having an issue.

    If it works, you should see updated reports.
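
The two checks discussed in this thread (an uncommented `access_log` line in sarg.conf that points at the real Squid log, and a log that has not just been emptied by rotation) can be combined into one pre-flight script. This is an added example, not part of the original posts or of the SARG package; the function name `check_sarg_log` and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the access_log directive in sarg.conf.
# check_sarg_log is a hypothetical helper, not part of SARG or pfSense.
# Return codes: 0 ok, 1 conf unreadable, 2 no active access_log line,
#               3 log file missing, 4 log file empty (e.g. just rotated).
check_sarg_log() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # Collect every uncommented access_log line; '#access_log ...' is skipped
    # because its first field is '#access_log', not 'access_log'.
    logs=$(awk '$1 == "access_log" { print $2 }' "$conf")
    [ -n "$logs" ] || { echo "no active access_log line in $conf"; return 2; }

    for log in $logs; do
        [ -f "$log" ] || { echo "access_log points to a missing file: $log"; return 3; }
        [ -s "$log" ] || { echo "log is empty, report would be blank: $log"; return 4; }
        echo "ok: $log ($(wc -l < "$log" | tr -d ' ') lines)"
    done
    return 0
}

# Stand-alone use: pass the sarg.conf path for your build as the first argument.
if [ -n "${1:-}" ]; then
    check_sarg_log "$1"
fi
```

Running it just before the scheduled SARG job shows whether a blank report comes from a log that Squid has already rotated.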