• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Problem with Sarg application

Scheduled Pinned Locked Moved pfSense Packages
5 Posts 3 Posters 3.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • P
    peruvichito2014
    last edited by Jun 29, 2014, 3:12 PM

    Hi Gurus

    I downloaded the following application (Sarg - 2.3.6_2 pkg v.0.6.3) and I set with these parameters:

    Label "General"
    In the Proxy Server I select squid option

    Report Options: Use Graphics where is possible
    Convert IP address to dns name
    Generate the Index tre by file
    Overwrite report
    Show ful url in report

    Report to Generate
    Topusers - User, site, times, bytes, connects, links to accessed sites etc
    Topsites - site, connect and byte report
    site_user - users and site report
    date_time - bytes used per day and hour report

    Date Format :  Weekly yy.ww

    Report Charset Latin2 - East European
    The rest of the other parameters, I leave its by default"

    Label "Schedule"
    Check in "enable" Options
    Sarg args " -d date +%d/%m/%Y  "
    Frecuency "5m"
    Action after sarg "None(default)"
    Compress Options
    Check in "Enable Compression"
    The rest of the other parameters, I leave its by default"

    By in the log I observe these messages:

    Jun 29 09:55:01 php: sarg.php: The command 'export LC_ALL=C && /usr/pbi/sarg-i386/bin/sarg -d date +%d/%m/%Y' returned exit code '1', the output was 'SARG: Unknown sort criterion "SITE" for parameter "topuser_sort_field"'
    Jun 29 09:55:01 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y args, compress(on) and none action after sarg finish.
    Jun 29 09:50:00 php: sarg.php: The command 'export LC_ALL=C && /usr/pbi/sarg-i386/bin/sarg -d date +%d/%m/%Y' returned exit code '1', the output was 'SARG: Unknown sort criterion "SITE" for parameter "topuser_sort_field"'
    Jun 29 09:50:00 php: sarg.php: Sarg: force refresh now with -d date +%d/%m/%Y args, compress(on) and none action after sarg finish.

    and I can not obtain any report

    What was wrong?, any suggestion  / comment?

    1 Reply Last reply Reply Quote 0
    • K
      KOM
      last edited by Jul 2, 2014, 1:38 PM

      I've never been able to get Sarg reports working.  The realtime view seems to work well enough, but not reports.

      1 Reply Last reply Reply Quote 0
      • K
        Kratos
        last edited by Jul 2, 2014, 2:29 PM

        Usually this fixes SARG for me:

        Under the Status Menu – click SARG Reports.
        On the General tab click Save
        Next click on the Users tab and click Save
        Click Schedule and create your schedule or if you have one already open it up and click Save.
        You can go back to the Schedule and Force Update to see if SARG Reports are working now.

        I also schedule SARG Reports in Cron to run at 11:50pm every night instead of midnight.

        50 23 */1 * *

        The last version is not looking for the Squid Access log correctly, so check this first:

        The solution is to edit the sarg.conf file that is located in one of these locations, depending on your pfsense build:

        /usr/pbi/sarg-amd64/etc/sarg/sarg.conf
        /usr/pbi/sarg-i386/etc/sarg/sarg.conf

        You will need to verify that the access_log line is correct:

        #access_log /usr/local/squid/var/logs/access.log

        In my case, removing the # sign and specifying the correct path to my Squid access.log corrected the problem.

        1 Reply Last reply Reply Quote 0
        • P
          peruvichito2014
          last edited by Jul 3, 2014, 3:52 PM

          Hi Kratos
          I Review your comment and others in this excellent forum
          First recommendation
          I copied the file "index.html" from /usr/local/sarg-reports/2014/07/02/ to /usr/local/sarg-reports/. After that I observe That appear this option in the report View Report
          See picture 1 - View Report

          Second
          I following your comment:

          Under the Status Menu – click SARG Reports.
          On the General tab click Save
          Next click on the Users tab and click Save
          Click Schedule and create your schedule or if you have one already open it up and click Save.
          You can go back to the Schedule and Force Update to see if SARG Reports are working now.

          I find this file in this path
          [2.1.3-RELEASE][admin@x.x.x.x]/root(2): find / -type f -name "access.log"
          /var/log/dansguardian/access.log
          /var/squid/logs/access.log;  So I am using only squid logs

          So when I review in Real Time this file:

          [2.1.3-RELEASE][admin@x.x.x.x]/root(3): tail -f /var/squid/logs/access.log
          I observe that the logs  in this file is fuction correctly:
          1404401777.571  69031 192.168.1.71 TCP_MISS/200 79066 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
          1404401777.571  62470 192.168.1.71 TCP_MISS/200 49218 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
          1404401777.571  58642 192.168.1.71 TCP_MISS/200 54571 CONNECT apis.google.com:443 - DIRECT/74.125.229.192 -
          1404401777.571  62074 192.168.1.71 TCP_MISS/200 57318 CONNECT www.gstatic.com:443 - DIRECT/190.113.193.117 -
          1404401777.571  62244 192.168.1.71 TCP_MISS/200 140002 CONNECT www.google.com.pe:443 - DIRECT/74.125.131.94 -
          1404401777.571  59832 192.168.1.71 TCP_MISS/200 4569 CONNECT www.google.com:443 - DIRECT/74.125.131.103 -
          1404401777.571  62316 192.168.1.71 TCP_MISS/200 4876 CONNECT ssl.gstatic.com:443 - DIRECT/190.113.193.117 -
          …....
          ......

          In sarg.conf file the "access.log" is addressed correctly:
          [2.1.3-RELEASE][admin@x.x.x.x]/root(2): grep "access_log" /usr/pbi/sarg-i386/etc/sarg/sarg.conf

          TAG:  access_log file

          access_log /var/squid/logs/access.log

          TAG: realtime_access_log_lines num

          realtime_access_log_lines 1000

          [2.1.3-RELEASE][admin@x.x.x.x]/root(3):

          But In my Report I don't observe any info, what will be the Problem?. What wrong I am doing????

          I appreciate your suggestion /recommendation

          ![View Report.jpg](/public/imported_attachments/1/View Report.jpg)
          ![View Report.jpg_thumb](/public/imported_attachments/1/View Report.jpg_thumb)
          ![Report 01-07-2014.jpg](/public/imported_attachments/1/Report 01-07-2014.jpg)
          ![Report 01-07-2014.jpg_thumb](/public/imported_attachments/1/Report 01-07-2014.jpg_thumb)

          1 Reply Last reply Reply Quote 0
          • K
            Kratos
            last edited by Jul 7, 2014, 8:42 PM

            I don't use Dansguardian, so I am not sure if you have to configure SARG for either Dansguardian or Squid. You probably don't want to configure it for both.

            My guess, is that your configuration is correct now, cause you have an index that shows up and the realtime works.

            If you look under:

            • Services - Proxy: Log rotate (this setting will conflict with SARG)
              Status - SARG Reports - Schedule - Schedule Options - Action after sarg

            From what I read, you should leave Squid to not rotate logs at all and have SARG do it instead.

            Or you can modify the CRON job for SARG so it runs right before Squid rotates logs.

            If you leave Squid rotating logs, what happens is that at midnight, it will restart and zero out the acess.log, so when SARG tries to read the access.log it will be empty, producing a blank report.

            You can test your configuration by going ahead and opening up the SARG schedule and clicking Force update now. Then check Status - System Logs and it should show any errors if SARG is having an issue.

            If it works, you should see updated reports.

            1 Reply Last reply Reply Quote 0
            5 out of 5
            • First post
              5/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received