SARG Q1: Report only of the last hour? Q2: Correlation user+time+website?



  • Hello,

    I have two questions using SARG and squid.

    SARG generates every hour a report of the actual day. I have "overwrite reports" enabled. Using this command:

    TODAY:  -d `date +%d/%m/%Y`
    

    This is working as expected. So I get every hour an actual report of the actual day. This is OK.

    Question 1:
Is it possible to get a separate report which shows me the websites the user(s) connected to between specific hours? So I want a report which only shows the requests between 0900-0959 and between 1000-1059. With the SARG arguments above and disabled "overwrite reports" I got an hourly report, but this report contains everything from the beginning of the day. So like 0000-0859 and the next report from 0000-0959. So I would appreciate any suggestions or corrections if I did configure or understand something wrong.

    Question 2:
I am not able to find a statistic where I can exactly see which user(s) accessed which website at a specific time range. So I want to see that one user accessed www.google.com at 09:10am, 09:35am and so on. The reason why I am interested in this statistic is because I want to know why a Snort alert was generated. I want to see which websites were accessed at this time by a specific user to find out if it was the website the user accessed that generated the alert, or if it was some "adware banner" or something crosslinked on the page which generated the alert.

    Thank you for your suggestions and your help!



  • @Nachtfalke:

    Question 1:

Is it possible to get a separate report which shows me the websites the user(s) connected to between specific hours? So I want a report which only shows the requests between 0900-0959 and between 1000-1059. With the SARG arguments above and disabled "overwrite reports" I got an hourly report, but this report contains everything from the beginning of the day. So like 0000-0859 and the next report from 0000-0959. So I would appreciate any suggestions or corrections if I did configure or understand something wrong.

It will work only if you rotate the log without "overwrite reports" checked.

    Question 2:
I am not able to find a statistic where I can exactly see which user(s) accessed which website at a specific time range. So I want to see that one user accessed www.google.com at 09:10am, 09:35am and so on. The reason why I am interested in this statistic is because I want to know why a Snort alert was generated. I want to see which websites were accessed at this time by a specific user to find out if it was the website the user accessed that generated the alert, or if it was some "adware banner" or something crosslinked on the page which generated the alert.

The 'sites and users' report shows who accessed the site, but it does not include a time column. But if you click on the user, SARG will redirect you to the client day report.
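The user-plus-time correlation asked for in Question 2 can be pulled straight from Squid's access.log instead of from SARG's reports, because every line there carries the request timestamp and the authenticated user. The following is an added example, not part of either post and not SARG functionality; it assumes Squid's default native log format and runs on constructed sample lines. Given a Snort alert time, it lists everything one user requested in a window around it, so embedded banner or third-party requests show up beside the page the user actually typed.

```python
import datetime as dt
from typing import Iterator, List, NamedTuple

# Constructed sample lines in Squid's default "native" access.log format:
# <unix_ts.ms> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <user> <hier/peer> <mime>
SAMPLE_ACCESS_LOG = """\
1300000200.123    120 192.168.1.20 TCP_MISS/200 5120 GET http://www.google.com/ alice DIRECT/203.0.113.10 text/html
1300000205.456     80 192.168.1.20 TCP_MISS/200 2048 GET http://ads.example.net/banner.js alice DIRECT/203.0.113.20 application/javascript
1300000230.789    200 192.168.1.30 TCP_MISS/200 4096 GET http://www.example.org/ bob DIRECT/203.0.113.30 text/html
1300000900.000    150 192.168.1.20 TCP_HIT/200 1024 GET http://www.google.com/ alice NONE/- text/html
"""


class Access(NamedTuple):
    when: dt.datetime   # request time, UTC
    client: str         # client IP
    user: str           # authenticated user, or "-" if none
    method: str
    url: str
    status: str         # e.g. TCP_MISS/200


def parse_native(lines: Iterator[str]) -> Iterator[Access]:
    """Parse Squid native-format access.log lines; skips short or malformed lines."""
    for line in lines:
        f = line.split()
        if len(f) < 10:
            continue
        yield Access(
            when=dt.datetime.fromtimestamp(float(f[0]), tz=dt.timezone.utc),
            client=f[2], status=f[3], method=f[5], url=f[6], user=f[7],
        )


def requests_around(log_text: str, user: str, alert_ts: float, window_s: int = 60) -> List[Access]:
    """Return one user's requests within +/- window_s seconds of a Snort alert time
    (alert_ts is a Unix epoch timestamp, as in Snort's unified2/fast output)."""
    centre = dt.datetime.fromtimestamp(alert_ts, tz=dt.timezone.utc)
    lo = centre - dt.timedelta(seconds=window_s)
    hi = centre + dt.timedelta(seconds=window_s)
    return [a for a in parse_native(log_text.splitlines())
            if a.user == user and lo <= a.when <= hi]


if __name__ == "__main__":
    # Alert fired at 1300000206; show what alice fetched in the 30 s either side of it.
    for a in requests_around(SAMPLE_ACCESS_LOG, "alice", 1300000206.0, window_s=30):
        print(a.when.strftime("%H:%M:%S"), a.client, a.status, a.method, a.url)
```

Run against a real log with `open("/var/squid/logs/access.log").read()` in place of the sample text; the window should be widened if the proxy and the IDS clocks are not synchronised.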

