Log Types: SquidProxyLog (WebLog)
Overview
Squid is a web proxy server that can log data in a variety of formats. In general the Epilog agent for Unix is configured to forward Squid proxy log data to the Snare Server.
The Squid proxy log module pushes events to the 'WebLog' table, with the 'LogType' set to 'ProxySvr'.
Collection
Squid proxy logs are generally sent to the Snare Central server via the Epilog for Unix (or Windows) agents.
Squid logs (in the default Squid log format) can also be transferred to the directory /data/SnareCollect/SquidProxyLog via FTP as the user 'snarexfer'. Logs placed there are processed daily, at around midnight.
Sample Events
myProxyServer SquidProxyLog 0 10.0.0.2 - - [17/Mar/2003:18:03:08 +1100] "GET http://www.blah.com/images/org_background.gif HTTP/1.0" 200 2321 "http://10.0.0.3/login.php" "Mozilla/5.0 Galeon/1.2.7 (X11; Linux i686; U;) Gecko/20021203
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | WebLog |
| HOSTNAME | |
| USERNAME | If available, the authenticated username requesting access to the data. |
| URL | Uniform resource locator: the web address of the resource being accessed. |
| RETURNCODE | Return code of the access request |
| BYTES | The number of bytes transferred |
| REFERRER | The referrer page |
| AGENT | The browser information provided by the client |
| PROTOCOL | HTTP, HTTPS, FTP, GOPHER, and so on |
| LOGTYPE | IIS, Apache, Squid, ISA, and other logs are currently all pushed to a consolidated 'WebLog' table. This field distinguishes web server logs from proxy logs. |
| CATEGORY | |
| STRINGS | All other data in the event is pushed to this field. |
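As an added illustration (not part of the Snare documentation or the Snare product code), the following Python parser maps a forwarded Squid event onto the WebLog columns listed above. It uses the page's own sample event plus a second, constructed event with an authenticated CONNECT request. The mapping of the client address to HOSTNAME, the treatment of CONNECT tunnels as HTTPS, the contents placed into STRINGS and the tolerance of a missing closing quote on the user agent are assumptions made here, since the page does not state them.

```python
import re
from datetime import datetime

# Constructed sample lines. The first is the page's own sample event (it lacks a
# closing quote on the user agent, which the parser tolerates); the second is a
# made-up authenticated CONNECT request to exercise the username/protocol paths.
SAMPLE_EVENTS = [
    'myProxyServer SquidProxyLog 0 10.0.0.2 - - [17/Mar/2003:18:03:08 +1100] '
    '"GET http://www.blah.com/images/org_background.gif HTTP/1.0" 200 2321 '
    '"http://10.0.0.3/login.php" "Mozilla/5.0 Galeon/1.2.7 (X11; Linux i686; U;) Gecko/20021203',
    'myProxyServer SquidProxyLog 1 10.0.0.7 - alice [17/Mar/2003:18:04:15 +1100] '
    '"CONNECT mail.example.com:443 HTTP/1.1" 200 512 "-" "curl/7.29.0"',
]

# Epilog-style header (system, source tag, counter) followed by a combined-style
# Squid access line. The closing quote of the agent is optional so that a
# truncated event is still parsed rather than dropped.
EVENT_RE = re.compile(
    r'^(?P<system>\S+)\s+SquidProxyLog\s+(?P<counter>\d+)\s+'
    r'(?P<client>\S+)\s+(?P<ident>\S+)\s+(?P<user>\S+)\s+'
    r'\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<url>\S+)(?:\s+(?P<version>[^"\s]+))?"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)'
    r'(?:\s+"(?P<referrer>[^"]*)")?'
    r'(?:\s+"(?P<agent>[^"]*)"?)?'
    r'\s*$'
)

SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*)://')


def _dash_to_empty(value):
    """Squid writes '-' for absent values; the WebLog columns get empty strings."""
    return '' if value in (None, '-') else value


def _protocol_for(method, url):
    """Derive PROTOCOL from the URL scheme. A CONNECT request without a scheme
    is treated as HTTPS (assumption: CONNECT is almost always a TLS tunnel)."""
    m = SCHEME_RE.match(url)
    if m:
        return m.group(1).upper()
    if method.upper() == 'CONNECT':
        return 'HTTPS'
    return ''


def parse_squid_event(line):
    """Map one forwarded Squid event onto the WebLog columns.

    Returns a dict keyed by column name, or None when the line does not match,
    so the caller can route it to a parse-failure queue instead of losing it.
    """
    m = EVENT_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    except ValueError:
        return None
    g = m.groupdict()
    # Everything the table has no column for goes into STRINGS, as the page states.
    leftovers = [f"counter={g['counter']}", f"method={g['method']}"]
    if g['version']:
        leftovers.append(f"version={g['version']}")
    return {
        'DATE': ts.strftime('%Y-%m-%d'),   # the event's own local date, not converted to UTC
        'TIME': ts.strftime('%H:%M:%S'),
        'SYSTEM': g['system'],
        'TABLE': 'WebLog',
        'HOSTNAME': g['client'],           # assumption: the requesting client address
        'USERNAME': _dash_to_empty(g['user']),
        'URL': g['url'],
        'RETURNCODE': int(g['status']),
        'BYTES': 0 if g['bytes'] == '-' else int(g['bytes']),
        'REFERRER': _dash_to_empty(g['referrer']),
        'AGENT': _dash_to_empty(g['agent']),
        'PROTOCOL': _protocol_for(g['method'], g['url']),
        'LOGTYPE': 'ProxySvr',
        'CATEGORY': '',
        'STRINGS': ' '.join(leftovers),
    }


def parse_many(lines):
    """Parse a batch; returns (rows, rejected_lines) so nothing is silently lost."""
    rows, rejected = [], []
    for line in lines:
        row = parse_squid_event(line)
        if row is None:
            rejected.append(line)
        else:
            rows.append(row)
    return rows, rejected


if __name__ == '__main__':
    rows, rejected = parse_many(SAMPLE_EVENTS + ['not a squid line'])
    for row in rows:
        print(row)
    print('rejected:', rejected)
```

Lines that do not match the expected layout are returned separately rather than dropped, which is the behaviour you want in a collector: a parse failure on proxy logs is itself worth noticing, since it can hide the events you most want to correlate.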
Notes
The Squid proxy log data is sent to the 'WebLog' table to facilitate easy correlation with events from other proxy servers.