Squid log analysis using sarg

From Notes_Wiki
Revision as of 14:55, 2 April 2016 by Saurabh (talk | contribs)



Manual installation of sarg

To install sarg manually, use the following steps:

  1. Install the following packages from the base and updates repositories:
    yum -y install gcc gd gd-devel make perl-GD wget httpd pcre-devel
  2. Download the latest sarg code from http://sourceforge.net/projects/sarg/files/latest/download
    At the time of this writing, 2.3.9 was found to work and 2.3.10 was failing on CentOS-6.x
  3. Extract the code and run ./configure; make; make install
  4. Edit /usr/local/etc/sarg.conf and set the following values:
    access_log /var/log/squid/access.log
    output_dir /var/www/html/sarg-reports
    date_format e
    overwrite_report yes
  5. Generate a one-time report using sarg -x
  6. Run sarg from cron using:
    15 1 * * * /usr/local/bin/sarg -x >/dev/null 2>&1
  7. Restrict access to the sarg reports by creating /etc/httpd/conf.d/sarg.conf with:
    <Location /sarg-reports>
    Options All
    AllowOverride All
    Order deny,allow
    Allow from 10.3.1.2
    Deny from all
    </Location>
    Here, replace 10.3.1.2 with the admin network.

Some of the steps are contributed by Kiran Kollipara.


sarg setup on CentOS 7.0

Compared to the steps above, on CentOS 7.0 use the following additional steps:

  1. Edit /usr/local/squish/squish.pl and change the reload command to:
    systemctl reload squid
  2. Edit /etc/httpd/conf.d/apache-squish.conf to have:
    Require all granted


Sarg daily, weekly, monthly reports

By default, sarg generates one report for each day or for a particular log file. It is more practical to look at weekly or monthly usage to understand the Internet usage patterns of users. Thus, it might be desirable to have weekly and monthly reports along with daily reports. To set up sarg for multiple interval reports, use:

    /usr/local/bin/sarg -x -d month-0 -o /var/www/html/monthly-reports -l /var/log/squid/access.log*
    /usr/local/bin/sarg -x -d week-0 -o /var/www/html/weekly-reports -l /var/log/squid/access.log*
    /usr/local/bin/sarg -x -d day-0 -o /var/www/html/daily-reports -l /var/log/squid/access.log*

These generate monthly, weekly and daily reports respectively. They are one-time commands. To run them periodically using cron, use the following cron settings:

   15 22 * * * /usr/local/bin/sarg -x >/dev/null 2>&1
   15 23 * * * /usr/local/bin/sarg -x -d month-0 -o /var/www/html/monthly-reports -l /var/log/squid/access.log*
   15 0 * * * /usr/local/bin/sarg -x -d week-0 -o /var/www/html/weekly-reports -l /var/log/squid/access.log*
   15 1 * * * /usr/local/bin/sarg -x -d day-0 -o /var/www/html/daily-reports -l /var/log/squid/access.log*

More details about the '-d' option can be found in the sarg man page.

Further, these different reports can be linked together by one top-level HTML file such as:

   <html>
     <head>
       <title>Purpletalk sarg reports</title>
     </head>
     <body>
       Different types of reports:
       <ul>
         <li> <a href="daily-reports" target="_blank">Daily reports</a> </li>
         <li> <a href="weekly-reports" target="_blank">Weekly reports</a> </li>
         <li> <a href="monthly-reports" target="_blank">Monthly reports</a> </li>
         <li> <a href="sarg-reports" target="_blank">Default reports</a> </li>
       </ul>
     </body>
   </html>


Refer to http://www.linuxquestions.org/questions/linux-server-73/sarg-monthly-report-on-squid-server-927079/
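
The daily, weekly and monthly report directories sit beside sarg-reports under /var/www/html, but the <Location /sarg-reports> block from the installation steps covers only that one path. The following Python check is an added example, not part of the original page or of sarg: it lists report directories that no restricting <Location> block covers. It assumes the Apache DocumentRoot is /var/www/html, uses hypothetical function names, and relies on simple pattern matching rather than a full Apache configuration parser.

```python
import re

DOCROOT = "/var/www/html"  # assumption: Apache DocumentRoot implied by the page's paths
# Constructed inputs: the cron entries and the access rules of the Apache block from this page.
CRON = """\
15 22 * * * /usr/local/bin/sarg -x >/dev/null 2>&1
15 23 * * * /usr/local/bin/sarg -x -d month-0 -o /var/www/html/monthly-reports -l /var/log/squid/access.log*
15 0 * * * /usr/local/bin/sarg -x -d week-0 -o /var/www/html/weekly-reports -l /var/log/squid/access.log*
15 1 * * * /usr/local/bin/sarg -x -d day-0 -o /var/www/html/daily-reports -l /var/log/squid/access.log*
"""
HTTPD_CONF = """\
<Location /sarg-reports>
Order deny,allow
Allow from 10.3.1.2
Deny from all
</Location>
"""

def report_urls(cron_text, default_output_dir, docroot=DOCROOT):
    """URL paths of every directory the sarg cron jobs write to under docroot."""
    dirs = set()
    for line in cron_text.splitlines():
        tokens = line.split()
        if not any(t.endswith("/sarg") for t in tokens):
            continue
        # -o overrides output_dir from sarg.conf; without it the default applies.
        out = tokens[tokens.index("-o") + 1] if "-o" in tokens[:-1] else default_output_dir
        dirs.add(out.rstrip("/"))
    return sorted(d[len(docroot):] for d in dirs if d.startswith(docroot + "/"))

def restricted_prefixes(conf_text):
    """Prefixes of <Location> blocks that deny by default (heuristic, 2.2 or 2.4 syntax)."""
    found = []
    for path, body in re.findall(r"<Location\s+(\S+?)>(.*?)</Location>", conf_text, re.S | re.I):
        deny_22 = re.search(r"^\s*Deny\s+from\s+all\b", body, re.M | re.I)
        require_24 = re.search(r"^\s*Require\s+(?!all\s+granted)\S", body, re.M | re.I)
        if deny_22 or require_24:
            found.append(path.strip('"').rstrip("/") or "/")
    return found

def unprotected(cron_text, conf_text, default_output_dir):
    """Report URL paths that no restricted <Location> block covers."""
    prefixes = restricted_prefixes(conf_text)
    def covered(url):
        return any(p == "/" or url == p or url.startswith(p + "/") for p in prefixes)
    return [u for u in report_urls(cron_text, default_output_dir) if not covered(u)]

if __name__ == "__main__":
    print(unprotected(CRON, HTTPD_CONF, "/var/www/html/sarg-reports"))
```

With the settings from this page, the check reports /daily-reports, /monthly-reports and /weekly-reports; adding a matching restricted <Location> block for each of them (or one block for a common parent path) clears the list.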

