On Thursday 21 September 2006 21:13, you wrote: > I have a Squid/SquidGuard machine setup and of course has various sites > allowed/denied. When a site is hit, Squid logs the hit to > /var/log/access.log and if it is denied, it logs to > /var/log/squidGuard/blocked.log and also logs to /var/log/squid/access.log. > My question is, should this happen? Should it only log to access.log if it > is allowed through? To me, it isn't really access if it is being denied by > squidGuard.
This is by design. Squid logs to its own access.log, in your case /var/log/access.log SquidGuard logs to its own log, in your case /var/log/squidGuard/blocked.log Squid is not logging the blocked site, Squid is logging the request to the site by the client (it has no idea it is being redirected), SquidGuard is logging the site it has blocked. Example from our own logs. Squid logs this: xxx.xxx.xxx.180 userid [22/Sep/2006:08:18:19 +0200] "GET http://www.playboy.com/favicon.ico HTTP/1.1" 200 2116 TCP_MEM_HIT:NONE SquidGuard logs this: 2006-09-22 08:18:19 [8764] Request(default/porn/-) http://www.playboy.com/ xxx.xxx.xxx.180/myhostname userid GET So Squid assumes it is accessing playboy.com for the user "userid", SquidGuard logs that the request made by the user "userid" from a certain workstation to access playboy.com has been blocked for the acl "default", because the site was found in the "porn" blacklist. HTH, Joop Beris
