The TCP_MISS is given when the site isn't found in the proxy's cache.
- Ryan
On 9/21/06, Scott Phillips <[EMAIL PROTECTED]> wrote:
huh?? Why would a 200 status request end up in the block log? 200
means it was served successfully.
I guess we need to know exactly what that TCP_MISS message is about
from squid. Let me look into it and get back to you; I'm very very
noob to squid and squidguard.
At 05:04 PM 9/21/2006, you wrote:
>Welp, I thought you had it nailed:
>
>Blocked.log
>2006-09-21 17:00:03 [1942] Request(ryantest/ryantest/-) http://www.google.com/ 10.1.1.177/- - GET
>
>Access.log
>1158872403.141 12 10.1.1.177 TCP_MISS/200 1258 GET http://www.google.com/ - DIRECT/192.168.0.20 text/html
>1158872403.186 7 10.1.1.177 TCP_MISS/200 1615 GET http://192.168.0.20/images/logo.jpg - DIRECT/192.168.0.20 image/gif
>
>I'll check out some squid configuration options and see what else is
>available. The reason this is so important is because I am trying to
>report on allowed website access (usage) using the access.log file
>and I am getting records showing up as access when they are really
>blocked (like above).
>
>- Ryan
>
>
>On 9/21/06, Ryan Greenier <[EMAIL PROTECTED]> wrote:
>Great idea, thanks for the help!
>
>- Ryan
>
>
>On 9/21/06, Scott Phillips <[EMAIL PROTECTED]> wrote:
>Greetings Ryan,
>
>At 03:13 PM 9/21/2006, you wrote:
> >To me, it isn't really access if it is being denied by squidGuard.
>
>I agree, but the squid / squidguard architecture isn't really able to
>tell the difference, at least not explicitly. The squid log is sort
>of like an "any request that I process, regardless of the outcome"
>log. The squidguard log acts more like a "requests that were
>specifically denied" log. If you really want to see "accesses" in
>the sense of a site that was allowed to be accessed (i.e., not denied
>by squidGuard) then consider grep'ing your squid.log log to exclude
>requests that resulted in 304 statuses.
>
># cat /var/log/squid/squid.log | grep -v 'TCP.*304 '
>
>Your understanding is correct that it's a bit redundant to be logging
>rejections in both squid and squidguard. Maybe there's an option in
>squid to not log 304 statuses?
>
>Cheers,
>--Scott!
>
>
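
Added example (not part of the original thread): one way to build the usage report discussed above is to correlate the two logs instead of filtering on status code, marking an access.log entry as blocked when blocked.log holds a denial for the same client, method and URL within a couple of seconds. The function names, the 2-second window, the UTC-4 offset, the www.example.org line and the treatment of 192.168.0.20 as the block-page host are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample input: the lines quoted in the thread, unwrapped, plus
# one made-up allowed request (www.example.org) for contrast.
BLOCKED_LOG = """\
2006-09-21 17:00:03 [1942] Request(ryantest/ryantest/-) http://www.google.com/ 10.1.1.177/- - GET
"""
ACCESS_LOG = """\
1158872403.141 12 10.1.1.177 TCP_MISS/200 1258 GET http://www.google.com/ - DIRECT/192.168.0.20 text/html
1158872403.186 7 10.1.1.177 TCP_MISS/200 1615 GET http://192.168.0.20/images/logo.jpg - DIRECT/192.168.0.20 image/gif
1158872460.502 95 10.1.1.177 TCP_MISS/200 4210 GET http://www.example.org/ - DIRECT/192.0.2.10 text/html
"""
# squidGuard line: local time, [pid], Request(...), URL, client/fqdn, ident, method
BLOCKED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[\d+\] Request\([^)]*\) "
    r"(\S+) ([^/\s]+)/\S* \S+ (\S+)")

def parse_blocked(text, utc_offset_hours):
    """Map (client, method, url) -> list of denial times as epoch seconds."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumed log timezone
    denied = {}
    for line in text.splitlines():
        m = BLOCKED_RE.match(line)
        if m:
            stamp, url, client, method = m.groups()
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            denied.setdefault((client, method, url), []).append(when.timestamp())
    return denied

def classify(access_text, denied, block_host, window=2.0):
    """Label each access.log line 'blocked', 'block-page' or 'allowed'."""
    results = []
    for line in access_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a native-format access.log line
        ts, client, method, url = float(f[0]), f[2], f[5], f[6]
        hits = denied.get((client, method, url), [])
        if any(abs(ts - t) <= window for t in hits):
            status = "blocked"      # squidGuard denied this exact request
        elif urlsplit(url).hostname == block_host:
            status = "block-page"   # asset fetched by the block page itself
        else:
            status = "allowed"
        results.append((status, url))
    return results

if __name__ == "__main__":
    denied = parse_blocked(BLOCKED_LOG, utc_offset_hours=-4)
    for status, url in classify(ACCESS_LOG, denied, block_host="192.168.0.20"):
        print(f"{status:10} {url}")
```

Only the entries labelled allowed belong in a usage report; the other two classes are the TCP_MISS/200 records that look like successful access in access.log.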
