> I was looking at the normal squid log...

Of the four Squid logs (cache_access_log, cache_log, cache_store_log,
& cache_swap_log), I believe we are talking about the cache_access_log.

> yes, I have "emulate_httpd_log" activated.

Understood.

> I was having squidGuard log these porn attempts
> but I didn't really find that useful (well, not yet,
> anyway).

You didn't find the squidGuard log useful **for what**? What are you
trying to accomplish? Do you want a report showing who keeps trying to
access the porn sites? The time of day that seems to have the most porn
attempts? The number of porn attempts stopped by day? Are you just
trying to validate that squidGuard is working like you think it is?
What are you trying to accomplish?

It may be that the squidGuard log is not useful for you because of the
way you've set up your squidGuard.conf, for example:

## SquidGuard can log to a different log file for each destination
group (porn.log, drugs.log, etc), but it won't do that if you don't
have a redirect inside each destination group definition.

## SquidGuard can log the ip, user id, group, or host name of the user
that is redirected, but it won't do that if you don't define your
source groups properly.

We could probably help with that if we knew what you are trying to
accomplish, and if we were able to look at your squidGuard.conf file.

> webtrends is the log analysis tool used here, and
> the common log format seems to emulate our current
> logging format (we're currently using Netscape proxy
> server).

Understood. Just remember that an emulation will always be a
compromise. There is a good possibility that you will receive less
information from Squid in emulate_httpd_log mode than would be
available in native format.

> While I'm not out of the woods yet, I'm seeing
> the light at the end of the tunnel.

Here's hoping that it's not a train. ;-)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Lundell
Sent: Tuesday, December 04, 2001 2:44 PM
To: Rick Matthews
Cc: Squidguard Mailing List
Subject: Re: help on redirects

Rick,

I was looking at the normal squid log - yes, I have
"emulate_httpd_log" activated.

I was having squidGuard log these porn attempts but I didn't really
find that useful (well, not yet, anyway). webtrends is the log analysis
tool used here, and the common log format seems to emulate our current
logging format (we're currently using Netscape proxy server).

My original predicament was trying to create a "403 Forbidden error",
even though the squid log file *appeared* to be showing that the site
in question was actually reached (hence "DIRECT"). I soon discovered
that I was looking in the wrong place in the log file (much like in the
first "Indiana Jones" movie, when the bad guys were "looking in the
wrong place" for the ark). I should have looked at the status number in
the log file and once I played with CGI::pm, the status "403" was
showing up in the log file.

While I'm not out of the woods yet, I'm seeing the light at the end of
the tunnel.

Using squidGuard is really great. Thank you for the kind and supportive
responses. :)

Chris

Rick Matthews wrote:
>
> Chris,
>
> I'm glad you are getting things figured out.
>
> > 1. I was looking at the wrong portion of the log output
> > (I should have looked at the "status" portion, which is
> > the output directly after the "method URL" part (in the
> > common log file format, that is).
>
> You didn't respond to my question about which log file you were
> viewing. You did mention "common log file format", so I'll guess that
> you are looking at the /squid/access.log, and that your squid.conf
> file contains "emulate_httpd_log on".
>
> I've never used the emulate_httpd_log switch. There is a list of Squid
> log file analysis tools here: <http://www.squid-cache.org/Scripts/>.
> You didn't mention what you are trying to accomplish, but I've found
> Calamaris to be very useful. Anytime you ask something to act like
> something else you run the risk of losing information in the
> translation. You might want to see if the native log file format will
> meet your needs.
>
> You'll get help for some Squid issues here, but keep in mind, this is
> a squidGuard mailing list, not Squid.
>
> Rick
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Lundell
> Sent: Tuesday, December 04, 2001 8:37 AM
> To: Rick Matthews
> Cc: Squidguard Mailing List
> Subject: Re: help on redirects
>
> Hello Rick,
>
> Thanks for writing back - I *think* I figured things out:
>
> 1. I was looking at the wrong portion of the log output (I should have
>    looked at the "status" portion, which is the output directly after
>    the "method URL" part (in the common log file format, that is).
> 2. I ended up using CGI.pm in my script and modified the header status
>    using the "redirect" method with the "-status" argument (i.e.,
>    "$query->redirect( -status => "403 Forbidden" )";).
>
> This is all based on the assumption that
>
> 192.168.100.15 clundell - [04/Dec/2001:09:22:28 -0500] "GET http://www.porn.com/ HTTP/1.0" 403 584 TCP_CLIENT_REFRESH_MISS:DIRECT
>
> will be logged as a "denied" hit and not a hit which was allowed
> (because of "DIRECT" at the end).
>
> Is this a correct assumption? Thanks again for writing ;).
>
> Chris
>
> Rick Matthews wrote:
> >
> > Hi, I'd be glad to help with your questions but it's not clear to me
> > what you are asking.
> >
> > > 1. How can a redirection (in this case, a CGI script)
> > > specifically state a 403 error and not simply a redirection
> > > (even though squidGuard acts as a redirection)?
> >
> > Are you asking *how* to go about getting your redirection to do
> > this? Or are you asking *why* is your redirection doing this? Please
> > post your squidGuard.conf so we can see what you are trying to do.
> >
> > > The log
> > > file indicates that the forbidden url was actually reached,
> > > when actually it was simply redirected.
> >
> > Which log is showing that the forbidden url was reached?
> >
> > > 2. Is it possible not to log these attempts?
> >
> > Are we still talking about the attempt you mentioned above that was
> > successful? Do you not want to log the *successful* ones or the
> > *unsuccessful* ones?
> >
> > Is it possible to not log them *where* (which log file)?
> >
> > I'll be watching for your reply with answers to these questions.
> > We'll have you cooking in no time!
> >
> > Rick
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Lundell
> > Sent: Monday, December 03, 2001 1:26 PM
> > To: [EMAIL PROTECTED]
> > Subject: help on redirects
> >
> > Hello,
> >
> > I'm just about finished configuring squidGuard and I have a
> > stumbling block:
> >
> > 1. How can a redirection (in this case, a CGI script) specifically
> >    state a 403 error and not simply a redirection (even though
> >    squidGuard acts as a redirection)? The log file indicates that
> >    the forbidden url was actually reached, when actually it was
> >    simply redirected.
> > 2. Is it possible not to log these attempts?
> >
> > Thank you,
> > Chris
> >
> > --
> Chris
--
Chris
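
The reading the thread settles on (classify a hit by its status field, not by the trailing DIRECT), as an added Python example that is not part of the original messages. The field layout is inferred from the one log line quoted above; the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Squid access.log with "emulate_httpd_log on" (layout of the thread's line):
# client user - [time] "METHOD URL PROTO" status bytes RESULT:HIERARCHY
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'(?P<result>\w+):(?P<hier>\w+)\s*$'
)

# First entry is the line quoted in the thread; the others are constructed.
SAMPLE_LOG = [
    '192.168.100.15 clundell - [04/Dec/2001:09:22:28 -0500] '
    '"GET http://www.porn.com/ HTTP/1.0" 403 584 TCP_CLIENT_REFRESH_MISS:DIRECT',
    '192.168.100.15 clundell - [04/Dec/2001:09:23:02 -0500] '
    '"GET http://www.example.org/ HTTP/1.0" 200 5120 TCP_MISS:DIRECT',
    '192.168.100.22 jdoe - [04/Dec/2001:09:25:41 -0500] '
    '"GET http://blocked.example.com/ HTTP/1.0" 403 584 TCP_MISS:DIRECT',
    'truncated line with no request field',
]


def parse_line(line):
    """Return the fields of one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def denied_by_user(lines, deny_status="403"):
    """Count denied requests per user; also return lines that failed to parse.

    Only the HTTP status is tested. The hierarchy code (DIRECT here) records
    how Squid fetched the response it served, not whether access was allowed.
    """
    counts, rejects = Counter(), []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            rejects.append(line)
        elif entry["status"] == deny_status:
            counts[entry["user"]] += 1
    return counts, rejects


if __name__ == "__main__":
    counts, rejects = denied_by_user(SAMPLE_LOG)
    print(dict(counts), f"{len(rejects)} unparsed line(s)")
```

An origin server can also answer 403 on its own, so squidGuard's own log remains the record of what it actually redirected.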
