access.log (squid) file, adding Logins

mizard · 09-25-2005, 10:27 PM

Hello! This is my first post here.
Sorry for my English.

I need your help, guys.

My access.log (squid) file contains IP's, http's etc, but I need Logins and Computer Names too.
How can I do this? How can I add these parameters?

Please, help!

mizard · 09-26-2005, 03:48 AM

Guys, please help!
It's ordinary squid proxy server.

deoren · 09-26-2005, 05:52 AM

I don't know about your setup, but on a FC1 and a Gentoo box it logs connections from users that have authenticated via proxy_auth. In my case I use LDAP to authenticate them.

I then use sarg to process access.log and generate reports of the traffic.

Have you altered the squid config file much from the original?

mizard · 09-26-2005, 10:32 PM

Quote:

Originally posted by deoren
I don't know about your setup, but on a FC1 and a Gentoo box it logs connections from users that have authenticated via proxy_auth. In my case I use LDAP to authenticate them.

I then use sarg to process access.log and generate reports of the traffic.

Have you altered the squid config file much from the original?

deoren , thank you very much for your answer!
So, your squid access.log file contains and Logins and Hostnames?
If so, how you did it?
(My Linux is RHEL4)
There is a lot to edit. Can you say, what exactly you did? What kind of proxy_auth I need to use to see and Logins and Hostnames in my squid access.log file?

deoren · 09-27-2005, 07:45 AM

The very first thing I would recommend doing is getting a copy of Squid The Definitive Guide. I am reading it to help me setup an installation of squid for a small lab setting.

It's ISBN # is 0596001622. I would recommend Half.com or Amazon.com's Marketplace for a good price.

I've setup logging of hostnames in squid by searching for

Quote:

TAG: log_fqdn on|off

in squid.conf and adding

Code:

log_fqdn on

below all of the comments. As the comments say though, this may slow access speed as squid has to lookup each connecting system.

I'm likely to turn this off in the future once I research a program similar to Apache's logresolve. This will let me resolve the ip addresses before any log analyzers get a hold of it. Because squid would not be doing the dns resolution during access it would speed up requests as well.

Of course for that to work you need your nameserver (mentioned in /etc/resolv.conf of the squid box) to support ip->name lookups.

Lastly, for adding your own rules do a search for

Quote:

INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

and scroll down. In the squid.conf file for a Gentoo install the first rule after that was

Code:

http_access allow localhost

. I left it and added something like the following (different directory structure):

Code:

# Authenticate against OpenLDAP directory.  Make sure to chmod 600 the pass file
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=users,dc=example,dc=com" 127.0.0.1 -D uid=squidquery,ou=DSA,dc=example,dc=com -W /etc/squid/squid_query.conf -v 3
auth_param basic children 10
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 1 hour

# Require that users authenticate in order to use Proxy
acl Authenticated proxy_auth REQUIRED
http_access allow Authenticated

Code:

man squid_ldap_auth

will tell you the different options for the ldap helper. Now you should see the login names and hostnames for your environment. As mentioned previously, resolving hostnames right before or during the log analysis phase should result in less latency for proxy requests.

Last but not least, chapter 12 covers the different helpers for proxy authentication.