Logging, Syslog and Log Analysis Forums
Author Topic: syslog-ng and squid (remove extra data...)  (Read 1868 times)
symedeot
« on: May 27, 2009, 03:35:51 am »

Hi,

I moved to syslog-ng to centralize squid server logs and it's working great.

But I still have one issue and can't find a way to solve it:

The standard log looks like this:
192.168.3.68 - - [27/May/2009:10:28:54 +0200] "CONNECT particuliers.secure.lcl.fr:443 HTTP/1.0" 200 30934 TCP_MISS:DIRECT

but with syslog-ng the program name and PID are added at the beginning of the log line.

squid[4393]: 192.168.3.68 - - [27/May/2009:10:28:54 +0200] \"CONNECT particuliers.secure.lcl.fr:443 HTTP/1.0\" 200 30934 TCP_MISS:DIRECT

It is a problem since I use squid log analyzers and they won't work with this extra data...

my syslog-ng.conf:
filter f_squid { program("squid"); };

destination ndf_squid {
        file("/home/squidlog/$HOST/$YEAR/$MONTH/$DAY/access.log" template("$MSG\n")
        owner("root")
        group("proxy")
        perm(0600)
        create_dirs(yes));
};

log {
        source(s_all);
        filter(f_squid);
        destination(ndf_squid);
};

my squid.conf syslog details:
access_log /var/log/squid/access.log common    # logging to file, works well
access_log syslog:daemon common                   # logging to syslog, add extra info

Any help welcome,

Regards,

Sylvain
mutex (Administrator)
« Reply #1 on: May 28, 2009, 08:24:06 pm »

try this:
Code:
filter f_squid { program("squid"); };

# Define the template before the destination that references it, and pass it
# inside file(...) instead of the inline template("$MSG\n").
template t_test {
        template("${MONTH} ${DAY} ${HOUR}:${MIN}:${SEC} ${HOST}: ${MSG}\n");
        template_escape(no);
};

destination ndf_squid {
        file("/home/squidlog/$HOST/$YEAR/$MONTH/$DAY/access.log"
        template(t_test)
        owner("root")
        group("proxy")
        perm(0600)
        create_dirs(yes));
};

log {
        source(s_all);
        filter(f_squid);
        destination(ndf_squid);
};
symedeot
« Reply #2 on: May 29, 2009, 03:59:18 am »

Hi,

Many thanks but it is still the same...

I get this :

05 29 10:54:42 proxy: squid[5198]: 192.168.3.69 - - [29/May/2009:10:54:42 +0200] "GET http://www.cinemapassion.com/covers_temp/covers3/Les_aventures_de_Winnie_l_ourson___SLIM-11211114012009.jpg HTTP/1.1" 304 398 TCP_MISS:DIRECT

I found a partial solution using sed prior to running the log analyser:
sed "s/squid\[.*\]: //g" access.log | sed '/^$/d' > test

The resulting file test is then OK.

If you have any other idea...

Regards,

Sylvain
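The sed pass in the reply above, as an added example that is not part of the thread or of syslog-ng/squid: a small POSIX shell filter that strips the syslog-ng program/PID prefix from squid access-log lines in both shapes seen in this thread (the bare "squid[pid]: " prefix produced by the "$MSG\n" template and the "MM DD HH:MM:SS host: squid[pid]: " prefix produced by the t_test template), leaves lines that carry no prefix untouched, and then checks that every surviving line opens with the "client - - [" field layout a common-log analyzer expects. The thread's expression is unanchored, so it strips nothing in front of "squid[" and, being greedy, would run to the last "]: " on a line if one ever appeared later; anchoring at the start of the line and requiring digits inside the brackets avoids both. The sample lines are constructed from the ones quoted in the thread (the IPv6 URL line is added to show that brackets later in the line are not touched); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: normalise syslog-ng-prefixed squid
# access-log lines back into plain common-log format before running an
# analyzer on them. Function and variable names are my own.

# Remove everything up to and including the first "squid[<pid>]: " on a line.
# Anchored at line start and limited to "[^[]*" before "squid[", so the PID
# bracket has to be the first '[' on the line: a later "]" or "]:" inside a
# URL is never consumed, and lines without the prefix pass through unchanged.
# Empty lines are dropped, as the sed pipeline in the thread does.
strip_squid_prefix() {
    sed -e 's/^[^[]*squid\[[0-9]\{1,\}]: //' -e '/^$/d'
}

# The thread's expression, for comparison: it only strips from "squid[", so
# the "MM DD HH:MM:SS host: " part added by the t_test template survives.
naive_strip() {
    sed 's/squid\[.*]: //g' | sed '/^$/d'
}

# Count lines that still do not open with "<client> - - [", i.e. lines a
# common-log parser would reject. 0 means every line was cleaned.
count_bad_lines() {
    grep -v '^[^ ]* - - \[' | wc -l | tr -d ' '
}

# Constructed sample input modelled on the lines quoted in the thread: a bare
# squid[pid] prefix, a t_test-template prefix, a bare prefix in front of a URL
# that itself contains brackets, a blank line, and an already clean line.
SAMPLE_LOG='squid[4393]: 192.168.3.68 - - [27/May/2009:10:28:54 +0200] "CONNECT particuliers.secure.lcl.fr:443 HTTP/1.0" 200 30934 TCP_MISS:DIRECT
05 29 10:54:42 proxy: squid[5198]: 192.168.3.69 - - [29/May/2009:10:54:42 +0200] "GET http://www.cinemapassion.com/covers_temp/covers3/x.jpg HTTP/1.1" 304 398 TCP_MISS:DIRECT
squid[4393]: 192.168.3.70 - - [29/May/2009:11:00:00 +0200] "GET http://[::1]:8080/ HTTP/1.1" 200 512 TCP_MISS:DIRECT

192.168.3.71 - - [29/May/2009:11:00:01 +0200] "GET http://example.test/ HTTP/1.1" 200 100 TCP_HIT:NONE'

# Run the anchored filter over the sample; with real data, replace the
# printf with "cat access.log".
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | strip_squid_prefix
}

run_sample
printf 'lines left unparseable by the anchored filter: %s\n' \
    "$(run_sample | count_bad_lines)"
printf "lines left unparseable by the thread's sed: %s\n" \
    "$(printf '%s\n' "$SAMPLE_LOG" | naive_strip | count_bad_lines)"
```

Run as "sh strip_squid_prefix.sh" to see the four cleaned lines followed by the two counts; to use it on a real file, pipe the file through strip_squid_prefix and then check the output with count_bad_lines before handing it to the analyzer.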
mutex (Administrator)
« Reply #3 on: June 10, 2009, 12:09:32 pm »

If you are feeling adventurous, try adding the "store-legacy-msghdr" flag to the source statement.