Splunk® Supported Add-ons

Splunk Add-on for Squid Proxy

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure monitor input for the Splunk Add-on for Squid Proxy

You need to configure the Splunk platform to monitor the access log file generated by the Squid Proxy server. You can use either Splunk Web to create the monitor input or configure inputs.conf directly.

Configure Monitoring through Splunk Web

Configure a file monitoring input on your data collection node for the Squid Proxy server access.log file.

  1. Log into Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to File or Directory.
  5. Navigate to the access.log file generated by the Squid Proxy server and click Next. The default location for access.log is /usr/local/squid/var/logs/access.log.
  6. Next to Source type, click Select to select the source type definition provided in the add-on.
  7. Click Select Source Type and select Network & Security.
  8. Enter the sourcetype based on the logformat configured in your Squid environment.
    1. If you configured the default squid logformat, type squid:access.
    2. If you configured Splunk's recommended custom format splunk_recommended_squid logformat, typesquid:access:recommended.
  9. Click Review.
  10. After you review the information, click Submit.

Configure inputs.conf

You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.

1. Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_squid/local folder.

2. Add the following stanza and lines, replacing <path> with the actual path to access.log depending on the logformat configured in your squid environment, and save the file.

  • If you configured the default squid logformat, add the following stanza:
[monitor://<path>]
sourcetype=squid:access
disabled = 0
  • If you configured Splunk's recommended custom format splunk_recommended_squid logformat, add the following stanza:
[monitor://<path>]
sourcetype=squid:access:recommended
disabled = 0

Note: The default location of access.log is /usr/local/squid/var/logs/access.log.

3. Restart the Splunk platform for the new input to take effect.

Validate data collection

After you configure monitoring, run this search to check that you are ingesting the data that you expect.

sourcetype=squid:access*

Last modified on 04 December, 2023
PREVIOUS
Configure Squid Proxy access log
  NEXT
Troubleshoot the Splunk Add-on for Squid Proxy

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters