Splunk® Supported Add-ons

Splunk Add-on for Squid Proxy

Configure Squid Proxy access log

The Splunk Add-on for Squid Proxy monitors the access log file generated by the Squid Proxy server. The default location of the access log file is /usr/local/squid/var/logs/access.log or /var/log/squid/access.log, depending on how Squid was built or packaged. To change the location of the access log, see the access_log directive documentation at http://www.squid-cache.org/Doc/config/access_log. For more information about the access log and its fields, see http://wiki.squid-cache.org/SquidFaq/SquidLogs#access.log.

Configure logs for sourcetype=squid:access:recommended

The Squid access log format is highly customizable, so Splunk created a custom logformat, splunk_recommended_squid, that carries most of the important and recommended fields Squid Proxy can provide. It is a single logformat directive (one line in squid.conf; the key=value layout is what the add-on's field extractions expect). Below is the splunk_recommended_squid format:

logformat splunk_recommended_squid %ts.%03tu logformat=splunk_recommended_squid duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident="%[ui" user="%[un" local_time=[%tl] http_method=%rm request_method_from_client=%<rm request_method_to_server=%>rm url="%ru" http_referrer="%{Referer}>h" http_user_agent="%{User-Agent}>h" status=%>Hs vendor_action=%Ss dest_status=%Sh total_time_milliseconds=%<tt http_content_type="%mt" bytes=%st bytes_in=%>st bytes_out=%<st sni="%ssl::>sni"

To configure the Splunk recommended logformat splunk_recommended_squid:

  • Open squid.conf for editing.
  • Copy and paste the format block above into squid.conf as one line, alongside the other logformat definitions. The definition must appear before the access_log directive that references it, because Squid resolves the format name when it parses access_log.
  • Find the access_log directive for your access log (for example, the default line access_log daemon:/var/log/squid/access.log squid) and replace its format argument with the new logformat:
access_log daemon:<your log location till access.log> splunk_recommended_squid
    Do not leave a second access_log line for the same file in the old format, or the file will contain a mix of both formats.
  • Save squid.conf.
  • Check the configuration with squid -k parse, then restart Squid (or reload the configuration with squid -k reconfigure).
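The following helper carries out the steps above on a squid.conf programmatically. It is an added example, not code from the Splunk add-on or from Squid, and the squid.conf fragment in the usage section is constructed. It assumes the logformat line exactly as published above and uses Squid's real squid -k parse check; the function names are this example's own.

```python
"""Point a squid.conf at the splunk_recommended_squid logformat, idempotently.

Added helper, not part of the Splunk add-on or of Squid. The squid.conf text
used in the usage example at the bottom is constructed."""
import re
import shutil
import subprocess
from typing import List, Optional

FORMAT_NAME = "splunk_recommended_squid"

# The logformat directive from the Splunk documentation, as one squid.conf line.
SPLUNK_LOGFORMAT = (
    "logformat splunk_recommended_squid %ts.%03tu logformat=splunk_recommended_squid "
    "duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident=\"%[ui\" "
    "user=\"%[un\" local_time=[%tl] http_method=%rm request_method_from_client=%<rm "
    "request_method_to_server=%>rm url=\"%ru\" http_referrer=\"%{Referer}>h\" "
    "http_user_agent=\"%{User-Agent}>h\" status=%>Hs vendor_action=%Ss dest_status=%Sh "
    "total_time_milliseconds=%<tt http_content_type=\"%mt\" bytes=%st bytes_in=%>st "
    "bytes_out=%<st sni=\"%ssl::>sni\""
)


def apply_recommended_logformat(conf_text: str, access_log_path: str) -> str:
    """Return conf_text with the logformat defined and access_log_path using it.

    Edge cases handled: the definition is placed before the access_log directive
    (Squid resolves the format name while parsing access_log, so a later
    definition is an error); an existing access_log line for the same file in
    another format (for example the default "squid") is replaced, not duplicated,
    because two access_log lines for one file would interleave formats in it;
    and running again on already-updated text changes nothing.
    """
    has_format = re.compile(rf"^\s*logformat\s+{FORMAT_NAME}\b")
    # Matches access_log for this file with or without a module prefix (daemon:, stdio:, ...)
    same_file = re.compile(rf"^\s*access_log\s+(?:\w+:)?{re.escape(access_log_path)}(?:\s|$)")
    wanted = f"access_log daemon:{access_log_path} {FORMAT_NAME}"

    lines = conf_text.splitlines()
    defined = any(has_format.match(line) for line in lines)
    out: List[str] = []
    replaced = False
    for line in lines:
        if same_file.match(line):
            if replaced:
                continue  # drop a second access_log directive for the same file
            if not defined:
                out.append(SPLUNK_LOGFORMAT)  # definition must precede its first use
                defined = True
            line, replaced = wanted, True
        out.append(line)
    if not defined:
        out.append(SPLUNK_LOGFORMAT)
    if not replaced:
        out.append(wanted)
    return "\n".join(out) + "\n"


def check_with_squid(conf_path: str) -> Optional[bool]:
    """Validate a written file with `squid -k parse`; returns None when squid is not installed."""
    squid = shutil.which("squid")
    if squid is None:
        return None
    return subprocess.run([squid, "-k", "parse", "-f", conf_path]).returncode == 0


def update_conf_file(conf_path: str, access_log_path: str) -> str:
    """Rewrite conf_path in place (keeping a .bak copy) and return the new text."""
    with open(conf_path) as fh:
        original = fh.read()
    updated = apply_recommended_logformat(original, access_log_path)
    if updated != original:
        shutil.copyfile(conf_path, conf_path + ".bak")
        with open(conf_path, "w") as fh:
            fh.write(updated)
    return updated


if __name__ == "__main__":
    # Constructed squid.conf fragment that still uses Squid's default "squid" format.
    demo = "http_port 3128\naccess_log daemon:/var/log/squid/access.log squid\ncache deny all\n"
    print(apply_recommended_logformat(demo, "/var/log/squid/access.log"))
```

After update_conf_file returns, run check_with_squid on the file and only then restart or reconfigure Squid; a failed parse leaves the .bak copy to restore.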

Configure logs for sourcetype=squid:access

The Splunk Add-on for Squid Proxy also supports Squid's built-in default logformat "squid" under sourcetype=squid:access. However, that format lacks several important fields (for example client port, server port, User-Agent, Referer, request and response sizes, and SNI) that the custom splunk_recommended_squid format described in this topic provides.
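To show what each format yields once it reaches an analyst, here is a parser for both the splunk_recommended_squid key=value lines described above and Squid's default "squid" logformat lines from this section, followed by a few detection checks over the parsed events. This is an added example, not code from the Splunk add-on or from Squid. The sample log lines are constructed; the native field order assumed is Squid's documented "squid" logformat (%ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt), and the field names for it are chosen to match the recommended format's keys.

```python
"""Parse Squid access.log lines in the splunk_recommended_squid key=value format
and in Squid's default "squid" native format, then run security checks on them.
Added example, not add-on code. SAMPLE_LINES below are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# key=value, key="quoted value" (backslash-escaped quotes allowed), or key=[bracketed value]
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\[[^\]]*\]|\S*)')

# Field order of Squid's built-in "squid" logformat:
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
_NATIVE_FIELDS = ("timestamp", "duration", "src_ip", "result", "bytes_out",
                  "http_method", "url", "user", "hierarchy", "http_content_type")

SAMPLE_LINES = [
    # constructed: recommended format, CONNECT to 443 whose SNI matches the tunnel host
    '1700000000.123 logformat=splunk_recommended_squid duration=245 src_ip=10.0.0.5 src_port=51234 '
    'dest_ip=93.184.216.34 dest_port=443 user_ident="-" user="alice" local_time=[14/Nov/2023:22:13:20 +0000] '
    'http_method=CONNECT request_method_from_client=CONNECT request_method_to_server=- url="example.com:443" '
    'http_referrer="-" http_user_agent="Mozilla/5.0 (X11; Linux x86_64)" status=200 vendor_action=TCP_TUNNEL '
    'dest_status=HIER_DIRECT total_time_milliseconds=230 http_content_type="-" bytes=3987 bytes_in=1256 '
    'bytes_out=2731 sni="example.com"',
    # constructed: CONNECT to a non-HTTPS port with an SNI that differs from the CONNECT host
    '1700000001.456 logformat=splunk_recommended_squid duration=12 src_ip=10.0.0.7 src_port=40010 '
    'dest_ip=198.51.100.9 dest_port=8443 user_ident="-" user="-" local_time=[14/Nov/2023:22:13:21 +0000] '
    'http_method=CONNECT request_method_from_client=CONNECT request_method_to_server=- url="cdn.example.net:8443" '
    'http_referrer="-" http_user_agent="curl/8.4.0" status=200 vendor_action=TCP_TUNNEL dest_status=HIER_DIRECT '
    'total_time_milliseconds=10 http_content_type="-" bytes=2210 bytes_in=900 bytes_out=1310 sni="evil.example.org"',
    # constructed: default "squid" native format, request blocked by policy
    '1700000002.789      0 10.0.0.9 TCP_DENIED/403 3456 GET http://blocked.example.com/ - HIER_NONE/- text/html',
]


def parse_recommended(line: str) -> Dict[str, str]:
    """Parse a splunk_recommended_squid line: leading %ts.%03tu, then key=value pairs."""
    timestamp, _, rest = line.strip().partition(" ")
    event = {"timestamp": timestamp}
    for key, raw in _KV_RE.findall(rest):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]          # url, headers, user, sni are wrapped in literal quotes
        elif raw.startswith("[") and raw.endswith("]"):
            raw = raw[1:-1]          # local_time=[%tl]
        event[key] = raw
    return event


def parse_native(line: str) -> Dict[str, str]:
    """Parse a line in Squid's default "squid" logformat (10 space-separated fields)."""
    parts = line.split(None, len(_NATIVE_FIELDS) - 1)
    if len(parts) != len(_NATIVE_FIELDS):
        raise ValueError(f"not a native squid access.log line: {line!r}")
    event = dict(zip(_NATIVE_FIELDS, parts))
    event["vendor_action"], _, event["status"] = event.pop("result").partition("/")
    event["dest_status"], _, event["dest_ip"] = event.pop("hierarchy").partition("/")
    event["logformat"] = "squid"
    return event


def parse_line(line: str) -> Dict[str, str]:
    """Dispatch on the logformat= marker the recommended format embeds in every line."""
    if "logformat=splunk_recommended_squid" in line:
        return parse_recommended(line)
    return parse_native(line)


def dest_host_port(event: Dict[str, str]) -> Tuple[str, str]:
    """Host and port the client asked for; CONNECT requests log url as host:port."""
    url = event.get("url", "")
    if event.get("http_method") == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, port
    parts = urlsplit(url)
    return parts.hostname or "", str(parts.port or (443 if parts.scheme == "https" else 80))


def findings(event: Dict[str, str]) -> List[str]:
    """Reasons a line deserves a second look; an empty list means nothing odd."""
    reasons = []
    host, port = dest_host_port(event)
    if event.get("vendor_action", "").startswith("TCP_DENIED"):
        reasons.append("denied by proxy policy")
    if event.get("http_method") == "CONNECT" and port != "443":
        reasons.append(f"CONNECT tunnel to non-HTTPS port {port}")
    sni = event.get("sni", "-")     # only present in the recommended format, and only when SslBump peeks
    if sni not in ("", "-") and sni.lower() != host.lower():
        reasons.append(f"SNI {sni} does not match requested host {host}")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (src_ip, url, reasons) for every line that raised at least one finding."""
    flagged = []
    for line in lines:
        event = parse_line(line)
        reasons = findings(event)
        if reasons:
            flagged.append((event["src_ip"], event["url"], reasons))
    return flagged


if __name__ == "__main__":
    for src_ip, url, reasons in scan(SAMPLE_LINES):
        print(f"{src_ip} -> {url}: {'; '.join(reasons)}")
```

The SNI check only fires on recommended-format lines, which is the point of the comparison: the default "squid" format has no sni, port or header fields, so the second sample line would look like an ordinary successful CONNECT if logged in that format.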

Last modified on 04 December, 2023
This documentation applies to the following versions of Splunk® Supported Add-ons: released