Configure Squid Proxy access log
The Splunk Add-on for Squid Proxy monitors the access log file generated by the Squid Proxy server. The default location of the access log file is /usr/local/squid/var/logs/access.log or /var/log/squid/access.log. To change the location of the access log, see the documentation at http://www.squid-cache.org/Doc/config/access_log. For more information about the access log, see http://wiki.squid-cache.org/SquidFaq/SquidLogs#access.log.
Configure logs for sourcetype=squid:access:recommended
The Squid access log is highly customizable, so Splunk has defined a custom format that contains most of the important and recommended fields that Squid Proxy can provide. Every value is written as key=value, values that may contain spaces (user names, URLs, the Referer and User-Agent headers, the MIME type and the SNI) are double-quoted, and the local time is enclosed in square brackets. The literal logformat=splunk_recommended_squid field lets the add-on recognize lines written in this format. Below is the splunk_recommended_squid format:
logformat splunk_recommended_squid %ts.%03tu logformat=splunk_recommended_squid duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident="%[ui" user="%[un" local_time=[%tl] http_method=%rm request_method_from_client=%<rm request_method_to_server=%>rm url="%ru" http_referrer="%{Referer}>h" http_user_agent="%{User-Agent}>h" status=%>Hs vendor_action=%Ss dest_status=%Sh total_time_milliseconds=%<tt http_content_type="%mt" bytes=%st bytes_in=%>st bytes_out=%<st sni="%ssl::>sni"
Note the direction markers in Squid's logformat syntax: %>rm is the request method received from the client and %<rm is the method sent to the server or peer, while the format above binds them to the field names the other way round. Use the format as published so that the add-on's field names match, but keep this in mind before relying on those two fields in a search.
To configure the Splunk recommended logformat splunk_recommended_squid:
- Open squid.conf to edit.
- Copy and paste the example format block into squid.conf along with the other default logformats.
- Set the access_log directive in squid.conf to use the logformat you added. Locate the line that begins with access_log daemon:<path to access.log> and point it at the new recommended format:
access_log daemon:<path to access.log> splunk_recommended_squid
- Save squid.conf.
- Check the configuration for syntax errors with squid -k parse, then restart the squid server (or run squid -k reconfigure to reload the configuration without a restart).
Configure logs for sourcetype=squid:access
The Splunk Add-on for Squid Proxy also supports Squid's default "squid" format; however, that format lacks several of the important fields (for example the source port, the Referer and User-Agent headers, and the SNI) that the custom format described in this topic provides.
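The following added example (not part of the Splunk or Squid documentation) parses one access log line written in the splunk_recommended_squid format above and checks that every field the logformat declares is present, which is a quick way to confirm that the access_log directive was switched to the new format after the restart. The expected field names are derived from the logformat line itself rather than typed by hand. The sample log lines are constructed for this example; the second one is in Squid's default "squid" format and shows how the check fails for lines that were not written with the recommended format.

```python
import re

# The splunk_recommended_squid definition from this topic, kept as data so the
# parser derives the expected field names from it.
LOGFORMAT = (
    'logformat splunk_recommended_squid %ts.%03tu logformat=splunk_recommended_squid '
    'duration=%tr src_ip=%>a src_port=%>p dest_ip=%<a dest_port=%<p user_ident="%[ui" '
    'user="%[un" local_time=[%tl] http_method=%rm request_method_from_client=%<rm '
    'request_method_to_server=%>rm url="%ru" http_referrer="%{Referer}>h" '
    'http_user_agent="%{User-Agent}>h" status=%>Hs vendor_action=%Ss dest_status=%Sh '
    'total_time_milliseconds=%<tt http_content_type="%mt" bytes=%st bytes_in=%>st '
    'bytes_out=%<st sni="%ssl::>sni"'
)

# Constructed sample line as Squid would write it with the recommended format
# (1700000000 is 14 Nov 2023 22:13:20 UTC).
SAMPLE_LINE = (
    '1700000000.123 logformat=splunk_recommended_squid duration=215 src_ip=10.0.0.5 '
    'src_port=51234 dest_ip=93.184.216.34 dest_port=80 user_ident="-" user="alice" '
    'local_time=[14/Nov/2023:22:13:20 +0000] http_method=GET '
    'request_method_from_client=GET request_method_to_server=GET '
    'url="http://example.com/index.html" http_referrer="-" '
    'http_user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0" status=200 '
    'vendor_action=TCP_MISS dest_status=HIER_DIRECT total_time_milliseconds=210 '
    'http_content_type="text/html" bytes=5873 bytes_in=512 bytes_out=5361 sni="-"'
)

# Constructed sample line in Squid's default "squid" format for the same request.
DEFAULT_FORMAT_LINE = (
    '1700000000.123    215 10.0.0.5 TCP_MISS/200 5361 GET '
    'http://example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html'
)

# key= occurrences in the logformat line are the field names a log line must carry.
KEY_RE = re.compile(r'(\w+)=')
# Leading %ts.%03tu timestamp: seconds and three-digit milliseconds.
TS_RE = re.compile(r'^(\d+)\.(\d{3})\s+')
# key=value pairs: a double-quoted value (backslash-escaped quotes tolerated),
# a [bracketed] value that may contain spaces, or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\[[^\]]*\]|\S*)')


def expected_fields(logformat_line=LOGFORMAT):
    """Field names declared by the logformat directive, in log-line order."""
    return KEY_RE.findall(logformat_line)


def parse_access_line(line):
    """Parse one access.log line into a dict; raises if the timestamp is missing."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("line does not start with a %ts.%03tu timestamp")
    fields = {"timestamp": float(m.group(1) + "." + m.group(2))}
    for key, raw in FIELD_RE.findall(line[m.end():]):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            fields[key] = raw[1:-1]
        elif len(raw) >= 2 and raw[0] == '[' and raw[-1] == ']':
            fields[key] = raw[1:-1]
        else:
            fields[key] = raw
    return fields


def missing_fields(fields, logformat_line=LOGFORMAT):
    """Declared field names that the parsed line does not contain."""
    return [k for k in expected_fields(logformat_line) if k not in fields]


def is_recommended_format(line):
    """True when the line carries the logformat marker and every declared field."""
    fields = parse_access_line(line)
    return (fields.get("logformat") == "splunk_recommended_squid"
            and not missing_fields(fields))


if __name__ == "__main__":
    for sample in (SAMPLE_LINE, DEFAULT_FORMAT_LINE):
        parsed = parse_access_line(sample)
        print("recommended format:", is_recommended_format(sample),
              "missing:", len(missing_fields(parsed)))
```

Run it against the last few lines of the live access.log after the restart; a line that parses with no missing fields and logformat=splunk_recommended_squid confirms the directive change took effect, whereas lines in the default format parse to a timestamp only.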
This documentation applies to the following versions of Splunk® Supported Add-ons: released