Usually, it's pretty hard to analyze information from the squid log file. For example, I don't know how to analyze date or number of hits from /var/log/squid/access.log. If someone needs to analyze which websites are being accessed from the network, SARG may be a very good tool. SARG, or Squid Analysis Report Generator (http://sarg.sourceforge.net) analyzes the log, and generates a web based table where one can easily analyze proxy traffic.
Although SARG can be installed using YUM, I have faced problems with CentOS 6. So, I went for tarball installation instead. And believe, it's really easy unlike many tarball installtions.
So, let's start:
[root@busy-bee2 ~]# yum install gcc make wget httpd
[root@busy-bee2 ~]# wget http://sourceforge.net/projects/sarg/files/sarg/sarg-2.3.1/sarg-2.3.1.tar.gz/download
[root@busy-bee2 ~]# tar zxvf sarg-2.3.1.tar.gz
[root@busy-bee2 ~]# cd sarg-2.3.1
[root@busy-bee2 ~]# ./configure
[root@busy-bee2 ~]# make
[root@busy-bee2 ~]# make install
Time to modify the conf file
[root@busy-bee2 ~]# vim /usr/local/etc/sarg.conf
There are a lot of options, and it is always recommended to go through them. However, we'll be editing only the ones that we need.
#### sarg.conf####
access_log /var/log/squid/access.log
date_format e ## since here we use date format DD-MM-YYYY
overwrite_report yes ## because I don't want multiple sarg reports for the same day
output_dir /var/www/html/squid-reports
Time for a test run
[root@busy-bee2 ~]# sarg -x
We have used to the "-x" parameter for to view detail information on the run (used for debugging). If all goes well, there should be a report generated at/var/www/html/squid-reports directory which can be accessed from the web browser using the address http://IP/squid-reports
Sarg in Browser |
Now, we'd be adding a scheduled task to run SARG at 02:30 everyday.
[root@busy-bee2 ~]# crontab -e
30 2 * * * sarg
[root@busy-bee2 ~]# service crond restart
[root@busy-bee2 ~]# chkconfig crond on
Troubleshooting
If there is problem viewing the SARG page, here are a few tips:
- Check whether the Firewall is blocking (iptables)
- Check if there is a file /etc/httpd/conf.d/sarg.conf. There is a line "allow from". Modify it to suit your needs.
- Verify that there is directory "/var/www/html/squid-reports"