Documentation Center
AlienVault® USM Anywhere™

Squid Proxy

When you configure Squid Proxy integration to send log data to USM Anywhere, you can use the Squid Proxy plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Squid
Device type Proxy
Connection type syslog
Vendor link http://eric.lubow.org/2007/system-administration/syslog-ng-and-squid-logging/

Integrating Squid Proxy

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To configure Squid Proxy to send log data to the USM Anywhere sensor

  1. Go to /etc/squid/squid.conf and find the line that begins with the access_log directive. It should look like this:

    access_log /var/log/squid/squid.log squid

  2. Configure remote logging as an addition to current local logging by adding the following line to squid.conf:

    access_log syslog squid

    This tells Squid to write a second copy of the access log to syslog, in the standard squid log format, in addition to the local file.

    Note: Two copies are better than one, especially if you can spare the space and handle the network traffic.

  3. Make sure that Squid entries are not logged twice on your machine by adding the following lines to syslog-ng.conf:

    # The filter removes all entries that come from the
    # program 'squid' from the syslog
    filter f_remove { program("squid"); };

    # Everything that should be in the 'user' facility
    filter f_user { facility(user); };

    # The log destination should be the '/var/log/user.log' file
    destination df_user { file("/var/log/user.log"); };

    # The log destination should be sent via UDP
    # (replace the host name with the address of your USM Anywhere Sensor)
    destination logserver { udp("logserver.mycompany.com"); };

    # The actual logging directive
    log {
        # Standard source of all sources
        source(s_all);
        # Apply the 'f_user' filter
        filter(f_user);
        # Apply the 'f_remove' filter to remove all squid entries
        filter(f_remove);
        # Send whatever is left in the user facility log file to
        # the 'user.log' file
        destination(df_user);
        # Send it to the logserver
        destination(logserver);
    };

  4. Save the file.

Plugin Enablement

The Squid plugin automatically processes all messages whose syslog tag matches the value "squid".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol
  • bytes_out
  • customfield_0
  • customfield_1
  • customheader_0
  • customheader_1
  • event_description
  • event_name
  • plugin_device
  • plugin_device_version
  • request_method
  • request_referrer
  • request_url
  • request_user_agent
  • response_code
  • source_address
  • time_zone
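The following Python script is an added example, not code from AlienVault or from the Squid project. It illustrates both the enablement rule above (only syslog messages whose program tag is "squid" are handled) and the field extraction: it parses a syslog line carrying a record in Squid's native "squid" log format and maps the columns onto the plugin field names listed above. The sample log lines are constructed, the regular expressions and the mapping choices (for example which values land in customfield_0/1 and customheader_0/1) are this example's own assumptions, and the native squid format carries no Referer or User-Agent column, so request_referrer and request_user_agent are left empty.

```python
import re

# Constructed sample lines: two Squid records delivered over syslog with program
# tag "squid", plus one unrelated sshd line that the plugin must ignore.
SAMPLE_LINES = [
    '<30>Jun 14 10:21:05 proxy01 squid[2231]: 1718360465.123    312 10.0.0.25 '
    'TCP_MISS/200 5123 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html',
    '<30>Jun 14 10:21:06 proxy01 squid[2231]: 1718360466.401     45 10.0.0.31 '
    'TCP_DENIED/403 3701 CONNECT blocked.example:443 - HIER_NONE/- text/html',
    '<30>Jun 14 10:21:07 proxy01 sshd[1700]: Accepted publickey for admin from 10.0.0.2 port 50122',
]

PLUGIN_TAG = "squid"  # the syslog program tag the plugin keys on

# BSD-style syslog header: optional <PRI>, timestamp, host, tag[pid]: message
SYSLOG_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: '
    r'(?P<msg>.*)$'
)

# Native squid format:
# time elapsed client action/status bytes method url ident hierarchy/peer content-type
SQUID_NATIVE_RE = re.compile(
    r'^(?P<time>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'
    r'(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+'
    r'(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$'
)


def parse_syslog(line):
    """Split a syslog line into header fields and the bare message, or None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def plugin_applies(line):
    """Enablement rule: the plugin processes messages whose syslog tag is 'squid'."""
    hdr = parse_syslog(line)
    return hdr is not None and hdr["tag"] == PLUGIN_TAG


def normalize(line):
    """Map one squid-tagged syslog record onto the plugin field names, or None."""
    hdr = parse_syslog(line)
    if hdr is None or hdr["tag"] != PLUGIN_TAG:
        return None
    m = SQUID_NATIVE_RE.match(hdr["msg"])
    if m is None:
        return None  # tagged squid, but not the native format this parser handles
    r = m.groupdict()
    method, url = r["method"], r["url"]
    # CONNECT requests log host:port rather than a URL, so there is no scheme to read.
    if method == "CONNECT":
        proto = "https"
    else:
        proto = url.split("://", 1)[0].lower() if "://" in url else "http"
    return {
        "plugin_device": "Squid",
        "plugin_device_version": "",          # not present in the log record
        "event_name": r["action"],            # e.g. TCP_MISS, TCP_DENIED
        "event_description": f'{r["action"]}/{r["status"]} {method} {url}',
        "source_address": r["client"],
        "request_method": method,
        "request_url": url,
        "response_code": int(r["status"]),
        "bytes_out": int(r["bytes"]),
        "application_protocol": proto,
        "request_referrer": "",               # no Referer column in native format
        "request_user_agent": "",             # no User-Agent column in native format
        "time_zone": "UTC",                   # native timestamp is epoch seconds (UTC)
        # Assumed mapping for the generic custom fields (not defined by the page):
        "customheader_0": "elapsed_ms",
        "customfield_0": int(r["elapsed"]),
        "customheader_1": "hierarchy",
        "customfield_1": f'{r["hier"]}/{r["peer"]}',
    }


def normalize_all(lines):
    """Normalize every line the plugin applies to; other lines are dropped."""
    return [ev for ev in (normalize(ln) for ln in lines) if ev is not None]


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(ev)
```

Lines that carry the "squid" tag but are not in the native format (for example if access_log was configured with the combined format) return None here; a production parser would add a second pattern for that format, which is where request_referrer and request_user_agent would be populated.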

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://www.linuxnix.com/troubleshooting-squid-reverse-proxy-server/