
Problem with squid logs

nayan7253

Entry Level
I have installed the OSSEC agent on the proxy server. The problem is that squid logs do not match the squid rules. When I check the same log with ossec-logtest, it matches the squid rule. But in alerts.log the output is "unknown problem somewhere in system" and the rule group is "syslog,error".

For example, a line from squid access.log:

1393244131.182      3 31.101.24.110 TCP_DENIED/407 2725 GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= - NONE/- text/html

AV - Alert - "1393244398" --> RID: "1002"; RL: "2"; RG: "syslog,errors,"; RC: "Unknown problem somewhere in the system."; USER: "None"; SRCIP: "None"; HOSTNAME: "(Megha) 192.168.2.56->/usr/local/squid/var/logs/access.log"; LOCATION: "(Megha) 192.168.2.56->/usr/local/squid/var/logs/access.log"; EVENT: "[INIT] 1393244131.182 3 31.101.24.110 TCP_DENIED/407 2725 GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= - NONE/- text/html[END]";

The output of the same log with ossec-logtest is:

**Phase 1: Completed pre-decoding.
       full event: '1393244131.182      3 31.101.24.110 TCP_DENIED/407 2725 GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= - NONE/- text/html'
       hostname: 'alienvault'
       program_name: '(null)'
       log: '3 31.101.24.110 TCP_DENIED/407 2725 GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= - NONE/- text/html'

**Phase 2: Completed decoding.
       decoder: 'squid-accesslog'

**Phase 3: Completed filtering (rules).
       Rule id: '35000'
       Level: '0'
       Description: 'Squid messages grouped.'
Please suggest.

Answers

  • Does anybody have any idea?
  • Please suggest.
  • Can you post your <localfile> statement for capturing the squid logs?
  • <localfile>
    <log_format>squid</log_format>
    <location>/usr/local/squid/var/log/access.log</location>
    </localfile>
  • If that can help, here is my custom one:

    [squid-access]
    event_type=event
    regexp=\d+\.\d+\s+\d+\s+(?P<host>[^\s]+)\s+[^\/]+\/(?P<sid>(\d+))\s+\d+\s+\w+\s+(?P<url>[^\s]+)\s+\-\s+\S+\/(?P<dst_ip>[^\s]+).*
    src_ip={resolv($host)}
    dst_ip={resolv($dst_ip)}
    plugin_sid={$sid}
    userdata1={$3}
    userdata2={$url}

    [squid-apache-access]
    event_type=event
    regexp=(?P<host>\w+) squid\[\d+\]: (?P<src_ip>\IPV4) (\S+) (\S+) \[(?P<date>(?P<day>\d\d)\/(?P<month>\w\w\w)\/(?P<year>\d\d\d\d):(?P<hour>\d\d):(?P<minute>\d\d):(?P<second>\d\d))[^]]+\] "((?P<action>\w+) (?P<url>[^"]+))" (?P<sid>\d+) (?P<size>\d+) "(?P<referrer>[^"]+)" "(?P<useragent>[^"]+)" (?P<status>\w+)
    date={normalize_date($date)}
    device={resolv($host)}
    plugin_sid={$sid}
    src_ip={$src_ip}
    dst_ip=127.0.0.1
    dst_port=80
    userdata1={$action}
    userdata2={$url}
    userdata3={$referrer}
    userdata4={$useragent}
    userdata5={$size}
    userdata6={$status}
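The quickest way to see whether a plugin regexp of the kind posted above actually parses the squid native log format is to run it against the access.log line from the question before touching the agent. The following is an added example, not code from this thread or from OSSEC/OSSIM: a Python parser using a regexp in the style of the [squid-access] plugin (Python re syntax, which is also what OSSIM plugin regexps use). All group names (ts, elapsed, host, result, sid, bytes, method, url, user, hier, dst_ip, mime) are this example's own assumptions, chosen so that host/sid/url/dst_ip mirror the $host/$sid/$url/$dst_ip references in that plugin; the sample log is constructed, with the first line taken from the original post and the rest made up to cover other result codes and a non-squid line.

```python
import re

# Regexp in the style of the [squid-access] plugin above (assumed group names;
# host/sid/url/dst_ip follow that plugin's $host/$sid/$url/$dst_ip references).
# [^/\s]+ for the result and hierarchy tokens avoids the backtracking a bare
# \S+ would need before the '/'.
SQUID_NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<host>[^\s]+)\s+"
    r"(?P<result>[^/\s]+)/(?P<sid>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\w+)\s+"
    r"(?P<url>[^\s]+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<dst_ip>[^\s]+)"
    r"\s+(?P<mime>\S+)\s*$"
)

# Constructed sample input: line 1 is the access.log line from the original
# post; the others are made up to exercise other result codes and a line the
# regexp must reject.
SAMPLE_LOG = """\
1393244131.182      3 31.101.24.110 TCP_DENIED/407 2725 GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEDWXMYfzhzoHMn7OWAybfto= - NONE/- text/html
1393244132.500    120 10.0.0.5 TCP_MISS/200 15320 GET http://example.test/index.html alice HIER_DIRECT/203.0.113.10 text/html
1393244133.001     40 10.0.0.7 TCP_MISS/403 512 CONNECT blocked.example.test:443 - HIER_NONE/- -
this line is not a squid access entry
"""


def parse_line(line):
    """Parse one squid native access.log line into a dict, or return None when
    the regexp does not match (a SIEM decoder would then fall through)."""
    m = SQUID_NATIVE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])          # HTTP status code, used as plugin_sid above
    rec["bytes"] = int(rec["bytes"])
    rec["elapsed"] = int(rec["elapsed"])
    # Squid writes '-' where there is no authenticated user or no peer address.
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["dst_ip"] = None if rec["dst_ip"] == "-" else rec["dst_ip"]
    return rec


def parse_log(text):
    """Split a log into parsed records and the lines the regexp did not match,
    so unmatched lines are visible instead of silently dropped."""
    parsed, unmatched = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unmatched.append(line)
        else:
            parsed.append(rec)
    return parsed, unmatched


def denied_requests(records):
    """Records worth alerting on: squid denied the request outright, or the
    response was an auth/forbidden status (401, 403, 407)."""
    return [r for r in records
            if r["result"] == "TCP_DENIED" or r["sid"] in (401, 403, 407)]


if __name__ == "__main__":
    parsed, unmatched = parse_log(SAMPLE_LOG)
    for r in parsed:
        print(f"{r['host']:>15} {r['result']}/{r['sid']} {r['method']} {r['url'][:40]}")
    print("unmatched lines:", len(unmatched))
    print("denied/auth-required:", len(denied_requests(parsed)))
```

Feeding the exact line from alerts.log through a check like this (or through ossec-logtest, as the poster did) separates a regexp problem from a collection problem: if the line parses here and in ossec-logtest but still arrives under the generic rule 1002, the mismatch is in how the agent forwards the file (log_format and location in the localfile block), not in the squid decoder or plugin regexp.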
This discussion has been closed.