I tried the script below; although it did give back a file, it only had one entry in it. What I am interested in is all IP addresses that visited a particular domain's site and subdomains of that site.

egrep http://www.somesite.com access.log | egrep '192.168.1.[234]' | awk
egrep: access.log: No such file or directory

Jim Brouse
Internet Administrator
Information Technology Department
Pascua Yaqui Tribe of Arizona
Phone: 520-879-5813
E-mail: [EMAIL PROTECTED]


"Adam" <[EMAIL PROTECTED]>
07/31/2003 11:11 AM
Please respond to "Adam"

To: <[EMAIL PROTECTED]>
cc:
Subject: Re: [squid-users] Squid Activity/Usage and Reporting Tools


Jim wrote:
> What is the best way to determine how busy squid is, for example if there
> is an Internet slow down. Some way to determine if the squid box is busy,
> if the squid box can not get out to the Internet, or just a particularly
> slow web page?

"How busy squid is" would seem to me to be different than if there is an internet slow down. For monitoring squid, use the cachemgr.cgi script. Info here: http://www.squid-cache.org/Doc/FAQ/FAQ-9.html. The general info page has some useful info - if any particular value is not self-evident then just search for it using groups.google.com (to just search this mailing list, go to Advanced and put in mailing.unix.squid-users).

However my problem is often: is it squid or the internet? Fortunately we have a few test boxes that can go via the proxy or directly out. So from those boxes and the proxy itself we do traceroutes and pings to various test sites (e.g. our own offsite servers) so we have an idea of what normal/expected traffic and return times are. I use ping to see packet loss and any ups/downs in traffic. We have 2 T1's and one often has intermittent problems so this helps to show them:

$ ping -s www.somesite.com 56 100
(this says send 56byte packets a hundred times - it's ping -t on Win2K).
PING www.somesite.com: 56 data bytes
64 bytes from www.somesite.com (209.157.104.243): icmp_seq=0. time=11. ms
64 bytes from www.somesite.com (209.157.104.243): icmp_seq=1. time=109. ms
64 bytes from www.somesite.com (209.157.104.243): icmp_seq=2. time=128. ms
etc.

traceroute www.somesite.com is also very handy.

> Also if I have a squid access.log and I want to determine all users IP
> addresses that are accessing www.somesite.com what is the best way to pull
> out that information.

Short of using one of the reports/tools listed here http://www.squid-cache.org/Scripts/, why not use something like this:

egrep http://www.somesite.com access.log | egrep '192.168.1.[234]' | awk '{print $3}' | sort -u > /tmp/gotcha

(Assumes you are using native log format, are not logging fqdn, hence IP is 3rd field. Substitute 192.168.1.[234] for whatever IP range you are seeking).

hth
Adam
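
An added example, not part of the original thread: a variant of the one-liner above that compares the host parsed out of the URL field instead of grepping the whole line, so subdomains and CONNECT requests are counted and a URL that only mentions the site in its query string is not. It assumes the native log format described above (client in field 3, URL in field 7); the function names `clients_for_domain` and `sample_log` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed Squid native access.log layout:
#   time elapsed client action/code size method URL ident hierarchy type

# clients_for_domain DOMAIN [LOGFILE...]
# Prints each client IP that requested DOMAIN or any subdomain of it, once.
clients_for_domain() {
    domain=$1
    shift
    awk -v dom="$domain" '
    BEGIN { dom = tolower(dom) }
    {
        host = tolower($7)
        sub("^[a-z][a-z0-9+.-]*://", "", host)  # drop scheme (absent on CONNECT)
        sub("[/?#].*$", "", host)               # drop path, query, fragment
        sub("^.*@", "", host)                   # drop userinfo
        sub(":[0-9]*$", "", host)               # drop port
        sub("[.]$", "", host)                   # drop trailing dot
        n = length(host); d = length(dom)
        # exact match, or host ends in "." followed by the domain
        if (host == dom || (n > d && substr(host, n - d) == "." dom))
            print $3
    }' "$@" | sort -u
}

# Constructed sample log lines (not taken from a real access.log).
sample_log() {
    cat <<'EOF'
1059675060.101    120 192.168.1.2 TCP_MISS/200 4512 GET http://www.somesite.com/index.html - DIRECT/209.157.104.243 text/html
1059675061.220   2310 192.168.1.3 TCP_MISS/200 3021 CONNECT secure.somesite.com:443 - DIRECT/209.157.104.243 -
1059675062.007     15 192.168.1.2 TCP_HIT/200 880 GET http://WWW.SomeSite.com/a.gif - NONE/- image/gif
1059675063.415     98 192.168.1.7 TCP_MISS/200 1200 GET http://notsomesite.com/ - DIRECT/192.0.2.20 text/html
1059675064.530     77 192.168.1.8 TCP_MISS/302 310 GET http://other.example/r?u=http://www.somesite.com/ - DIRECT/192.0.2.10 text/html
1059675065.900    140 192.168.1.4 TCP_MISS/200 2048 GET http://somesite.com:8080/x - DIRECT/209.157.104.243 text/html
EOF
}

# Demo on the sample; on a real proxy: clients_for_domain somesite.com access.log
sample_log | clients_for_domain somesite.com
```

Pass the full path to access.log as the second argument; the "No such file or directory" error above means the log was not in the directory the command was run from.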
