Carol Tardif wrote:
>
> I'm using squid with squidGuard. Every day I run a script that parses
> access.log. But when I parse access.log I need to know if a line
> was rejected by squidGuard. But I can't see anything particular
> that can tell me if it was rejected.
>
> Example:
>
>   TCP_MEM_HIT/200 613 GET http://playboy.com/ - NONE/- text/html
>   TCP_REFRESH_HIT/304 235 GET http://warez.com/ - DIRECT/64.40.108.39 -
>
> <NOTE: Time stamp and ip removed from log entries for readability.>
>
> These two lines were rejected, but how would I know?
> What I want is to have a distinctive line, or not to see the
> rejected lines. Is it possible? Or will I have to parse also the
> logs of squidGuard...
I don't have a perfect answer, but I can get you a lot closer than you are now.

Within your squidGuard.conf file there are three different ways that you can redirect:

  A) redirect http://yoursever.com//cgi-bin/squidGuard.cgi?...
  B) redirect 301:http://yoursever.com//cgi-bin/squidGuard.cgi?...
  C) redirect 302:http://yoursever.com//cgi-bin/squidGuard.cgi?...

Using redirect method A, here's what is logged in access.log when I try those two sites you listed:

  TCP_MISS/403 2854 GET http://playboy.com/ rick DIRECT/192.168.44.1 text/html
  TCP_HIT/200 8232 GET http://192.168.44.1/stop.gif - NONE/- image/gif
  TCP_MISS/403 2850 GET http://warez.com/ rick DIRECT/192.168.44.1 text/html
  TCP_IMS_HIT/304 225 GET http://192.168.44.1/stop.gif - NONE/- image/gif

(stop.gif is a graphic on my redirect page)

There is no difference in the logging between method B and method C; the following is logged for both methods:

  TCP_MISS/000 358 GET http://playboy.com/ - NONE/- -
  TCP_MISS/403 2854 GET http://192.168.44.1/cgi-bin/squidGuard.cgi?...
  TCP_IMS_HIT/304 225 GET http://192.168.44.1/stop.gif - NONE/- image/gif
  TCP_MISS/000 356 GET http://warez.com/ - NONE/- -
  TCP_MISS/403 2850 GET http://192.168.44.1/cgi-bin/squidGuard.cgi?...
  TCP_IMS_HIT/304 225 GET http://192.168.44.1/stop.gif - NONE/- image/gif

If you use redirect method A, you can strip all of the '/403 ' records out of the access.log file to remove the squidGuard blocks. The 403 Forbidden status can be received from a web site, so not all of the '/403 ' records will be the result of squidGuard blocks. But I tested an access.log file that contained 250,000 records and found 1405 records that contained '/403 '. Seven of those were received from web sites; the other 1398 were squidGuard blocks.

I hope this helps you.

Rick Matthews
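Added example (not from either poster): a small parser for the native access.log format shown in the thread that flags squidGuard blocks under both redirect styles. It assumes a known redirect server (192.168.44.1, as in Rick's logs) and the squidGuard.cgi path; for method A it additionally checks that the 403 came back from the redirect server, which separates Rick's seven genuine web-site 403s from the blocks, and for methods B/C it pairs the status-000 record with the CGI request that follows it. The log records are constructed for the example.

```python
import re
# Hypothetical redirect server from squidGuard.conf; the thread shows 192.168.44.1 in Rick's logs.
REDIRECT_HOSTS = {"192.168.44.1"}
REDIRECT_CGI = "/cgi-bin/squidGuard.cgi"
# Native access.log columns after the timestamp/elapsed/client fields the thread omits:
# result/status bytes method url user hierarchy/peer mime-type
RECORD_RE = re.compile(
    r"^(?P<result>\S+)/(?P<status>\d{3}) (?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<user>\S+) (?P<hier>\S+)/(?P<peer>\S+) (?P<mime>\S+)$"
)

# Constructed sample records modelled on the thread (timestamps and client IPs removed).
SAMPLE_LOG = """\
TCP_MISS/403 2854 GET http://playboy.com/ rick DIRECT/192.168.44.1 text/html
TCP_HIT/200 8232 GET http://192.168.44.1/stop.gif - NONE/- image/gif
TCP_MISS/403 512 GET http://example.org/private/ rick DIRECT/203.0.113.5 text/html
TCP_MISS/000 358 GET http://warez.com/ - NONE/- -
TCP_MISS/403 2850 GET http://192.168.44.1/cgi-bin/squidGuard.cgi?url=http://warez.com/ - DIRECT/192.168.44.1 text/html
TCP_MISS/000 120 GET http://example.net/ - NONE/- -
TCP_MISS/200 1234 GET http://example.com/ - DIRECT/203.0.113.6 text/html
"""

def url_host(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""

def parse_records(text):
    return [m.groupdict() for m in map(RECORD_RE.match, text.splitlines()) if m]

def squidguard_blocks(text):
    """Return (url, redirect_method) for each record that looks like a squidGuard block."""
    recs = parse_records(text)
    blocks = []
    for i, r in enumerate(recs):
        if url_host(r["url"]) in REDIRECT_HOSTS:
            continue  # objects of the block page itself (stop.gif, the CGI), not a user request
        # Method A: squid fetched the rewritten URL from the redirect server, which answered 403;
        # checking the peer weeds out genuine 403s from the site the user actually asked for.
        if r["status"] == "403" and r["peer"] in REDIRECT_HOSTS:
            blocks.append((r["url"], "A"))
        # Methods B/C: the original request is logged with status 000, immediately followed
        # by the client's request for the redirect CGI that the 301/302 sent it to.
        elif r["status"] == "000" and i + 1 < len(recs) and REDIRECT_CGI in recs[i + 1]["url"]:
            blocks.append((r["url"], "B/C"))
    return blocks

if __name__ == "__main__":
    for url, method in squidguard_blocks(SAMPLE_LOG):
        print(f"blocked by squidGuard (redirect method {method}): {url}")
```

The status-000 pairing only works when the two records are adjacent, so on a busy proxy you would key on the client IP column (omitted here) before matching.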
