You can configure Squid to use syslog to forward your access and cache
events.
Procedure
- Use SSH to log in to the Squid device command line interface.
- Open the following file:
  /etc/rc3.d/S99local
  Note: If /etc/rc3.d/S99local does not exist, use /etc/rc.d/rc.local.
- Add the following line:
  tail -f /var/log/squid/access.log | logger -p <facility>.<priority> &
  - <facility> is any valid syslog facility, written in lowercase, such as authpriv, daemon, local0 to local7, or user.
  - <priority> is any valid syslog priority, written in lowercase, such as err, warning, notice, info, or debug.
- Save and close the file.
  Logging begins the next time that the system is restarted.
- To begin logging immediately, type the following command:
  nohup sh -c "tail -f /var/log/squid/access.log | logger -p <facility>.<priority>" &
  The <facility> and <priority> options are the same values that you entered above.
- Open the following file:
  /etc/syslog.conf
  Note: When using rsyslog, open /etc/rsyslog.conf instead of /etc/syslog.conf.
- Add the following line to send the logs to QRadar:
  <facility>.<priority> @<QRadar_IP_address>
  The following example shows a priority and facility for Squid messages and a QRadar IP address:
  local4.info @<IP_address>
- Confirm that the access_log format ends in common.
  Example:
  access_log /path/to/access.log common
  Choose one of the following options:
  - If the access_log format end value is squid, change squid to common, as displayed in the example.
  - If the access_log format does not have an ending value, add the following line to the Squid conf file to turn on httpd log file emulation:
    emulate_httpd_log on
- Save and close the file.
- Type the following command to restart the syslog daemon:
  /etc/init.d/syslog restart
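The whole procedure above, gathered into a small POSIX shell helper as an added example (not from the QRadar documentation or the Squid project): it validates the <facility>.<priority> selector against the values the steps list, prints the rc-file line, the nohup command and the syslog.conf forwarding line for a given QRadar address, and reads the access_log directive of a squid.conf to report which of the options in the squid.conf step applies. The QRadar address 192.0.2.10 and the sample squid.conf are constructed placeholders; the helper only reads the file you pass it and never edits anything under /etc.

```shell
#!/bin/sh
# Added example, not part of the QRadar or Squid documentation.
# Builds and sanity-checks the lines the syslog-forwarding procedure asks for.

# Facilities and priorities the procedure lists (lowercase).
VALID_FACILITIES="authpriv daemon local0 local1 local2 local3 local4 local5 local6 local7 user"
VALID_PRIORITIES="err warning notice info debug"

# in_list WORD LIST -> returns 0 if WORD appears in the space-separated LIST
in_list() {
    _needle=$1
    shift
    for _w in $1; do
        [ "$_w" = "$_needle" ] && return 0
    done
    return 1
}

# validate_selector FACILITY PRIORITY -> prints "facility.priority" or fails
validate_selector() {
    in_list "$1" "$VALID_FACILITIES" || { echo "invalid facility: $1" >&2; return 1; }
    in_list "$2" "$VALID_PRIORITIES" || { echo "invalid priority: $2" >&2; return 1; }
    printf '%s.%s\n' "$1" "$2"
}

# logger_cmd FACILITY PRIORITY [LOGFILE] -> the line to add to the rc file
logger_cmd() {
    _sel=$(validate_selector "$1" "$2") || return 1
    printf 'tail -f %s | logger -p %s &\n' "${3:-/var/log/squid/access.log}" "$_sel"
}

# immediate_cmd FACILITY PRIORITY [LOGFILE] -> the nohup command to start now
immediate_cmd() {
    _sel=$(validate_selector "$1" "$2") || return 1
    printf 'nohup sh -c "tail -f %s | logger -p %s" &\n' "${3:-/var/log/squid/access.log}" "$_sel"
}

# syslog_conf_line FACILITY PRIORITY QRADAR_IP -> the /etc/syslog.conf line
syslog_conf_line() {
    _sel=$(validate_selector "$1" "$2") || return 1
    printf '%s @%s\n' "$_sel" "$3"
}

# access_log_format SQUID_CONF -> trailing format name of the first access_log
# directive ("common", "squid", ...), "none" if it has no trailing value, or
# "missing" if there is no access_log directive at all
access_log_format() {
    _line=$(grep -E '^[[:space:]]*access_log[[:space:]]' "$1" | head -n 1)
    [ -n "$_line" ] || { echo "missing"; return 0; }
    set -- $_line          # split the directive into words: access_log PATH [FORMAT]
    [ $# -ge 3 ] && echo "$3" || echo "none"
}

# squid_conf_advice SQUID_CONF -> which option of the squid.conf step applies
squid_conf_advice() {
    case $(access_log_format "$1") in
        common) echo "ok: access_log format is common" ;;
        squid)  echo "change: replace trailing 'squid' with 'common'" ;;
        none)   echo "add: emulate_httpd_log on" ;;
        *)      echo "check: access_log directive missing or format not recognised" ;;
    esac
}

# --- demonstration on a constructed squid.conf (never touches /etc) ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/squid.conf" <<'EOF'
# constructed sample, not a real deployment
http_port 3128
access_log /var/log/squid/access.log squid
EOF

logger_cmd local4 info
immediate_cmd local4 info
syslog_conf_line local4 info 192.0.2.10      # placeholder QRadar address
squid_conf_advice "$DEMO_DIR/squid.conf"
rm -rf "$DEMO_DIR"
```

The single @ in the syslog.conf line is plain UDP syslog forwarding, which is what the procedure specifies; confirm that the path between the Squid host and QRadar passes UDP 514 before expecting the log source to be discovered.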
For more information about configuring Squid, see your vendor documentation.
Results
After you configure syslog forwarding for your cache and access logs, the configuration is
complete. QRadar can
automatically discover syslog events that are forwarded from Squid.