Configuring syslog forwarding

You can configure Squid to use syslog to forward your access and cache events.

Procedure

  1. Use SSH to log in to the Squid device command line interface.
  2. Open the following file:
    /etc/rc3.d/S99local
    Note: If /etc/rc3.d/S99local does not exist, use /etc/rc.d/rc.local.
  3. Add the following line:

    tail -f /var/log/squid/access.log | logger -p <facility>.<priority> &

    • <facility> is any valid syslog facility, which is written in lowercase such as authpriv, daemon, local0 to local7, or user.
    • <priority> is any valid priority that is written in lowercase such as err, warning, notice, info, debug.
  4. Save and close the file.

    Logging begins the next time that the system is restarted.

  5. To begin logging immediately, type the following command:

    nohup sh -c "tail -f /var/log/squid/access.log | logger -p <facility>.<priority>" &

    The <facility> and <priority> options are the same values that you entered.

  6. Open the following file:
    /etc/syslog.conf
    Note: When using rsyslog, open /etc/rsyslog.conf instead of /etc/syslog.conf.
  7. Add the following line to send the logs to QRadar:

    <facility>.<priority> @<QRadar_IP_address>

    The following example shows a priority and facility for Squid messages and a QRadar IP address:

    local4.info @<IP_address>

  8. Confirm that access_log format ends in common.
    Example: 
    access_log /path/to/access.log common

    If the access_log format end value is squid, change squid to common, as displayed in the example.

    If the access_log format does not have an ending value, add the following line to the Squid conf file to turn on httpd log file emulation: 

    emulate_httpd_log on
  9. Choose one of the following options:
    • To restart the Squid service, type the following command: 
      service squid restart
    • To reload the configuration without restarting the service, type the following command:
      /usr/sbin/squid -k reconfigure
  10. Save and close the file.
  11. Type the following command to restart the syslog daemon:

    /etc/init.d/syslog restart

    For more information about configuring Squid, see your vendor documentation.

Results

After you configure syslog forwarding for your cache and access logs, the configuration is complete. QRadar can automatically discover syslog events that are forwarded from Squid.