Squid Web Proxy
What is Discovered and Monitored
Protocol | Information discovered | Metrics collected | Used for |
---|---|---|---|
SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring |
Syslog | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance |
Event Types
In ADMIN > Device Support > Event, search for "squid" in the Description and Device Type columns to see the event types associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
- Add the following line to the
logformat
section in/etc/squid/squid.conf
based of your version of Squid.
For Squid versions earlier than 4.1.1:logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un %us %ue [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
For Squid version 4.1.1 and later:
logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
- Add the following line to the
access_log
section in/etc/squid/squid.conf
.access_log syslog:LOG_LOCAL4 PHCombined
- Restart Squid.
Configure syslogd (or rsyslogd) to Forward the Logs to FortiSIEM
- Modify
/etc/syslog.conf
(/etc/rsyslog.conf
if runningrsyslog
) .Local4.*
@<FortiSIEMIp>
- Restart syslogd (or rsyslogd).
Sample Parsed Squid Syslog Messages
Squid on Linux with syslog locally to forward to FortiSIEM
<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - - [22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js" HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT
Squid on Linux with syslog-ng locally to forward to FortiSIEM
<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 - - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM
<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121 66.235.132.121 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:05:49 \-0700|] GET "http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779365053734?" HTTP/1.1 200 746 1177 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to FortiSIEM
<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125 64.213.38.80 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:44:12 -0700] GET "http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg" HTTP/1.1 200 12271 520 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Solaris with syslog locally to forward to FortiSIEM
<166>May 6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_MISS:DIRECT
Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM
<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info] 192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 - - - - - [20/Oct/2009:13:02:19 -0700] GET "http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?" HTTP/1.1 200 685 1604 "http://www.microsoft.com/en/us/default.aspx" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT