External Systems Configuration Guide

Squid Web Proxy

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring |
| Syslog | | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event Types, search for "squid" to see the event types associated with this device. 

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Syslog
  1. Add the following line to the logformat section in /etc/squid/squid.conf, based on your version of Squid.

    For Squid versions earlier than 4.1.1:

    logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un %us %ue [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

    For Squid version 4.1.1 and later (this line omits the %us and %ue tokens):

    logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

  2. Add the following line to the access_log section in /etc/squid/squid.conf.

    access_log syslog:LOG_LOCAL4 PHCombined

  3. Restart Squid.
Configure syslogd (or rsyslogd) to Forward the Logs to FortiSIEM
  1. Modify /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) and add a rule that sends every message logged to the local4 facility to FortiSIEM. The selector and the action go on one line, separated by whitespace; a single @ forwards over UDP (rsyslog also accepts @@ for TCP).

    local4.*    @<FortiSIEMIp>

  2. Restart syslogd (or rsyslogd).
Sample Parsed Squid Syslog Messages
Squid on Linux with syslog Locally to Forward to FortiSIEM

<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - - [22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js" HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT
Squid on Linux with syslog-ng Locally to Forward to FortiSIEM

<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 - - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Linux with syslog Locally and Forward to syslog-ng Remotely to Forward to FortiSIEM

<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121 66.235.132.121 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:05:49 -0700] GET "http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779365053734?" HTTP/1.1 200 746 1177 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to FortiSIEM

<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125 64.213.38.80 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:44:12 -0700] GET "http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg" HTTP/1.1 200 12271 520 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Solaris with syslog Locally to Forward to FortiSIEM

<166>May  6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_MISS:DIRECT
Squid on Solaris with syslog Locally and Forward to syslog-ng Remotely to Forward to FortiSIEM

<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info] 192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 - - - - - [20/Oct/2009:13:02:19 -0700] GET "http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?" HTTP/1.1 200 685 1604 "http://www.microsoft.com/en/us/default.aspx" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
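The following Python script is an added example; it is not part of the FortiSIEM guide and is not FortiSIEM's own parser. It parses the sample messages above into the attributes listed under "What is Discovered and Monitored" (source and destination IP, method, URL, status, byte counts, connection duration, referrer, user agent, proxy action), accepts both PHCombined variants (five user tokens before Squid 4.1.1, three from 4.1.1 on) and the three syslog header shapes that appear in the samples (no hostname, hostname, Solaris "[ID ... local4.info]" tag), and decodes the syslog PRI so you can confirm that messages really arrive on the local4 facility the access_log line selects. The fourth sample line, with the host proxy1, the user alice and the documentation-range addresses, is constructed here to exercise the 4.1.1+ layout.

```python
import re
from datetime import datetime

# Syslog facility numbers (RFC 3164). LOG_LOCAL4 is facility 20, so with
# severity 6 (info) the PRI is 20 * 8 + 6 = 166, the value every sample carries.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Syslog header as seen in the samples: PRI, optional BSD timestamp, optional
# hostname, "squid[pid]:", and the "[ID nnnnnn local4.info]" tag Solaris adds.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) )?"
    r"(?:(?P<host>\S+) )??"
    r"squid\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ \S+\] )?"
    r"(?P<body>.*)$")

# Body in PHCombined order:
#   %>a %>p %<A %la %lp %tr <user tokens> [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st
#   "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
# User tokens are %ul %ui %un %us %ue (five) before 4.1.1 and %ul %ui %un (three)
# from 4.1.1 on; the group below accepts either and never swallows "[%tl]".
BODY_RE = re.compile(
    r"^(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) "
    r"(?P<local_ip>\S+) (?P<local_port>\d+) (?P<duration_ms>\d+) "
    r"(?P<users>(?:[^\s\[]+ ){3}(?:[^\s\[]+ [^\s\[]+ )?)"
    r'\[(?P<time>[^\]]+)\] (?P<method>\S+) "(?P<url>[^"]*)" '
    r"HTTP/(?P<http_version>\S+) (?P<status>\d+) "
    r"(?P<reply_bytes>\d+) (?P<request_bytes>\d+) "
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r"(?P<squid_status>[^:\s]+):(?P<hierarchy>\S+)$")


def decode_pri(pri):
    """Split a syslog PRI into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, "unknown"), SEVERITIES[severity]


def parse_squid_syslog(line):
    """Parse one PHCombined syslog line into a dict; None if it does not fit."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    body = BODY_RE.match(head.group("body"))
    if not body:
        return None
    facility, severity = decode_pri(int(head.group("pri")))
    users = body.group("users").split()
    return {
        "facility": facility, "severity": severity,
        "host": head.group("host"),            # None when syslogd omitted it
        "pid": int(head.group("pid")),
        "src_ip": body.group("src_ip"),        # %>a client address
        "src_port": int(body.group("src_port")),
        "dst_ip": body.group("dst_ip"),        # %<A server IP or peer name
        "local_ip": body.group("local_ip"),    # %la / %lp: proxy listener
        "local_port": int(body.group("local_port")),
        "duration_ms": int(body.group("duration_ms")),  # %tr
        "logformat": "pre-4.1.1" if len(users) == 5 else "4.1.1+",
        "user": None if users[2] == "-" else users[2],  # %un
        "time": datetime.strptime(body.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": body.group("method"),
        "url": body.group("url"),
        "http_version": body.group("http_version"),
        "status": int(body.group("status")),
        "reply_bytes": int(body.group("reply_bytes")),      # %<st
        "request_bytes": int(body.group("request_bytes")),  # %>st
        "referer": body.group("referer"),
        "user_agent": body.group("user_agent"),
        "squid_status": body.group("squid_status"),  # %Ss, e.g. TCP_MISS
        "hierarchy": body.group("hierarchy"),        # %Sh, e.g. DIRECT
    }


# The first three lines are samples from the guide; the fourth is constructed
# here in the 4.1.1+ layout (three user tokens, documentation-range addresses).
SAMPLE_LINES = [
    '<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - - [22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js" HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT',
    '<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 - - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT',
    '<166>May  6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_MISS:DIRECT',
    '<166>Nov  3 10:15:02 proxy1 squid[4242]: 10.0.0.5 50122 203.0.113.10 10.0.0.1 3128 42 - - alice [03/Nov/2023:10:15:02 +0000] CONNECT "example.com:443" HTTP/1.1 200 5120 300 "-" "curl/8.0.1" TCP_TUNNEL:HIER_DIRECT',
]


def parse_samples(lines=SAMPLE_LINES):
    """Parse every line, dropping any that do not match the PHCombined layout."""
    return [r for r in map(parse_squid_syslog, lines) if r]


if __name__ == "__main__":
    for r in parse_samples():
        print(f'{r["facility"]}.{r["severity"]} {r["src_ip"]} -> {r["dst_ip"]} '
              f'{r["method"]} {r["url"]} {r["status"]} {r["duration_ms"]}ms '
              f'{r["squid_status"]}:{r["hierarchy"]} [{r["logformat"]}]')
```

Two points the parser makes explicit that the samples only imply: every sample carries PRI 166, which decodes to local4.info, so a message arriving with a different facility means the access_log line or the syslog.conf selector is not the one shown above; and the two numbers after the status code are, in Squid's own terms, %<st (size of the reply sent to the client) followed by %>st (size of the request received from the client), so a parser that swaps them will report byte counts the wrong way round. The guide does not say which of these FortiSIEM labels Sent Bytes and Received Bytes, so the example keeps Squid's names.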