
Is sarg compatible with syslog server squid logs?

sarg
2016-10-28
2016-10-29
  • jetberrocal

    jetberrocal - 2016-10-28

    I am planning to set squid to send its logs to a syslog server instead of the regular access.log file.
    Once the squid logs are sent to the syslog server, the format is changed from the standard squid log format and the entries are mixed with the other syslog logs.

    Is Sarg compatible with the squid syslog format and with mixed logs?
    If not, do you have a suggestion on how to extract the squid logs from the syslog into the standard squid log format?

     
  • Frederic Marchal

    Sarg can't parse a syslog file directly but you may get away with it if you process the syslog file to remove the beginning of the line.

    I have no syslog file containing squid log entries to check it out but sed should be able to extract the squid entries and remove the syslog part of each line with a command like this:

    sed -n -e 's/^\w*\s*[0-9]*\s*[0-9:]*\s*[a-zA-Z-]* squid\(\[[0-9]*\]\)*: //p' /var/log/syslog | sarg -
    

    The output is piped to sarg. There is no need to use a temporary file.

    In the above example, I only tell sarg to read the log from standard input. It lacks any suitable option to produce a decent report. In practice, you will likely have to add other options such as "-d day-1" to produce a report containing yesterday's accesses. See the wiki page about the [Configuration options].

    The above sed command was quickly assembled based on my current syslog content. I would be surprised if it worked out of the box on your syslog :-). Please tune it to match your syslog entries.

     

    Related

    Wiki: Configuration options
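
An added example, not part of the original thread or of sarg: a stricter variant of the sed filter from the reply above that also accepts ISO 8601 timestamps and host names containing digits or dots, and keeps only lines whose payload starts with squid's native epoch.milliseconds field. The sample lines and the helper names squid_from_syslog and squid_unmatched are constructed for illustration.

```shell
#!/bin/sh
# Added example: recover native squid access.log lines from a mixed syslog file.

# Constructed sample input (hosts, PIDs and addresses are made up).
sample_syslog() {
cat <<'EOF'
Oct 28 10:15:01 proxy01 CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)
Oct 28 10:15:02 proxy01 squid[1234]: 1477649702.123     45 192.0.2.10 TCP_MISS/200 3120 GET http://example.com/ - HIER_DIRECT/203.0.113.5 text/html
Oct 28 10:15:02 proxy01 squid[1234]: Squid Parent: will start 1 kids
2016-10-28T10:15:03.456789+02:00 gw-2.example.net squid: 1477649703.456     12 192.0.2.11 TCP_DENIED/403 3900 CONNECT example.org:443 - HIER_NONE/- text/html
Oct 28 10:15:04 proxy01 sshd[991]: Accepted publickey for admin from 192.0.2.20 port 50522 ssh2
EOF
}

# Syslog header: timestamp ("Mon DD HH:MM:SS" or ISO 8601), host name,
# "squid" tag with optional [pid], then ": ".
HDR='^([A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8}|[0-9]{4}-[0-9]{2}-[0-9]{2}T[^ ]+) +[^ ]+ squid(\[[0-9]+\])?: '
# First field of a native access.log entry: epoch seconds, dot, milliseconds.
ENTRY='([0-9]+\.[0-9]{3} )'

# Print squid access entries with the syslog header removed.
# Reads the files given as arguments, or standard input when there are none.
squid_from_syslog() {
    sed -n -E -e "s/${HDR}${ENTRY}/\\3/p" "$@"
}

# Print lines that carry a squid tag but were NOT accepted above
# (daemon messages, or a header layout the pattern does not know yet).
squid_unmatched() {
    grep -E ' squid(\[[0-9]+\])?: ' "$@" | grep -v -E "${HDR}${ENTRY}"
}

# Demo on the constructed sample: prints the two access entries only.
sample_syslog | squid_from_syslog
```

Feed the result to sarg as in the reply above, for example squid_from_syslog /var/log/syslog | sarg -. Lines printed by squid_unmatched show where the pattern still needs tuning for a given syslog layout.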

