
#43 Can't parse rejik log

Milestone: v1.0_(example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2017-03-30
Created: 2017-03-27
Private: No

Hello!
I have an error about the redirector log.
In the conf file the string is
redirector_log_format #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #tmp#/#tmp#/#url#/#end#
And an example log line is
2017-03-27 17:02:49 CHATS: 10.0.0.42 - d.yakushev@triatsystems.ru registrar-rr.prod.registrar.skype.com:443 (urls rule: skype.com)

But when I make the report I see the following output

SARG: Reading redirector log file "/var/log/rejik/redirector.log"
SARG: Creating top users report...
SARG: Creating download report...
SARG: Creating top sites report...
SARG: Creating report to list who visisted what site...
SARG: (info) Denied report not produced because it is empty

What does #tmp# mean in template? How to correct the template?

Discussion

  • Frederic Marchal

    #tmp# ignores the token.

    It's difficult to tell how to fix the template from that single example. So let's actually parse the string to show how sarg does it.

    Sarg searches the log line for the first character found in the template after a token. The beginning of the template is #year#-. Therefore, sarg searches for the first "-" in the log line and takes everything before the "-" character as part of the year. Then it continues and searches for #mon#-. Sarg takes everything between the previous "-" and the next "-" as the month number. And so on.

    As a result, the log line is parsed like this:

    • #year#- == "2017"
    • #mon#- == "03"
    • #day#<space> == "27"
    • #hour#<space> == "17:02:49"
    • #list#: == "CHATS"
    • #tmp#<space> == ""
    • #ip#<space> == "10.0.0.42"
    • #user#<space> == "-"
    • #tmp#/ !! no match found as "/" is nowhere in what is left of the string

    To solve your problem, you must look at the strings you have in your log and find a pattern that can be used to extract the #url#.

    If you expect to extract "registrar-rr.prod.registrar.skype.com" as the url (i.e. interrupt the url at the first colon), use

    redirector_log_format #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #url#:#end#
    

    If the ":" isn't always present or should be part of the url, use a space to anchor the token end at what looks like " (urls rule:…" in the example:

    redirector_log_format #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #url# #end#
    
     
  • Bunin Vladimir - 2017-03-28

    Hello!
    Here is a piece of redirectors log.

    2017-03-28 16:51:07 PHOTOGALLERY: 10.0.0.148 - j.akinin@domail.local i.stack.imgur.com:443 (urls rule: imgur.com)
    2017-03-28 16:51:28 SPYWARE: 10.0.0.27 - m.esikov@domail.local sqm.telemetry.microsoft.com:443 (urls rule: sqm.telemetry.microsoft.com)
    2017-03-28 16:51:28 SPYWARE: 10.0.0.27 - m.esikov@domail.local sqm.telemetry.microsoft.com:443 (urls rule: sqm.telemetry.microsoft.com)
    2017-03-28 16:51:32 DATING: 10.0.0.156 - a.vinogradov@domail.local http://vk.com/rtrg?r=JOe93*V1SbS3YangkjMDzjE/guLY9/R5GCa8Q1K/1ezfaP7I96ViYq4b/uk3Il5esVCaRhJicDZKI2WX/ajQ6umNZ4UUzH1CSIxip*xxSiWTe9ZodzHXu7l6sJcod6EJDOij/BKBr/BkTdYV*wBewkt2ZZqevolNWoKrsWysytk-&gtmcb=1460756854 (urls rule: vk.com)
    2017-03-28 16:53:03 DATING: 10.0.0.24 - a.levdik@domail.local http://ok.ru/mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D&callback=__PHJSONPCallback_10&rnd=1490709183348 (urls rule: ok.ru)
    2017-03-28 16:53:03 DATING: 10.0.0.24 - a.levdik@domail.local http://bar.love.mail.ru/jsonp/bar?rnd=1490709183348 (urls rule: love.mail.ru)
    2017-03-28 16:53:11 DATING: 10.0.0.24 - a.levdik@domail.local bar.love.mail.ru:443 (urls rule: love.mail.ru)
    2017-03-28 16:53:13 DATING: 10.0.0.24 - a.levdik@domail.local ok.ru:443 (urls rule: ok.ru)
    2017-03-28 16:53:21 PHOTOGALLERY: 10.0.0.148 - j.akinin@domail.local i.stack.imgur.com:443 (urls rule: imgur.com)
    2017-03-28 16:53:28 DATING: 10.0.0.156 - a.vinogradov@domail.local http://vk.com/rtrg?r=JOe93*V1SbS3YangkjMDzjE/guLY9/R5GCa8Q1K/1ezfaP7I96ViYq4b/uk3Il5esVCaRhJicDZKI2WX/ajQ6umNZ4UUzH1CSIxip*xxSiWTe9ZodzHXu7l6sJcod6EJDOij/BKBr/BkTdYV*wBewkt2ZZqevolNWoKrsWysytk-&gtmcb=143018041 (urls rule: vk.com)
    2017-03-28 16:53:31 DATING: 10.0.0.156 - a.vinogradov@domail.local http://vk.com/rtrg?r=JOe93*V1SbS3YangkjMDzjE/guLY9/R5GCa8Q1K/1ezfaP7I96ViYq4b/uk3Il5esVCaRhJicDZKI2WX/ajQ6umNZ4UUzH1CSIxip*xxSiWTe9ZodzHXu7l6sJcod6EJDOij/BKBr/BkTdYV*wBewkt2ZZqevolNWoKrsWysytk-&gtmcb=702646836 (urls rule: vk.com)
    2017-03-28 16:53:31 DATING: 10.0.0.156 - a.vinogradov@domail.local http://vk.com/rtrg?r=w*yrZqAl6qrtMP8yYjbhZp3EqF74WYWzqBvnKsdTaYHPW4ka1g9yBMA8AqBsxWfqYnkklWIAGelycfFqahSw5GgVCYgFr8U7NNfRj82iR5Tqb7KNIVf3G6wic3DNvbgokx1C6FNs8AFgNG3gUzH8HUs5VfW9VcqfXNYww/cd7YQ- (urls rule: vk.com)
    2017-03-28 16:53:39 DATING: 10.0.0.64 - r.koltsov@domail.local graph.facebook.com:443 (urls rule: facebook.com)
    2017-03-28 16:54:02 DATING: 10.0.0.156 - a.vinogradov@domail.local http://vk.com/rtrg?r=JOe93*V1SbS3YangkjMDzjE/guLY9/R5GCa8Q1K/1ezfaP7I96ViYq4b/uk3Il5esVCaRhJicDZKI2WX/ajQ6umNZ4UUzH1CSIxip*xxSiWTe9ZodzHXu7l6sJcod6EJDOij/BKBr/BkTdYV*wBewkt2ZZqevolNWoKrsWysytk-&gtmcb=1307434293 (urls rule: vk.com)
    2017-03-28 16:55:02 SPYWARE: 10.0.0.54 - a.chibisov@domail.local s7.addthis.com:443 (urls rule: s7.addthis.com)
    2017-03-28 16:55:02 DATING: 10.0.0.156 - a.vinogradov@domail.local http://vk.com/rtrg?r=JOe93*V1SbS3YangkjMDzjE/guLY9/R5GCa8Q1K/1ezfaP7I96ViYq4b/uk3Il5esVCaRhJicDZKI2WX/ajQ6umNZ4UUzH1CSIxip*xxSiWTe9ZodzHXu7l6sJcod6EJDOij/BKBr/BkTdYV*wBewkt2ZZqevolNWoKrsWysytk-&gtmcb=711697020 (urls rule: vk.com)
    2017-03-28 16:55:04 DATING: 10.0.0.54 - a.chibisov@domail.local www.facebook.com:443 (urls rule: facebook.com)
    2017-03-28 16:58:02 SPYWARE: 10.0.0.4 - m.samokhin@domail.local watson.telemetry.microsoft.com:443 (urls rule: telemetry.microsoft.com)
    2017-03-28 16:58:03 DATING: 10.0.0.24 - a.levdik@domail.local http://bar.love.mail.ru/jsonp/bar?rnd=1490709483346 (urls rule: love.mail.ru)
    2017-03-28 16:58:03 DATING: 10.0.0.24 - a.levdik@domail.local http://ok.ru/mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D&callback=__PHJSONPCallback_11&rnd=1490709483346 (urls rule: ok.ru)
    2017-03-28 16:58:12 DATING: 10.0.0.24 - a.levdik@domail.local bar.love.mail.ru:443 (urls rule: love.mail.ru)
    2017-03-28 16:58:14 DATING: 10.0.0.24 - a.levdik@domail.local ok.ru:443 (urls rule: ok.ru)
    2017-03-28 16:58:44 SPYWARE: 10.0.0.148 - j.akinin@domail.local http://s7.addthis.com/js/250/addthis_widget.js (urls rule: s7.addthis.com)
    2017-03-28 16:58:52 AUDIO-VIDEO: 10.0.0.148 - j.akinin@domail.local http://admin.brightcove.com/js/BrightcoveExperiences.js (urls rule: brightcove.com)
    2017-03-28 16:58:52 SOCNET: 10.0.0.148 - j.akinin@domail.local http://platform.twitter.com/widgets.js (urls rule: twitter.com)
    2017-03-28 16:58:53 DATING: 10.0.0.148 - j.akinin@domail.local www.facebook.com:443 (urls rule: facebook.com)
    2017-03-28 16:58:56 DATING: 10.0.0.148 - j.akinin@domail.local www.facebook.com:443 (urls rule: facebook.com)
    2017-03-28 17:03:04 DATING: 10.0.0.24 - a.levdik@domail.local http://ok.ru/mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D&callback=__PHJSONPCallback_12&rnd=1490709784342 (urls rule: ok.ru)
    2017-03-28 17:03:04 DATING: 10.0.0.24 - a.levdik@domail.local http://bar.love.mail.ru/jsonp/bar?rnd=1490709784342 (urls rule: love.mail.ru)
    2017-03-28 17:03:13 DATING: 10.0.0.24 - a.levdik@domail.local bar.love.mail.ru:443 (urls rule: love.mail.ru)
    2017-03-28 17:03:15 DATING: 10.0.0.24 - a.levdik@domail.local ok.ru:443 (urls rule: ok.ru)
    2017-03-28 17:05:00 SPYWARE: 10.0.0.4 - m.samokhin@domail.local watson.telemetry.microsoft.com:443 (urls rule: telemetry.microsoft.com)
    2017-03-28 17:07:57 DATING: 10.0.0.96 - s.timofeev@domail.local ok.ru:443 (urls rule: ok.ru)
    2017-03-28 17:07:57 DATING: 10.0.0.96 - s.timofeev@domail.local bar.love.mail.ru:443 (urls rule: love.mail.ru)
    2017-03-28 17:08:05 DATING: 10.0.0.24 - a.levdik@domail.local http://ok.ru/mapi?query=%7B%22cmd%22%3A%22getCounters%22%7D&callback=__PHJSONPCallback_13&rnd=1490710085339 (urls rule: ok.ru)
    2017-03-28 17:08:05 DATING: 10.0.0.24 - a.levdik@domail.local http://bar.love.mail.ru/jsonp/bar?rnd=1490710085339 (urls rule: love.mail.ru)
    2017-03-28 17:08:10 DATING: 10.0.0.96 - s.timofeev@domail.local ok.ru:443 (urls rule: ok.ru)
    2017-03-28 17:08:10 DATING: 10.0.0.96 - s.timofeev@domail.local bar.love.mail.ru:443 (urls rule: love.mail.ru)
    2017-03-28 17:08:14 DATING: 10.0.0.24 - a.levdik@domail.local bar.love.mail.ru:443 (urls rule: love.mail.ru)
    2017-03-28 17:08:16 DATING: 10.0.0.24 - a.levdik@domail.local ok.ru:443 (urls rule: ok.ru)
    2017-03-28 17:08:19 DATING: 10.0.0.96 - s.timofeev@domail.local ok.ru:443 (urls rule: ok.ru)
    2017-03-28 17:08:19 DATING: 10.0.0.96 - s.timofeev@domail.local bar.love.mail.ru:443 (urls rule: love.mail.ru)
    2017-03-28 17:08:21 SOCNET: 10.0.0.96 - s.timofeev@domail.local tswtswmailru.webagent.mail.ru:443 (urls rule: webagent.mail.ru)
    2017-03-28 17:09:36 PHOTOGALLERY: 10.0.0.148 - j.akinin@domail.local i.stack.imgur.com:443 (urls rule: imgur.com)
    2017-03-28 17:09:38 PHOTOGALLERY: 10.0.0.148 - j.akinin@domail.local http://i.stack.imgur.com/MgD4g.png (urls rule: imgur.com)
    

    I used this template
    redirector_log_format #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user#@#tmp# #url# #end#
    But the report is short and has no users, see attachment.
    Your template redirector_log_format #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #url# #end# doesn't work.

     
  • Bunin Vladimir - 2017-03-28

    Attachment.

     
  • Bunin Vladimir - 2017-03-28

    And warnings in the log:

    SARG: Reading redirector log file "/var/log/rejik/redirector.log"
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: User ID too long in redirector log file ""
    SARG: Sorting file "/tmp/sarg/redirector.int_log"
    
     
  • Frederic Marchal

    I used the following template on your sample file

    redirector_log_format #year#-#mon#-#day# #hour# #list#:#tmp# #ip# #tmp# #user#@#tmp# #url# #end#
    

    Lines were extracted as expected or, at the very least, I could not spot any error. See attached screenshot.

    You are right, my first throw was wrong. I had to add a #tmp# to ignore the "-" before the user name and I removed the domain name as you did.

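To make the token-by-terminator rule from the earlier explanation concrete, here is an added example (my code, not sarg's and not posted in the thread): a small Python model of the matching algorithm Frederic describes, applied to two lines copied from the log excerpts with the four templates that appear in this ticket (the original one, Frederic's first suggestion, Vladimir's attempt and the final working one). The model assumes exactly what the explanation states: each token takes the text up to the first occurrence of the single character that follows it in the template, #tmp# is consumed and discarded, #end# stops parsing, and a missing terminator makes the line unparseable. Treating any other literal characters in the template as ignored is my assumption about sarg, not something the thread says.

```python
from __future__ import annotations

import re
from typing import Optional

# redirector_log_format values quoted in this ticket.
ORIGINAL = "#year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #tmp#/#tmp#/#url#/#end#"
FIRST_SUGGESTION = "#year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user# #url#:#end#"
VLADIMIR = "#year#-#mon#-#day# #hour# #list#:#tmp# #ip# #user#@#tmp# #url# #end#"
WORKING = "#year#-#mon#-#day# #hour# #list#:#tmp# #ip# #tmp# #user#@#tmp# #url# #end#"

# Two lines copied from the log excerpts posted in the thread.
LINE_SKYPE = ("2017-03-27 17:02:49 CHATS: 10.0.0.42 - d.yakushev@triatsystems.ru "
              "registrar-rr.prod.registrar.skype.com:443 (urls rule: skype.com)")
LINE_IMGUR = ("2017-03-28 17:09:38 PHOTOGALLERY: 10.0.0.148 - j.akinin@domail.local "
              "http://i.stack.imgur.com/MgD4g.png (urls rule: imgur.com)")

TOKEN = re.compile(r"#([a-z]+)#")


def compile_template(template: str) -> list[tuple[str, Optional[str]]]:
    """Split a template into (token, terminator) pairs.

    The terminator is the single character right after the closing '#'
    (None when nothing follows the token). Other literal characters are
    ignored; this is the model's assumption about sarg, see the lead-in.
    """
    pairs = []
    for m in TOKEN.finditer(template):
        after = template[m.end():m.end() + 1]
        pairs.append((m.group(1), after or None))
    return pairs


def parse_line(template: str, line: str) -> Optional[dict[str, str]]:
    """Apply the template to one log line.

    Returns the named fields, or None when a terminator cannot be found
    in the remainder of the line (the "no match found" case above).
    Each token takes everything up to the first occurrence of its
    terminator; #tmp# values are dropped and #end# stops parsing.
    """
    fields: dict[str, str] = {}
    pos = 0
    for name, term in compile_template(template):
        if name == "end":
            break
        if term is None:
            value, pos = line[pos:], len(line)
        else:
            idx = line.find(term, pos)
            if idx < 0:
                return None
            value, pos = line[pos:idx], idx + 1
        if name != "tmp":
            fields[name] = value
    return fields


if __name__ == "__main__":
    for label, tpl in (("original", ORIGINAL), ("first suggestion", FIRST_SUGGESTION),
                       ("Vladimir", VLADIMIR), ("working", WORKING)):
        for line in (LINE_SKYPE, LINE_IMGUR):
            print(label, "->", parse_line(tpl, line))
```

Running it shows why the behaviour looked erratic: the original template fails on the Skype line because no "/" follows the user, yet it "succeeds" on the imgur line by eating "http:" and "/" with the two #tmp# tokens and reporting "i.stack.imgur.com" as the URL with "-" as the user. The first suggestion returns a URL that still contains the user name, Vladimir's template returns "- j.akinin" as the user, and the working template yields the user and URL fields one would expect.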
     
  • Bunin Vladimir - 2017-03-29

    Hello!
    Beautiful! It works!
    And what to do with entries which are not shown in the report? Does it mean that they are repeated? Or is it just to shorten the report? Is it possible to show them all?

     
    • Frederic Marchal

      Every entry from your sample file is taken into account in the report I generated for the screen capture but only 10 are shown as requested by the squidguard_report_limit option (10 by default).

      Therefore, if you want to see the six hidden entries for a.levdik, set squidguard_report_limit to a higher value or to zero to disable the limit.

      If, on the other hand, some entries are really ignored from the full rejik log, then, it means those entries don't match the template. What is special about those entries? Do you see how they could fail to be parsed by the redirector template?

       
  • Bunin Vladimir - 2017-03-29

    And one more question.
    I have a script which is launched by cron.

    #!/bin/bash
    export LANG=ru_RU.UTF-8
    LOG_FILES=
    for FILE in /var/log/squid/access.log*; do
        LOG_FILES="$LOG_FILES -l $FILE"
    done
    
    # Get yesterday's date
    YESTERDAY=$(date --date "1 day ago" +%d/%m/%Y)
    
    exec /usr/bin/sarg \
        $LOG_FILES \
        -o /var/www/html/sarg/daily \
        -d $YESTERDAY &>/dev/null
        -t 23:59:59
    
    export LANG=en_US.UTF-8
    exit 0
    

    All log files are combined in $LOG_FILES and read by sarg, but what about the redirector's log? It is mentioned only once, in sarg.conf, but what do I do if I have several redirector.log files which are gzipped? Is it possible to launch sarg from the CLI and point it at the redirector's logs the same way as at the squid log files?

     
  • Evgeniy Yakushev

    No, this loop is not needed. You may just pass
    exec /usr/bin/sarg /var/log/squid/access.log*
    Wildcards are allowed for access log files.

    As for the redirector's log files, they cannot be passed on the CLI. Sarg reads the config and the log files mentioned in it. You should rotate and compress them after processing by sarg. I guess so far it's the best option.

     
  • Frederic Marchal

    In addition to what Evgeniy wrote, you may further simplify the script by replacing -d $YESTERDAY with -d day-1. It saves running date(1) in the script to compute YESTERDAY. The syntax for -d is explained in the wiki page [Command line options].

    Besides, I believe there is an error in your script:

    exec /usr/bin/sarg \
    $LOG_FILES \
    -o /var/www/html/sarg/daily \
    -d $YESTERDAY &>/dev/null
    -t 23:59:59
    

    -t 23:59:59 is after the &>/dev/null on the command line. I believe option -t is ignored in that case which is good as it would truncate your report to only show accesses made exactly at 23:59:59.

     

    Related

    Wiki: Command line options

  • Bunin Vladimir - 2017-03-30

    I found the option for CLI

    -L FILE
    
    If you need redirector report, you can pass -L option and the path to squidGuard log file in command line interface. Several files can be passed, each one must be prefixed with -L. Wildcards are NOT supported.
    

    It seems to me that this is what I need. Can I use it for Rejik logs? And gzipped logs?
    Of course it's possible to do as Evgeniy advised, but if I want to have a redirector log for a month I have to wait and rotate it only after making the report.

     
    • Frederic Marchal

      You are right, that option can read uncompressed Rejik log.

      But I just committed a change to read compressed logs too. It is a one line change that was the obvious thing to do.

      The new feature is available in the git master branch. It is sarg version 2.4. I recommend you clone a working copy of the source and build it.

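Pulling the thread's advice together, here is an added example of the daily cron script (my code, not Vladimir's script and not part of sarg): it passes the access logs as a wildcard, uses -d day-1 instead of calling date, builds one -L argument per redirector log because -L takes no wildcard, and keeps the output redirection at the very end of the command so that no option can end up behind it. The directory paths, the staging directory and the --run switch are assumptions. Decompressing .gz redirector logs before handing them to -L is only needed for sarg versions that predate the compressed-log change Frederic mentions; with that change the .gz files can be passed as they are.

```bash
#!/bin/bash
# Added example for this ticket, not the original cron script.
# The paths below are assumptions; override them from the environment.
SQUID_LOG_DIR=${SQUID_LOG_DIR:-/var/log/squid}
REJIK_LOG_DIR=${REJIK_LOG_DIR:-/var/log/rejik}
REPORT_DIR=${REPORT_DIR:-/var/www/html/sarg/daily}
STAGE_DIR=${STAGE_DIR:-/tmp/sarg-redirector}   # assumed: holds decompressed copies

# Print one "-L <file>" pair per line for every redirector log in $1.
# sarg's -L option accepts no wildcard, so the shell glob is expanded here.
# Compressed logs are decompressed into $2 first, for sarg versions whose
# -L cannot read .gz files.
redirector_args() {
    dir=$1
    stage=$2
    mkdir -p "$stage" || return 1
    for f in "$dir"/redirector.log*; do
        [ -f "$f" ] || continue      # glob did not match anything
        case $f in
            *.gz)
                out=$stage/$(basename "${f%.gz}")
                gzip -dc "$f" > "$out" || return 1
                printf -- '-L %s\n' "$out"
                ;;
            *)
                printf -- '-L %s\n' "$f"
                ;;
        esac
    done
}

run_daily_report() {
    # Word-splitting the list into "$@" assumes log paths without spaces.
    set -- $(redirector_args "$REJIK_LOG_DIR" "$STAGE_DIR")
    # -d day-1 replaces the date(1) arithmetic. The redirection is the last
    # thing on the command line, so every option is actually seen by sarg.
    /usr/bin/sarg \
        -o "$REPORT_DIR" \
        -d day-1 \
        "$@" \
        "$SQUID_LOG_DIR"/access.log* \
        > /dev/null 2>&1
}

if [ "${1:-}" = "--run" ]; then
    run_daily_report
fi
```

Install it as the cron job with the --run argument; sourcing the file without it only defines the functions, which is convenient for checking the generated -L list by hand with redirector_args.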
       
  • Bunin Vladimir - 2017-03-30

    Frederic, thanks a lot for hint with days.

     
