Pfsense – SARG (squid reports) setup

UPDATE – Since writing this, pfsense has added a package install of SARG. I recommend an updated tutorial of this post – SARG and Pfsense V2.

Here is a tutorial on how to set up SARG (http://sarg.sourceforge.net/) – Squid Analysis Report Generator – on Pfsense. If you don't know what any of those words mean, here are some references.

  • SQUID – (www.squid-cache.org): Squid is a web proxy that can filter traffic from your network to the internet.
  • Pfsense – (www.pfsense.org): Pfsense is a free, open-source firewall / router for home or office.

I have recently set up a Pfsense router / firewall to replace my old "blue plastic" router that was purchased at the big box location. This solution has been working great. It has been in place for over a week and I have been adding configuration settings to it. One of the great tools included in this router is the ability to add packages. In particular, one of the packages is SQUID, a proxy tool that can help monitor web traffic and also speed up performance.

I have used SQUID in the past and know its benefits and also its issues. One great benefit is reports on web usage and traffic. The pfsense implementation also has a package for reporting on squid called lightsquid. Lightsquid is OK, but not my favorite tool for displaying information. I would rather use SARG. So I began to do a few searches and found some outdated information and ways to configure SARG. From these searches (NOTE: Most of the info below I was able to find from other forum posts)

Install SARG on pfsense

  1. Install the Squid package and have squid running on your firewall
  2. Validate that SQUID is logging (Services | Proxy Server |) – Enable Logging (check) and keep the log store directory "/var/squid/log"
  3. SSH into your firewall
  4. Open a shell
  5. (optional) I added nano as a text editor, so I ran this command.
    pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/nano.tbz
  6. Run the package command to add SARG (this retrieves the latest stable package for the FreeBSD stable branch)
    pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/sarg.tbz
  7. Now to configure SARG – You can start with the default config
    cd /usr/local/etc/sarg/
    cp sarg.conf.default sarg.conf
    nano sarg.conf
  8. I actually created my sample from some other settings.  You can just copy and paste this into sarg.conf if you like
    #Location of log files - from pfsense settings
    access_log /var/squid/log/access.log     
    title "Squid User Access Reports - SARG"     
    graphs yes   
    graph_days_bytes_bar_color orange     
    #LOCATION of WEB PAGES  
    output_dir /usr/local/www/squid-reports   
    #Display usernames or IP  
    resolve_ip no   
    #Sort Order 
    topuser_sort_field BYTES reverse    
    user_sort_field BYTES reverse
  9. Run SARG for the first time. This may take a bit to run depending on your system and how long you have log files for.
    cd /usr/local/bin
    chmod +x sarg
    ./sarg
  10. Configure the system to run the reports once a day using CRON.
    crontab -e
    # daily at 00:01; an entry added with crontab -e has no user field, so "root" is dropped
    01 0 * * *   /usr/local/bin/sarg
  11. To view the reports you will need to go to a specific url, matching the output_dir set in sarg.conf: http://<your pfsense box>/squid-reports/
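
A quick way to catch the two mistakes this setup invites, a wrong access_log path and a report URL that does not match output_dir. This is an added example, not code from the original post; the function names and the WEBROOT default are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a sarg.conf.
# WEBROOT is the web root implied by the tutorial's output_dir; override if yours differs.
WEBROOT="${WEBROOT:-/usr/local/www}"

# Print the value of a directive: first uncommented match, surrounding quotes stripped.
# $1 = directive name, $2 = config file
sarg_conf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                 # skip comment lines
        $1 == key {
            $1 = ""                         # drop the directive name
            sub(/^[ \t]+/, ""); sub(/^"/, ""); sub(/"$/, "")
            print; exit
        }' "$2"
}

# Succeed only if the squid log named by access_log exists and is readable.
check_access_log() {
    _log=$(sarg_conf_get access_log "$1")
    [ -n "$_log" ] && [ -r "$_log" ]
}

# Print the URL path under which output_dir is served, or fail if it is unset,
# contains "..", or lies outside the web root (reports would not be reachable).
report_url_path() {
    _out=$(sarg_conf_get output_dir "$1")
    _out=${_out%/}
    case "$_out" in
        ""|*/..|*/../*) echo "output_dir unset or contains '..'" >&2; return 1 ;;
        "$WEBROOT"/*)   _rel=${_out#"$WEBROOT"/}; printf '/%s/\n' "$_rel" ;;
        *)              echo "output_dir $_out is outside $WEBROOT" >&2; return 2 ;;
    esac
}

# Usage: sh check_sarg_conf.sh /usr/local/etc/sarg/sarg.conf
if [ -n "${1:-}" ]; then
    check_access_log "$1" || echo "WARNING: access_log missing or unreadable" >&2
    report_url_path "$1"
fi
```

With the configuration from step 8 this prints `/squid-reports/`, which is the path to append to the firewall's address.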

Here are some example reports: (IPs blocked to protect the innocent)

[Screenshots: LANDING PAGE; DAILY REPORT; INDIVIDUAL USERID (IP); GRAPH OF INDIVIDUAL]

I prefer SARG because of the graphs and the look and feel. Let me know if you have any preference on reporting systems.

8 thoughts on “Pfsense – SARG (squid reports) setup”

  1. Thank you. I’ll have to update the images. It is only my internal block, but good catch.

  2. I used sarg reports and after a few months it had been eating 20GB of space on my hard drive!!!

    rm -rf /usr/local/sarg-reports/* Is your friend then 🙂

  3. Hi jimiz

    Just a quick question on your SARG integration with PFSense

    do you know if it's possible to link IP to hostname so your reports show hostnames

    i currently achieve this using AD integration on a centos box with SARG since we use DHCP it's better to pinpoint the hostname that was responsible for the bandwidth use as the IPs get reused

    but would like to look at implementing PFSense with this feature

    cheers

  4. hi :

    i like your tuto, but i have a Q … how y redirect my SARG logs … to another pc in windows or another host….because i have to send to my cheeck people …

  5. Squidblacklist.org is the world's leading publisher of native acl blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as many other filtering platforms. Including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.

    There is room for better blacklists, we intend to fill that gap.

    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org
