UPDATE – Since this was written, pfSense has added SARG as an installable package. I recommend the updated version of this tutorial: SARG and Pfsense V2.
Here is a tutorial on how to set up SARG (http://sarg.sourceforge.net/) – Squid Analysis Report Generator – on pfSense. If you don’t know what any of those words mean, here are some references.
- SQUID – (www.squid-cache.org): Squid is a web proxy that can cache and filter traffic from your network to the internet.
- Pfsense – (www.pfsense.org): pfSense is a free, open-source firewall / router for home or office.
I recently set up a pfSense router / firewall to replace my old “blue plastic” router bought at the big box store. This solution has been working great. It has been in place for over a week and I have been adding configuration settings to it. One of the great features of this router is the ability to add packages. One of those packages is SQUID, a proxy tool that can help monitor web traffic and also speed up browsing.
I have used SQUID in the past and know its benefits and also its issues. One great benefit is reporting on web usage and traffic. The pfSense implementation also has a reporting package for Squid called lightsquid. Lightsquid is ok, but not my favorite tool for displaying information. I would rather use SARG. So I did a few searches and found some outdated information and ways to configure SARG. Most of the steps below came from those searches (NOTE: most of the info below I was able to find in other forum posts).
Install SARG on pfsense
- Install the Squid package and have Squid running on your firewall.
- Validate that SQUID is logging (Services | Proxy Server): check “Enable Logging” and keep the log store directory at “/var/squid/log”.
- SSH into your firewall
- Open a shell
- (optional) I added nano as a text editor, so I ran this command:
    pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/nano.tbz
- Run the package command to add SARG (this retrieves the latest package from the FreeBSD 8-stable branch):
    pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/sarg.tbz
- Now to configure SARG. You can start with the default config:
    cd /usr/local/etc/sarg/
    cp sarg.conf.default sarg.conf
    nano sarg.conf
- I actually created my sample from some other settings. You can just copy and paste this into sarg.conf if you like:
    # Location of log files - from pfSense settings
    access_log /var/squid/log/access.log
    title "Squid User Access Reports - SARG"
    graphs yes
    graph_days_bytes_bar_color orange
    # Location of the generated web pages (under the pfSense web root)
    output_dir /usr/local/www/squid-reports
    # Display usernames/hostnames (yes) or raw IP addresses (no)
    resolve_ip no
    # Sort order: largest consumers of bandwidth first
    topuser_sort_field BYTES reverse
    user_sort_field BYTES reverse
- Run SARG for the first time. This may take a while depending on your system and how far back your log files go.
    cd /usr/local/bin
    chmod +x sarg
    ./sarg
- Configure the system to run the reports once a day using CRON. With crontab -e you edit a per-user crontab, which has no user column, so the entry is just the schedule followed by the command (here: daily at 00:01):
    # crontab -e
    01 0 * * * /usr/local/bin/sarg
- To view the reports you will need to go to a specific URL, http://<your pfsense box>/squid-reports/ (the output_dir from sarg.conf, relative to the pfSense web root /usr/local/www).
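To make it clearer what SARG is computing from /var/squid/log/access.log, here is a small Python summariser I added (it is not part of SARG or of the original post). It parses Squid’s native log format, totals bytes, requests and denied (403) hits per client, sorts by bytes descending like topuser_sort_field BYTES reverse, and takes an optional IP-to-hostname map as a stand-in for resolve_ip; the log lines and the hostname mapping are constructed samples.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format
# (timestamp elapsed client code/status bytes method url user hier/peer type).
SAMPLE_LOG = """\
1325376000.123    245 192.168.1.10 TCP_MISS/200 15234 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1325376001.456     12 192.168.1.10 TCP_HIT/200 2048 GET http://example.com/style.css - NONE/- text/css
1325376002.789   1300 192.168.1.20 TCP_MISS/200 524288 GET http://example.org/big.iso - DIRECT/93.184.216.34 application/octet-stream
1325376003.000      5 192.168.1.20 TCP_DENIED/403 1500 GET http://blocked.example/ - NONE/- text/html
garbage line that should be skipped
1325376004.000     40 192.168.1.30 TCP_MISS/200 700 CONNECT mail.example.net:443 - DIRECT/203.0.113.5 -
"""


def parse_line(line):
    """Return (client, bytes, http_status, url), or None for a malformed line."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        size = int(parts[4])
    except ValueError:
        return None
    status = parts[3].split("/", 1)[1] if "/" in parts[3] else "?"
    return parts[2], size, status, parts[6]


def top_users(log_text, resolve=None):
    """Bytes, requests and denied hits per client, sorted by bytes descending
    (what `topuser_sort_field BYTES reverse` asks SARG for).  `resolve` is an
    optional IP->hostname dict, the equivalent of SARG's resolve_ip option."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or non-log lines instead of aborting the report
        client, size, status, _url = rec
        name = resolve.get(client, client) if resolve else client
        entry = totals[name]
        entry["bytes"] += size
        entry["requests"] += 1
        if status == "403":
            entry["denied"] += 1
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for user, stats in top_users(SAMPLE_LOG, {"192.168.1.20": "laptop-1.lan"}):
        print(f"{user:16} {stats['bytes']:>8} bytes {stats['requests']:>3} req {stats['denied']:>2} denied")
```

On a real box, point it at /var/squid/log/access.log and feed the hostname map from your DHCP leases to get the hostname view the comments below ask about.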
Here are some example reports (IPs blocked out to protect the innocent):
LANDING PAGE
DAILY REPORT
INDIVIDUAL USERID (IP)
GRAPH OF INDIVIDUAL
I prefer SARG because of the graphs and the look and feel. Let me know if you have any preference on reporting systems.
The IP isn’t blocked out in the “DAILY REPORT” picture.
Sorry, in “INDIVIDUAL USERID (IP)”.
Thank you. I’ll have to update the images. It is only my internal block, but good catch.
I used SARG reports and after a few months it has been eating 20GB of space on my hard drive!!!
rm -rf /usr/local/sarg-reports/* is your friend then 🙂
Hi jimiz,
Just a quick question on your SARG integration with pfSense.
Do you know if it’s possible to link IP to hostname so your reports show hostnames?
I currently achieve this using AD integration on a CentOS box with SARG. Since we use DHCP, it’s better to pinpoint the hostname that was responsible for the bandwidth use, as the IPs get reused,
but I would like to look at implementing pfSense with this feature.
Cheers
Hi,
I like your tutorial, but I have a question… how do I redirect my SARG logs… to another PC on Windows or another host…, because I have to send them to my check people…
Squidblacklist.org is the world’s leading publisher of native ACL blacklists tailored specifically for the Squid proxy, and of alternative formats for all major third-party plugins as well as many other filtering platforms, including SquidGuard, DansGuardian and ufDBGuard, as well as pfSense and more.
There is room for better blacklists, we intend to fill that gap.
It would be our pleasure to serve you.
Signed,
Benjamin E. Nichols
http://www.squidblacklist.org