Pfsense – SARG (squid reports) setup


UPDATE – Since writing this, pfsense has added a package install of SARG. I recommend an updated tutorial of this post – SARG and Pfsense V2.

Here is a tutorial on how to set up SARG (http://sarg.sourceforge.net/) – Squid Analysis Report Generator – on Pfsense. If you don't know what any of those words mean, here are some references.

  • SQUID – (www.squid-cache.org): Squid is a web proxy that can filter traffic from your network to the internet.
  • Pfsense – (www.pfsense.org): Pfsense is a free open source firewall / router for home or office.

I have recently set up a Pfsense router / firewall to replace my old "blue plastic" router that was purchased at the big box location. This solution has been working great. It has been in place for over a week and I have been adding configuration settings to it. One of the great tools included in this router is the ability to add packages. In particular, one of the packages is SQUID, a proxy tool that can help monitor web traffic and also speed up performance.

I have used SQUID in the past and know its benefits and also its issues. One great benefit is reports on web usage and traffic. The pfsense implementation also has a package for reporting on squid called lightsquid. Lightsquid is OK, but not my favorite tool for displaying information. I would rather use SARG. So I began to do a few searches and found some outdated information and ways to configure SARG. (NOTE: Most of the info below I was able to find from other forum posts.)

Install SARG on pfsense

  1. Install the Squid package and have squid running on your firewall
  2. Validate that SQUID is logging (Services | Proxy Server |) – Enable Logging (check) and keep the log store directory "/var/squid/log"
  3. SSH into your firewall
  4. Open a shell
  5. (optional) I added nano as a text editor so I ran this command.
      pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/nano.tbz
  6. Run the package command to add SARG (this retrieves the latest stable package for freebsd stable branch)
    pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/sarg.tbz
  7. Now to configure SARG – You can start with the default config
     cd /usr/local/etc/sarg/     
    cp sarg.conf.default sarg.conf      
    nano sarg.conf
  8. I actually created my sample from some other settings.  You can just copy and paste this into sarg.conf if you like
    #Location of log files - from pfsense settings
    access_log /var/squid/log/access.log     
    title "Squid User Access Reports - SARG"     
    graphs yes   
    graph_days_bytes_bar_color orange     
    #LOCATION of WEB PAGES  
    output_dir /usr/local/www/squid-reports   
    #Display usernames or IP  
    resolve_ip no   
    #Sort Order 
    topuser_sort_field BYTES reverse    
    user_sort_field BYTES reverse
  9.   Run SARG for the first time.  This may take a bit to run depending on your system and how far back your log files go.

    cd /usr/local/bin
    chmod +x sarg
    ./sarg
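  10.   Configure the system to run the reports once a day using CRON.
    #crontab -e
    # daily at 00:01; "01 * * * *" would run hourly, and the user column
    # (root) belongs only in /etc/crontab, not in a crontab -e entry
    01 0 * * *   /usr/local/bin/sarg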
  11. To view the reports you will need to go to a specific url http://<your pfsense box>/squid-reports/ (this is the output_dir set in sarg.conf, /usr/local/www/squid-reports)
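
A pre-flight check for steps 2, 8 and 9, added here as an example (it is not part of the original post or of SARG): it reads access_log and output_dir from sarg.conf, confirms Squid has actually written log data, and totals bytes per client from the native access.log format so the first SARG report can be cross-checked. The function names and the sample log and config are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check sarg.conf and the Squid log before running sarg.
# Function names and the sample data below are constructed for illustration.

# Print the value of a sarg.conf directive (first match, comment lines skipped).
conf_value() {  # usage: conf_value FILE KEY
    awk -v k="$2" '$1 == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Sum bytes per client from a Squid native access.log (field 3 = client
# address, field 5 = bytes), largest first: the same ordering that
# "topuser_sort_field BYTES reverse" asks SARG for.
top_users() {  # usage: top_users LOGFILE
    awk 'NF >= 7 && $5 ~ /^[0-9]+$/ { b[$3] += $5 }
         END { for (ip in b) print b[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Return 0 if sarg.conf names a log that exists and is non-empty, 1 otherwise.
preflight() {  # usage: preflight SARG_CONF
    log=$(conf_value "$1" access_log)
    out=$(conf_value "$1" output_dir)
    [ -n "$log" ] && [ -n "$out" ] || { echo "access_log/output_dir not set" >&2; return 1; }
    [ -s "$log" ] || { echo "no log data in $log: is Squid logging enabled?" >&2; return 1; }
    echo "log=$log output_dir=$out"
}

# Constructed sample files so the example also runs off the firewall.
make_sample() {  # usage: make_sample DIR
    cat > "$1/access.log" <<'EOF'
1286536309.450   120 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1286536310.101    45 192.168.1.20 TCP_HIT/200 20480 GET http://example.com/a.png - NONE/- image/png
1286536311.777    80 192.168.1.10 TCP_MISS/200 1024 GET http://example.org/ - DIRECT/192.0.2.10 text/html
EOF
    printf '#Location of log files\naccess_log %s/access.log\noutput_dir %s/squid-reports\n' "$1" "$1" > "$1/sarg.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
preflight "$demo_dir/sarg.conf" && top_users "$demo_dir/access.log"
rm -rf "$demo_dir"
```

On the firewall itself, run `preflight /usr/local/etc/sarg/sarg.conf` and `top_users /var/squid/log/access.log` instead of the demo lines at the bottom.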

Here are some example reports (IPs blocked to protect the innocent):

  • Landing page
  • Daily report
  • Individual user ID (IP)
  • Graph of individual

I prefer SARG because of the graphs and the look and feel.  Let me know if you have any preference on reporting systems.
