UPDATE: Since writing this, pfSense has added a package install of SARG. I recommend the updated version of this post, SARG and Pfsense V2.
Here is a tutorial on how to set up SARG (http://sarg.sourceforge.net/), the Squid Analysis Report Generator, on pfSense. If you don't know what any of those words mean, here are some references.
- Squid (www.squid-cache.org): Squid is a web proxy that can cache and filter traffic from your network to the internet.
- pfSense (www.pfsense.org): pfSense is a free open-source firewall / router for home or office.
I have recently set up a pfSense router / firewall to replace my old "blue plastic" router that was purchased at the big box store. This solution has been working great. It has been in place for over a week and I have been adding configuration settings to it. One of the great features of this router is the ability to add packages. In particular, one of the packages is Squid, a proxy tool that can help monitor web traffic and also speed up performance.
I have used Squid in the past and know its benefits and its issues. One great benefit is reporting on web usage and traffic. The pfSense implementation also has a reporting package for Squid called lightsquid. Lightsquid is OK, but not my favorite tool for displaying information; I would rather use SARG. So I did a few searches and found some outdated information and ways to configure SARG. From these searches (NOTE: most of the info below I was able to find in other forum posts):
Install SARG on pfsense
- Install the Squid package and have Squid running on your firewall.
- Validate that Squid is logging (Services | Proxy Server): check Enable Logging and keep the log store directory "/var/squid/log".
- SSH into your firewall
- Open a shell
- (optional) I added nano as a text editor, so I ran this command:
pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/nano.tbz
- Run the package command to add SARG (this retrieves the latest package from the FreeBSD 8-stable branch):
pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/sarg.tbz
- Now to configure SARG. You can start with the default config:
cd /usr/local/etc/sarg/
cp sarg.conf.default sarg.conf
nano sarg.conf
- I actually created my sample from some other settings. You can just copy and paste this into sarg.conf if you like:
# Location of log files - from pfsense settings
access_log /var/squid/log/access.log
title "Squid User Access Reports - SARG"
graphs yes
graph_days_bytes_bar_color orange
# LOCATION of WEB PAGES (served by the pfsense web server)
output_dir /usr/local/www/squid-reports
# Display usernames or IP (no = report by client IP, do not resolve to hostnames)
resolve_ip no
# Sort Order (largest transfer first)
topuser_sort_field BYTES reverse
user_sort_field BYTES reverse
- Run SARG for the first time. This may take a while depending on your system and how much log history you have:
cd /usr/local/bin
chmod +x sarg
./sarg
- Configure the system to run the reports once a day using cron. The entry below goes in the root user's crontab (crontab -e), which has no user column; the user column only belongs in /etc/crontab. The schedule is minute 1 of hour 0, i.e. once a day:
# crontab -e
01 0 * * * /usr/local/bin/sarg
- To view the reports, browse to http://<your pfsense box>/squid-reports/ (the output_dir set above, under /usr/local/www).
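To show what SARG is doing with the Squid log behind these reports, here is an added example (not code from the post or from SARG) that parses Squid native access.log lines and produces the top-user-by-bytes ordering the sarg.conf above asks for (resolve_ip no, topuser_sort_field BYTES reverse), plus the list of denied requests. The log lines are constructed samples using documentation addresses.

```python
"""Squid native access.log -> per-user byte totals, ordered like SARG's
top-user report. Added example, not SARG's own code."""
import re
from collections import defaultdict

# Squid native format: time elapsed client code/status bytes method url ident hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

# Constructed sample log (not a real capture); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
1300000000.123    245 192.168.1.10 TCP_MISS/200 12345 GET http://example.com/ - DIRECT/203.0.113.10 text/html
1300000001.456     12 192.168.1.11 TCP_HIT/200 5000 GET http://example.com/logo.png - NONE/- image/png
1300000002.789    900 192.168.1.10 TCP_MISS/200 90000 GET http://example.net/big.iso - DIRECT/203.0.113.20 application/octet-stream
1300000003.000      5 192.168.1.12 TCP_DENIED/403 1200 GET http://blocked.example/ - HIER_NONE/- text/html
this line is garbage and must be skipped
"""


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        rec["status"] = int(rec["status"])
        yield rec


def top_users(text):
    """Return [(user, total_bytes, requests)] sorted by bytes descending.
    With resolve_ip no, SARG keys users by client IP unless Squid recorded an ident name."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_lines(text):
        user = rec["ident"] if rec["ident"] != "-" else rec["client"]
        totals[user][0] += rec["bytes"]
        totals[user][1] += 1
    return sorted(((u, b, n) for u, (b, n) in totals.items()), key=lambda t: (-t[1], t[0]))


def denied_requests(text):
    """Requests Squid refused (TCP_DENIED), the rows SARG lists in its denied report."""
    return [(r["client"], r["url"]) for r in parse_lines(text) if r["code"] == "TCP_DENIED"]
```

Point it at /var/squid/log/access.log to compare its ordering with the SARG top-user page.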
Here are some example reports (IPs blurred to protect the innocent):
[Screenshot: individual user ID (IP) report]
[Screenshot: graph for an individual user]
I prefer SARG because of the graphs and the look and feel. Let me know if you have a preference in reporting systems.