https://community.splunk.com/t5/Getting-Data-In/value-pair-input-squid-conf/m-p/557646#M92286 <P>Has anyone extracted the value pair squid.conf file to create a list of approve vs block URLs?</P><P>&nbsp;</P><P>Here is sourcetype that I was able to adjust</P><P>CHARSET=UTF-8<BR />DATETIME_CONFIG=CURRENT<BR />SHOULD_LINEMERGE=false<BR />category=Structured<BR />description=A variant of the conf source type, with support for nonexistent timestamps<BR />disabled=false<BR />pulldown_type=true<BR />LINE_BREAKER=([\r\n]+)</P><P>&nbsp;</P><P>Here is the sample input:&nbsp; (masked host and IP for security)</P><P># log_mime_hdrs on</P><P># Turn off caching<BR />cache deny all</P><P># Disable ICMP pinger<BR />pinger_enable off</P><P># Consult local hosts file<BR /># hosts_file /etc/hosts</P><P># Set squid pidfile location<BR />pid_filename /var/run/squid/squid.pid</P><P># Set squid access logging location and use more human-readable format<BR />access_log stdio:/var/log/squid/access_combined.log logformat=combined<BR />access_log daemon:/var/log/squid/access_default.log logformat=squid</P><P># Set cache logging location<BR />cache_log /var/log/squid/cache.log</P><P># Do not allow caching me<BR />F5 BIG-IQ<BR /># Mgmt Self-Outside<BR />acl $masked_host$ src 20.20.30.4/32 160.11.44.56/32 # F5 BIG-IQ<BR />acl $masked_host$ src 20.20.30.132/32 160.11.44.184/32 # F5 BIG-IQ</P><P># External F5<BR /># Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside<BR />acl $masked_host$ src 160.11.42.8/32 192.160.223.74/32 160.11.42.142/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.43.8/32 192.160.224.74/32 160.11.43.142/32 # External F5 BIG-IP</P><P># External F5<BR /># Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside<BR />acl $masked_host$ src 160.11.42.4/32 192.160.223.4/32 192.160.223.46/32 160.11.42.132/32 160.11.42.140/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.42.6/32 192.160.223.5/32 192.160.223.46/32 160.11.42.138/32 160.11.42.140/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.43.4/32 192.160.224.4/32 192.160.224.46/32 160.11.43.132/32 160.11.43.140/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.43.6/32 192.160.224.5/32 192.160.224.46/32 160.11.43.138/32 160.11.43.140/32 # External F5 BIG-IP</P> Tue, 29 Jun 2021 17:34:12 GMT youngsuh 2021-06-29T17:34:12Z https://community.splunk.com/t5/Getting-Data-In/value-pair-input-squid-conf/m-p/557646#M92286 <P>Has anyone extracted the value pair squid.conf file to create a list of approve vs block URLs?</P><P>&nbsp;</P><P>Here is sourcetype that I was able to adjust</P><P>CHARSET=UTF-8<BR />DATETIME_CONFIG=CURRENT<BR />SHOULD_LINEMERGE=false<BR />category=Structured<BR />description=A variant of the conf source type, with support for nonexistent timestamps<BR />disabled=false<BR />pulldown_type=true<BR />LINE_BREAKER=([\r\n]+)</P><P>&nbsp;</P><P>Here is the sample input:&nbsp; (masked host and IP for security)</P><P># log_mime_hdrs on</P><P># Turn off caching<BR />cache deny all</P><P># Disable ICMP pinger<BR />pinger_enable off</P><P># Consult local hosts file<BR /># hosts_file /etc/hosts</P><P># Set squid pidfile location<BR />pid_filename /var/run/squid/squid.pid</P><P># Set squid access logging location and use more human-readable format<BR />access_log stdio:/var/log/squid/access_combined.log logformat=combined<BR />access_log daemon:/var/log/squid/access_default.log logformat=squid</P><P># Set cache logging location<BR />cache_log /var/log/squid/cache.log</P><P># Do not allow caching me<BR />F5 BIG-IQ<BR /># Mgmt Self-Outside<BR />acl $masked_host$ src 20.20.30.4/32 160.11.44.56/32 # F5 BIG-IQ<BR />acl $masked_host$ src 20.20.30.132/32 160.11.44.184/32 # F5 BIG-IQ</P><P># External F5<BR /># Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside<BR />acl $masked_host$ src 160.11.42.8/32 192.160.223.74/32 160.11.42.142/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.43.8/32 192.160.224.74/32 160.11.43.142/32 # External F5 BIG-IP</P><P># External F5<BR /># Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside<BR />acl $masked_host$ src 160.11.42.4/32 192.160.223.4/32 192.160.223.46/32 160.11.42.132/32 160.11.42.140/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.42.6/32 192.160.223.5/32 192.160.223.46/32 160.11.42.138/32 160.11.42.140/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.43.4/32 192.160.224.4/32 192.160.224.46/32 160.11.43.132/32 160.11.43.140/32 # External F5 BIG-IP<BR />acl $masked_host$ src 160.11.43.6/32 192.160.224.5/32 192.160.224.46/32 160.11.43.138/32 160.11.43.140/32 # External F5 BIG-IP</P> Tue, 29 Jun 2021 17:34:12 GMT https://community.splunk.com/t5/Getting-Data-In/value-pair-input-squid-conf/m-p/557646#M92286 youngsuh 2021-06-29T17:34:12Z https://community.splunk.com/t5/Getting-Data-In/value-pair-input-squid-conf/m-p/563513#M100385 <P>After thinking thru the process.&nbsp; &nbsp;squid.conf would have approve and deny list of traffic in the configuration.&nbsp; So, you would only need a section of .conf file parse instead of trying to parse all the fields.&nbsp; here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.</P><P><SPAN>^acl\s(?P&lt;acl_name&gt;[^.\s]+)\s+\w+\s(?P&lt;dest_domain&gt;[-a-zA-Z0-9@:%._\+~#=]{1,256})</SPAN></P><P><SPAN>Here is the regex101 link:&nbsp;&nbsp;<A href="https://regex101.com/r/EPaTX1/1" target="_blank">https://regex101.com/r/EPaTX1/1</A></SPAN></P> Mon, 16 Aug 2021 19:35:23 GMT https://community.splunk.com/t5/Getting-Data-In/value-pair-input-squid-conf/m-p/563513#M100385 youngsuh 2021-08-16T19:35:23Z