Getting Data In

value pair input squid.conf

youngsuh
Contributor

Has anyone extracted the value pair squid.conf file to create a list of approve vs block URLs?

 

Here is sourcetype that I was able to adjust

CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
category=Structured
description=A variant of the conf source type, with support for nonexistent timestamps
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)

 

Here is the sample input:  (masked host and IP for security)

# log_mime_hdrs on

# Turn off caching
cache deny all

# Disable ICMP pinger
pinger_enable off

# Consult local hosts file
# hosts_file /etc/hosts

# Set squid pidfile location
pid_filename /var/run/squid/squid.pid

# Set squid access logging location and use more human-readable format
access_log stdio:/var/log/squid/access_combined.log logformat=combined
access_log daemon:/var/log/squid/access_default.log logformat=squid

# Set cache logging location
cache_log /var/log/squid/cache.log

# Do not allow caching me
F5 BIG-IQ
# Mgmt Self-Outside
acl $masked_host$ src 20.20.30.4/32 160.11.44.56/32 # F5 BIG-IQ
acl $masked_host$ src 20.20.30.132/32 160.11.44.184/32 # F5 BIG-IQ

# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.8/32 192.160.223.74/32 160.11.42.142/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.8/32 192.160.224.74/32 160.11.43.142/32 # External F5 BIG-IP

# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.4/32 192.160.223.4/32 192.160.223.46/32 160.11.42.132/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.42.6/32 192.160.223.5/32 192.160.223.46/32 160.11.42.138/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.4/32 192.160.224.4/32 192.160.224.46/32 160.11.43.132/32 160.11.43.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.6/32 192.160.224.5/32 192.160.224.46/32 160.11.43.138/32 160.11.43.140/32 # External F5 BIG-IP

Tags (1)
0 Karma
1 Solution

youngsuh
Contributor

After thinking thru the process.   squid.conf would have approve and deny list of traffic in the configuration.  So, you would only need a section of .conf file parse instead of trying to parse all the fields.  here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.

^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})

Here is the regex101 link:  https://regex101.com/r/EPaTX1/1

View solution in original post

Tags (2)
0 Karma

youngsuh
Contributor

After thinking thru the process.   squid.conf would have approve and deny list of traffic in the configuration.  So, you would only need a section of .conf file parse instead of trying to parse all the fields.  here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.

^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})

Here is the regex101 link:  https://regex101.com/r/EPaTX1/1

Tags (2)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...