Getting Data In

value pair input squid.conf

youngsuh
Contributor

Has anyone extracted the value pair squid.conf file to create a list of approve vs block URLs?

 

Here is sourcetype that I was able to adjust

CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
category=Structured
description=A variant of the conf source type, with support for nonexistent timestamps
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)

 

Here is the sample input:  (masked host and IP for security)

# log_mime_hdrs on

# Turn off caching
cache deny all

# Disable ICMP pinger
pinger_enable off

# Consult local hosts file
# hosts_file /etc/hosts

# Set squid pidfile location
pid_filename /var/run/squid/squid.pid

# Set squid access logging location and use more human-readable format
access_log stdio:/var/log/squid/access_combined.log logformat=combined
access_log daemon:/var/log/squid/access_default.log logformat=squid

# Set cache logging location
cache_log /var/log/squid/cache.log

# Do not allow caching me
F5 BIG-IQ
# Mgmt Self-Outside
acl $masked_host$ src 20.20.30.4/32 160.11.44.56/32 # F5 BIG-IQ
acl $masked_host$ src 20.20.30.132/32 160.11.44.184/32 # F5 BIG-IQ

# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.8/32 192.160.223.74/32 160.11.42.142/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.8/32 192.160.224.74/32 160.11.43.142/32 # External F5 BIG-IP

# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.4/32 192.160.223.4/32 192.160.223.46/32 160.11.42.132/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.42.6/32 192.160.223.5/32 192.160.223.46/32 160.11.42.138/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.4/32 192.160.224.4/32 192.160.224.46/32 160.11.43.132/32 160.11.43.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.6/32 192.160.224.5/32 192.160.224.46/32 160.11.43.138/32 160.11.43.140/32 # External F5 BIG-IP

Tags (1)
0 Karma
1 Solution

youngsuh
Contributor

After thinking thru the process.   squid.conf would have approve and deny list of traffic in the configuration.  So, you would only need a section of .conf file parse instead of trying to parse all the fields.  here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.

^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})

Here is the regex101 link:  https://regex101.com/r/EPaTX1/1

View solution in original post

Tags (2)
0 Karma

youngsuh
Contributor

After thinking thru the process.   squid.conf would have approve and deny list of traffic in the configuration.  So, you would only need a section of .conf file parse instead of trying to parse all the fields.  here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.

^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})

Here is the regex101 link:  https://regex101.com/r/EPaTX1/1

Tags (2)
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...