Getting Data In

value pair input squid.conf

youngsuh
Contributor

Has anyone extracted the value pair squid.conf file to create a list of approve vs block URLs?

 

Here is sourcetype that I was able to adjust

CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
category=Structured
description=A variant of the conf source type, with support for nonexistent timestamps
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)

 

Here is the sample input:  (masked host and IP for security)

# log_mime_hdrs on

# Turn off caching
cache deny all

# Disable ICMP pinger
pinger_enable off

# Consult local hosts file
# hosts_file /etc/hosts

# Set squid pidfile location
pid_filename /var/run/squid/squid.pid

# Set squid access logging location and use more human-readable format
access_log stdio:/var/log/squid/access_combined.log logformat=combined
access_log daemon:/var/log/squid/access_default.log logformat=squid

# Set cache logging location
cache_log /var/log/squid/cache.log

# Do not allow caching me
F5 BIG-IQ
# Mgmt Self-Outside
acl $masked_host$ src 20.20.30.4/32 160.11.44.56/32 # F5 BIG-IQ
acl $masked_host$ src 20.20.30.132/32 160.11.44.184/32 # F5 BIG-IQ

# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.8/32 192.160.223.74/32 160.11.42.142/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.8/32 192.160.224.74/32 160.11.43.142/32 # External F5 BIG-IP

# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.4/32 192.160.223.4/32 192.160.223.46/32 160.11.42.132/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.42.6/32 192.160.223.5/32 192.160.223.46/32 160.11.42.138/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.4/32 192.160.224.4/32 192.160.224.46/32 160.11.43.132/32 160.11.43.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.6/32 192.160.224.5/32 192.160.224.46/32 160.11.43.138/32 160.11.43.140/32 # External F5 BIG-IP

Tags (1)
0 Karma
1 Solution

youngsuh
Contributor

After thinking thru the process.   squid.conf would have approve and deny list of traffic in the configuration.  So, you would only need a section of .conf file parse instead of trying to parse all the fields.  here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.

^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})

Here is the regex101 link:  https://regex101.com/r/EPaTX1/1

View solution in original post

Tags (2)
0 Karma

youngsuh
Contributor

After thinking thru the process.   squid.conf would have approve and deny list of traffic in the configuration.  So, you would only need a section of .conf file parse instead of trying to parse all the fields.  here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.

^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})

Here is the regex101 link:  https://regex101.com/r/EPaTX1/1

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...