- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- value pair input squid.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone extracted the value pair squid.conf file to create a list of approve vs block URLs?
Here is sourcetype that I was able to adjust
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
category=Structured
description=A variant of the conf source type, with support for nonexistent timestamps
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
Here is the sample input: (masked host and IP for security)
# log_mime_hdrs on
# Turn off caching
cache deny all
# Disable ICMP pinger
pinger_enable off
# Consult local hosts file
# hosts_file /etc/hosts
# Set squid pidfile location
pid_filename /var/run/squid/squid.pid
# Set squid access logging location and use more human-readable format
access_log stdio:/var/log/squid/access_combined.log logformat=combined
access_log daemon:/var/log/squid/access_default.log logformat=squid
# Set cache logging location
cache_log /var/log/squid/cache.log
# Do not allow caching me
F5 BIG-IQ
# Mgmt Self-Outside
acl $masked_host$ src 20.20.30.4/32 160.11.44.56/32 # F5 BIG-IQ
acl $masked_host$ src 20.20.30.132/32 160.11.44.184/32 # F5 BIG-IQ
# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.8/32 192.160.223.74/32 160.11.42.142/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.8/32 192.160.224.74/32 160.11.43.142/32 # External F5 BIG-IP
# External F5
# Mgmt Self-Outside Floating-Outside Self-Inside Floating-Inside
acl $masked_host$ src 160.11.42.4/32 192.160.223.4/32 192.160.223.46/32 160.11.42.132/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.42.6/32 192.160.223.5/32 192.160.223.46/32 160.11.42.138/32 160.11.42.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.4/32 192.160.224.4/32 192.160.224.46/32 160.11.43.132/32 160.11.43.140/32 # External F5 BIG-IP
acl $masked_host$ src 160.11.43.6/32 192.160.224.5/32 192.160.224.46/32 160.11.43.138/32 160.11.43.140/32 # External F5 BIG-IP
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After thinking thru the process. squid.conf would have approve and deny list of traffic in the configuration. So, you would only need a section of .conf file parse instead of trying to parse all the fields. here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.
^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})
Here is the regex101 link: https://regex101.com/r/EPaTX1/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After thinking thru the process. squid.conf would have approve and deny list of traffic in the configuration. So, you would only need a section of .conf file parse instead of trying to parse all the fields. here is the regex used to parse and build the lookup to monitor squid access logs for what's outside the approve and deny traffic.
^acl\s(?P<acl_name>[^.\s]+)\s+\w+\s(?P<dest_domain>[-a-zA-Z0-9@:%._\+~#=]{1,256})
Here is the regex101 link: https://regex101.com/r/EPaTX1/1
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
