SARG is a free tool that enables you to analyse squid log files while generating reports in HTML format showing informations of all squid users including IP addresses, frequently accessed sites, total bandwidth usage, elapsed time, downloads, access denied websites, daily reports, weekly reports and monthly reports.
The SARG is a handy tool that enables you to viewthe amount of internet bandwidth required by individual machines within a network and analyze watch which websites network users are accessing
The First Step: Installing free Sarg from Source
The package is not part of the RedHat based distributions, so you have to manually compile and set it up from source . You will also require additional packages to be installed on the machine
# vi /usr/local/etc/sarg.conf [On RedHat based systems]
$ sudo nano /etc/sarg/sarg.conf [On Debian based systems]
Now Uncomment and add the original path to your squid access log file.
# sarg.conf # # TAG: access_log file # Where is the access.log file # sarg -l file # access_log /var/log/squid/access.log
create the correct Output directory path twhere generated squid reports will be stored.
# TAG: output_dir # The reports will be saved in that directory # sarg -o dir # output_dir /var/www/html/squid-reports
set the correct time and date
# TAG: date_format # Date format in reports: e (European=dd/mm/yy), u (American=mm/dd/yy), w (Weekly=yy.ww) # date_format e
uncomment override to yes
# TAG: overwrite_report yes|no # yes - if report date already exist then will be overwritten. # no - if report date already exist then will be renamed to filename.n, filename.n+1 # overwrite_report yes
generating SARG report
# sarg -x [On RedHat based systems]
# sudo sarg -x [On Debian based systems]
which will create an output
[root@localhost squid]# sarg -x SARG: Init SARG: Loading configuration from /usr/local/etc/sarg.conf SARG: Deleting temporary directory "/tmp/sarg" SARG: Parameters: SARG: Hostname or IP address (-a) = SARG: Useragent log (-b) = SARG: Exclude file (-c) = SARG: Date from-until (-d) = SARG: Email address to send reports (-e) = SARG: Config file (-f) = /usr/local/etc/sarg.conf SARG: Date format (-g) = USA (mm/dd/yyyy) SARG: IP report (-i) = No SARG: Keep temporary files (-k) = No SARG: Input log (-l) = /var/log/squid/access.log SARG: Resolve IP Address (-n) = No SARG: Output dir (-o) = /var/www/html/squid-reports/ SARG: Use Ip Address instead of userid (-p) = No SARG: Accessed site (-s) = SARG: Time (-t) = SARG: User (-u) = SARG: Temporary dir (-w) = /tmp/sarg SARG: Debug messages (-x) = Yes SARG: Process messages (-z) = No SARG: Previous reports to keep (--lastlog) = 0 SARG: SARG: sarg version: 2.3.7 May-30-2013 SARG: Reading access log file: /var/log/squid/access.log SARG: Records in file: 355859, reading: 100.00% SARG: Records read: 355859, written: 355859, excluded: 0 SARG: Squid log format SARG: Period: 2014 Jan 21 SARG: Sorting log /tmp/sarg/172_16_16_55.user_unsort ......
generated SARG reports can be accessed under the folders ‘/var/www/html/squid-reports/‘ or ‘/var/www/squid-reports/‘
automating SARG in weekly hourly or daily basis can be done by modifying the contrab file using
crontab -e command
and add the following line at the bottom of the file.
* */1 * * * /usr/local/bin/sarg -x