Squid format

Greisberger Christophe christophe at greisberger.net
Sun Sep 18 00:41:38 CEST 2005 

Hi,

Sorry to bother you, I have some more questions about lire.

1. How do I configure lire so that it can decode squid logs?
I put the right path to tai64nlocal, but I have following error when I tra to 
create a report:
An error occured: 'time' parameter doesn't match '(?-xism:^\d+$)': 
'1082673216.924' at /usr/share/perl5/Lire/DlfStore.pm:628

Do I have to put something specific in the Import Job settings so that lire 
use tail64nlocal?


2. About syslog reports:
In the Overview Reports, the "Messages Logged by Facility",
   "Messages Logged by Level" and "Warning or Higher Level
   Events" tables are empty.
>  Facility  	Messages  	% Total
>  There is no entries in this table
>  Total for 7442 records 	7442 	100.0
Why? All other are correctly populated.

It's a SuSE syslog
sample:
> Sep 14 00:45:45 www kernel: ll header: 
ff:ff:ff:ff:ff:ff:00:09:5b:f9:05:2a:08:00
> Sep 17 23:30:22 www sshd[25813]: Accepted publickey for wwwrun from x.x.x.x 
port 34612 ssh2
> Sep 14 00:46:00 www /USR/SBIN/CRON[15299]: (root) CMD (xxxxxxxxxxxxxx)
> Sep 14 00:46:13 www kernel: SuSE-FW-ACCEPT IN=eth0 OUT= 
MAC=00:a0:24:cf:51:aa:00:e0:f7:7f:db:bf:08:00 SRC=84.72.205.211 DST=x.x.x.x 
LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=16022 DF PROTO=TCP SPT=2154 DPT=xxxxx 
WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)


3. Same problem in the firewall reports:
-the "Messages Reports" section has only empty tables.
-the "Volume's Traffic Reports" : also empty tables.
But the "Denied Packets Reports" is correctly populated.
Something to do with the fact that the firewall is generated by the same 
syslog as above?

Here is a sample firewall log:
> Sep 14 00:16:07 www kernel: SuSE-FW-ACCEPT IN=eth0 OUT= 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=84.72.205.211 
DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=1364 DF PROTO=TCP 
SPT=2146 DPT=xxx WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
> Sep 14 00:16:08 www kernel: SuSE-FW-ACCEPT IN=eth0 OUT= 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=84.72.205.211 
DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=1376 DF PROTO=TCP 
SPT=2147 DPT=xxx WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
> Sep 14 00:17:20 www kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=83.52.126.20 
DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=34683 DF PROTO=TCP 
SPT=3659 DPT=xxx WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
> Sep 14 00:17:23 www kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=83.52.126.20 
DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=34972 DF PROTO=TCP 
SPT=3659 DPT=xxx WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405AC01010402)
> Sep 14 00:17:52 www kernel: SuSE-FW-ACCEPT IN=eth0 OUT= 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.141.131.165 
DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=58502 DF PROTO=TCP 
SPT=4618 DPT=xxx WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
> Sep 14 00:17:57 www kernel: SuSE-FW-ACCEPT IN=eth0 OUT= 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=195.135.221.131 
DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=62218 DF PROTO=TCP 
SPT=4839 DPT=xxx WINDOW=32120 RES=0x00 SYN URGP=0 OPT 
(020405B40402080A538ED2F60000000001030300)

Thanks for your help!

-- 
Christophe Greisberger

-- 
To UNSUBSCRIBE, email to questions-request at logreport.org with a subject of 
"unsubscribe". Trouble? Send an email with subject "help" to 
questions-request at logreport.org

More information about the Questions mailing list