How to Monitor Squid3 Traffic using SARG in Ubuntu

I’ve installed a proxy server using Squid3 on my Ubuntu box. Now I want to know “where” my users are going on the Internet. Therefore we need SARG. Squid Analysis Report Generator is a tool that allows you to view a lot of information about Squid users’ activities: times, bytes, sites, etc.

First, we need to install Sarg and a web server. I’m using Apache2 here.

sudo apt-get install sarg apache2

Before we mess with the Sarg configuration, we need to make a backup of sarg.conf.

sudo cp /etc/sarg/sarg.conf /etc/sarg/sarg.conf.old

Next thing we’re gonna do is simplify the sarg.conf. This step is optional. It just makes the sarg.conf file easier to read. Note that the output redirection has to run as root as well (a plain “>” would be executed by your own user and fail with “Permission denied”), so the filtered file is written through sudo tee.

grep -v ^# /etc/sarg/sarg.conf.old | grep -v ^$ | sudo tee /etc/sarg/sarg.conf > /dev/null

Here’s my sarg.conf file. You can copy and paste it if you want, but make sure to adjust the values that depend on your system, such as the access_log path. If you are not using Squid3, the common location for the access_log is /var/log/squid/access.log.

language English
access_log /var/log/squid3/access.log
title "Squid User Access Reports"
font_face Tahoma,Verdana,Arial
header_color darkblue
header_bgcolor blanchedalmond
font_size 9px
background_color white
text_color #000000
text_bgcolor lavender
title_color green
temporary_dir /tmp
output_dir /var/lib/sarg
resolve_ip 
user_ip no
topuser_sort_field BYTES reverse
user_sort_field BYTES reverse
exclude_users /etc/sarg/exclude_users
exclude_hosts /etc/sarg/exclude_hosts
date_format u
lastlog 0
remove_temp_files yes
index yes
index_tree file
overwrite_report yes
records_without_userid ip
use_comma yes
mail_utility mailx
topsites_num 100
topsites_sort_order CONNECT D
index_sort_order D
exclude_codes /etc/sarg/exclude_codes
max_elapsed 28800000
report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads
usertab /etc/sarg/usertab
long_url no
date_time_by bytes
charset Latin1
show_successful_message no
show_read_statistics no
topuser_fields NUM DATE_TIME USERID CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
user_report_fields CONNECT BYTES %BYTES IN-CACHE-OUT USED_TIME MILISEC %TIME TOTAL AVERAGE
topuser_num 0
download_suffix "zip,arj,bzip,gz,ace,doc,iso,adt,bin,cab,com,dot,drv$,lha,lzh,mdb,mso,ppt,rtf,src,shs,sys,exe,dll,mp3,avi,mpg,mpeg,pdf,tar,rar,docx,pptx,xlsx,chm,flv,mp4,mkv,bz2,deb"
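To see what the settings above actually compute, here is an added illustration (my own Python script, not part of the original post and not Sarg’s code) that parses a few constructed lines in Squid’s native access.log format and aggregates them the way the config asks: records_without_userid ip, topuser_sort_field BYTES reverse, topsites_sort_order CONNECT D and the denied report. The log lines are made up; the user names, IPs and hosts are placeholders.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of Squid native access.log lines (not taken from a real server).
SAMPLE_LOG = """\
1403551200.123    120 192.168.1.10 TCP_MISS/200 4521 GET http://example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1403551201.456     80 192.168.1.10 TCP_HIT/200 1200 GET http://example.com/logo.png alice NONE/- image/png
1403551202.789    300 192.168.1.11 TCP_MISS/200 98000 GET http://files.example.net/tool.zip bob HIER_DIRECT/203.0.113.5 application/zip
1403551203.000     10 192.168.1.12 TCP_DENIED/403 3500 GET http://blocked.example.org/ - NONE/- text/html
1403551204.500    200 192.168.1.12 TCP_MISS/200 7000 CONNECT mail.example.com:443 - HIER_DIRECT/198.51.100.7 -
"""

# Native Squid log: time elapsed client code/status bytes method URL user hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Return one log record as a dict, or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    # CONNECT requests are logged as host:port without a scheme, so fall back to splitting on ':'.
    rec["site"] = urlsplit(rec["url"]).hostname or rec["url"].split(":")[0]
    # records_without_userid ip: attribute unauthenticated requests to the client IP.
    if rec["user"] == "-":
        rec["user"] = rec["client"]
    return rec

def summarize(log_text):
    """Aggregate the way the report_type list above asks: topusers, topsites and denied."""
    users = defaultdict(lambda: {"connect": 0, "bytes": 0})
    sites = Counter()
    denied = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        users[rec["user"]]["connect"] += 1
        users[rec["user"]]["bytes"] += rec["bytes"]
        sites[rec["site"]] += 1
        if rec["code"].startswith("TCP_DENIED"):
            denied.append((rec["user"], rec["site"]))
    # topuser_sort_field BYTES reverse and topsites_sort_order CONNECT D
    top_users = sorted(users.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return {"topusers": top_users, "topsites": sites.most_common(), "denied": denied}
```

Run summarize(SAMPLE_LOG) and the unauthenticated client shows up under its IP, exactly as the records_without_userid setting makes Sarg do.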

The Sarg configuration is done. Now we need to create a symbolic link from the Sarg output directory into our /var/www/ directory, so the web server can serve the reports.

sudo ln -sv /var/lib/sarg/ /var/www/

Now it’s time to try running Sarg manually.

sudo sarg-reports today

Open your web browser and go to http://localhost/sarg/. Make sure your web server is running.

Next, we need to make sure that the Sarg cron job runs before the Squid3 logrotate job. run-parts executes the scripts in /etc/cron.daily in alphabetical order, so renaming the script to a name that sorts before “logrotate” does the trick.

sudo mv /etc/cron.daily/sarg /etc/cron.daily/ksarg

Normally, Sarg is executed daily, weekly and monthly. But I wanna see the report updated every 5 minutes, so we need to create a new cron job.

sudo crontab -e

Insert this line with a simple copy and paste:

*/5 * * * * /usr/sbin/sarg-reports today > /dev/null 2>&1

Save and exit from the crontab editor.

That’s all folks. Hope it helps.