Using SARG
Squid Analysis Report Generator (FreeBSD 5.4)
Posted 15.01.2007 | Updated 16.01.2007 | Contributed by Andy Mallett


So you've installed the Squid Web Proxy service and now you're looking for something to view Squid's somewhat texty reports with.

Enter SARG, a slightly obscure but reasonably featured report analysis tool. Just the ticket for making those reports pretty and easy to read.



Installation is a no-brainer and there's bugger-all config either. And of course, it's freeeee!

Prerequisites

Squid. Oh, and Apache/PHP.

Obtaining SARG

Download SARG from sourceforge.net or sarg-2.2.3.1.tar.gz from the ever-generous NoBlueScreens archives (626KB).

Installation

In the following example, the SARG tarball sarg-2.2.3.1.tar.gz has been downloaded to the /src directory. Modify these instructions if your circumstances differ.

cd /src
tar -zxvf sarg-2.2.3.1.tar.gz
cd sarg-2.2.3.1
./configure
make
make install


If the above is not clear, see Installing Stuff. The completed install will be under /usr/local/sarg, surprise surprise.

Configuration

None required. Defaults work fine.

SARG will read the Squid logs and burp out a web page into /var/www/html/squid-reports/. Just make a symlink from here to your Apache public directory:

ln -s /var/www/html/squid-reports /usr/local/apache/htdocs/squid-reports

Thus SARG's compact little display will be sitting at http://yourwebserver.net/squid-reports. Bookmark it ready for when the CEO calls you into his office to hunt down some internet crims.

Running SARG

This part's a bit weird because although you can access the SARG report from any web browser which can see the web server, you've got to ssh into the server itself to run the report conversion process:

cd /usr/local/sarg
sarg -h - brings up a concise help screen. Self-explanatory really.
sarg - on its own creates a new report and tells you where it is.

Just refresh the page at http://yourwebserver.net/squid-reports. Actually watch that, as every time a new report is generated, the previous report list may still be cached and may need a browser refresh to update to the new report. How's that for a bit of irony.

Tweaking it

If you don't want to ssh into the Squid box to run SARG every time you need a Squid/SARG report, you could use Webmin or alternatively create a Cron job to create regular reports for later perusal.

Just the thing for collaring those recalcitrant ebay-addicted staff members who spend half their time surfing the net at the firm's expense or the odd obsessed monkey-spanker who just can't stay away from the on-line delights of toplessbrainsurgeons.com.
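
For the cron option mentioned above, here is a small wrapper script. It is an added example, not part of the original article or of SARG itself. The binary path, Squid log path, lock location and script name are assumptions to adjust for your install; only the report directory comes from the article.

```shell
#!/bin/sh
# Added example: run SARG unattended from cron.
# All paths except REPORT_DIR are assumptions; check them against your system.
SARG_BIN="${SARG_BIN:-/usr/local/sarg/sarg}"                # assumed location of the sarg binary
SQUID_LOG="${SQUID_LOG:-/usr/local/squid/logs/access.log}"  # assumed Squid access log
REPORT_DIR="${REPORT_DIR:-/var/www/html/squid-reports}"     # output directory named in the article
LOCK_DIR="${LOCK_DIR:-/var/run/sarg-cron.lock}"             # hypothetical lock location

# run_report: generate one report.
# Returns 0 = report written, 1 = sarg failed,
#         2 = Squid log missing or unreadable, 3 = another run still active.
run_report() {
    if [ ! -r "$SQUID_LOG" ]; then
        echo "sarg-cron: cannot read $SQUID_LOG" >&2
        return 2
    fi
    # mkdir is atomic, so the directory doubles as a lock: a slow run on a
    # large log cannot be overlapped by the next cron invocation.
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "sarg-cron: $LOCK_DIR exists, previous run still active?" >&2
        return 3
    fi
    status=0
    # -l = input log, -o = output directory
    "$SARG_BIN" -l "$SQUID_LOG" -o "$REPORT_DIR" || status=1
    rmdir "$LOCK_DIR"
    return "$status"
}

# Only act when invoked as "sarg-cron.sh run", e.g. from /etc/crontab
# (script path is hypothetical):
#   5 0 * * *  root  /usr/local/sbin/sarg-cron.sh run
case "${1:-}" in
    run) run_report ;;
esac
```

cron mails anything written to stderr to the job's owner, so the non-zero cases above show up without extra logging. If a run is killed mid-way the lock directory stays behind and has to be removed by hand.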

Links & References

sarg.sourceforge.net
The 100 Worst Porn Movie Titles