-
Notifications
You must be signed in to change notification settings - Fork 29
/
Squid-proxy.yaml
66 lines (61 loc) · 4.32 KB
/
Squid-proxy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Squid-proxy
tests:
- 1691514939.857 68 172.16.1.21 TCP_MISS/200 3705 GET http://clientconfig.akamai.steamstatic.com/appinfo/443030/sha/743a4cabc856d443ec7aa581c1434e504577.txt.gz
- HIER_DIRECT/2.19.117.168 application/gzip
- 1691520434.652 108 172.16.1.94 TCP_MISS/200 415 GET http://phantasm.spryfox.com/t?
- HIER_DIRECT/54.197.172.146 application/octet-stream
- 1691520435.471 0 172.16.1.94 TCP_MISS/503 4444 GET http://api.geo.kontagent.net/api/v1/61ce3282d3054e5c9f53bca39c2a0739/pgr/?
- HIER_NONE/- text/html
- 1691522194.949 53 172.16.1.42 TCP_REFRESH_MODIFIED/200 847 GET http://ocsp.digicert.com/ME8wTTBLMEkwRzAHBgUrDgMC4iVCAYlebjbuYP%2Bvq5Eu0GF485AhAM9b0GK1YC9Hq4UCwjzPBm
- HIER_DIRECT/192.229.221.95 application/ocsp-response
- 1691522227.882 30901 172.16.1.23 TCP_TUNNEL/200 27732 CONNECT gateway.icloud.com:443
- HIER_DIRECT/17.250.81.66 -
fieldsToBeRemovedBeforeParsing: []
$schema: https://schemas.humio.com/parser/v0.2.0
script: |-
// Parser for the Squid proxy, http://www.squid-cache.org
// v0.1.0
//
// The purpose of this parser is mainly to facilitate monitoring of access/denied access via a squid proxy.
// Squid logs contain much other information useful when monitoring squid hierarchies which this parser makes little attempt to extract.
// For more information on the squid log format, see:
// http://wiki.squid-cache.org/Features/LogFormat#squid-native-accesslog-format-in-detail
// https://wiki.squid-cache.org/SquidFaq/SquidLogs
regex("(?<@timestamp>\d{10}\.\d{3})\s+(?<duration>\d+)\s+(?<client.ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\s+(?<cacheResultCode>\w+)\/(?<http.response.status_code>\d+)\s(?<responseSize>\d+)\s(?<http.request.method>\w+)\s(?<url>.*)\s(?<user.name>\w+|-)\s(?<proxyHierarchy>\w+)\/(?<destination.ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}|-)\s(?<http.response.mime_type>.+)") |
parseTimestamp(field=@timestamp, format=unixtime) |
// LogScale PaSta fields
Vendor:="squid" | logtype:="squid-proxy-log" |
// ECS fields
ecs.version:="8.8.0" |
event.module:="squid-cache" |
event.kind:="event" | event.category:="web" | observer.type:="proxy" |
source.ip:=client.ip |
// If an https request is made, the squid logs don't contain the scheme of the url (https://), and parseurl requires that to correctly parse the url.
// To get around this issue, if url doesn't start with http*, the parser adds a fake scheme (temp://) to the url, parses the url, drops the temporary scheme field and blanks the value of url.scheme.
// if on the other hand the url does start with http*, then all the above shenanigans are not needed and the url is parsed normally.
// most of the fields created by parseurl() conform with ECS fields, except for url.host, which therefore gets renamed.
case {
lower(url) | _lower!="http*" | temp:="temp://" | concat([temp,url], as=temp) | parseurl(temp, as=url) | drop([temp,_lower]) | url.scheme:="";
* | parseurl(url) } |
rename(url.host,as=url.domain) | url.original:=url |
// "source" defined as the device making the request, typically a host with a browser making a request to a web server via squid
// "destination" defined as the device receiving the request, typically a web server receiving a request via squid
// With https data, squid sets up a tunnel using "CONNECT" method. When method=CONNECT it is not possible to know what direction the data transfer is taking
// Other "methods" are logged, unsure whether to extract the data into destination/source bytes
case {
regex("^(GET|HEAD)$", field=http.request.method) | destination.bytes:=responseSize | network.bytes:=responseSize;
regex("^(PUT|POST)$", field=http.request.method) | source.bytes:=responseSize | network.bytes:=responseSize;
regex("^CONNECT$", field=http.request.method) | network.bytes:=responseSize | network.direction:="unknown";
* } |
// logic for setting "event.type" values. There are other cacheResultCode reported by squid, but I'm unsure what values to set for these, so I'm not.
case {
in(cacheResultCode, values=[TCP_DENIED]) | event.type:="denied";
in(cacheResultCode, values=["TCP_TUNNEL*","TCP_MISS*","TCP_REFRESH*","TCP*HIT"]) | event.type:="allowed";
in(cacheResultCode, values=["NONE*"]) | event.type:="error";
* }
tagFields:
- Vendor
- http.response.status_code
- event.type
- cacheResultCode