Hi Chris - and many many thanks...
See also below.
/path/to/sarg -l /var/log/squid/access.log -l /var/log/squid/access.log.1 -l /var/log/squid/access.log.2.gz
will parse the data from access.log, access.log.1 and (after
gunzipping) access.log.2.gz, and will give you one report for the time
covered by these log files.
Great. That is exactly what I wanted - but haven't found it in any
documentation so far.
What I want to do is produce a report that shows me:
Which clients visited which sites between (say) 18:00 and 19:00.
Maybe this is possible with sarg - but if so I haven't found it.
You have two choices with SARG.
The first is the simplest, but might not meet your needs. Make sure
in your sarg.conf file the "report_type" directive includes
"users_sites" and "date_time" and/or "site_user_time_date". The first
will give you a listing of the sites each username/IP accessed. The
second will show bandwidth usage per hour for each username/IP
(linked from the main report). The third will give you a listing of
the times an individual accessed a specific website (linked from the
users_sites report).
I have checked that these "report_types" are enabled - and can find most
of what you are talking about except the one I really want. The thing
you describe as the "second" above is exactly what I want - but:
The date-time reports I get don't seem to be exactly what you describe.
If I go to the main page, then click on the most recent report I get a
list of client IP addresses.
If I click on the "Date-Time" icon near the left of each row - I get an
array with hours across and dates down. Each cell contains what appears
to be an "elapsed time". I don't really understand what this time means
- but it doesn't appear to be the Bandwidth used during that hour.
Am I in the wrong place - or am I misunderstanding something? Either way
- what do these "times" mean?
Your second option is to create a report just covering a specific time
period. The following hourly cron job does this:
#!/bin/bash
# Get current date
TODAY=$(date +%d/%m/%Y)
LASTHOUR=$(date +%H -d "1 hour ago")
HOUR=$(date +%H)
/bin/touch /path/to/web/squid-reports/images
# Be careful with this next line, as it recursively removes any files modified more
# than 30 minutes ago in the path given!
/usr/bin/find /path/to/web/squid-reports -type d -cmin +30 -exec rm -rf {} \;
/usr/bin/sarg -d $TODAY-$TODAY -t $LASTHOUR:00-$HOUR:00
Many thanks for this. If I can't find what I'm looking for in the first
suggestion above - then I will give this a try. The earlier option
should work with my historical data - whereas - this cron job will only
provide reports on new data. I did try using sarg with the -t option at
one stage - and it didn't seem to follow the -t directive - but perhaps
there was a problem with my syntax. I might have left the :00 off the times.
Thanks Chris
Richard.
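
Added example, not part of the original thread and not SARG code: a Python sketch that answers "which clients visited which sites between 18:00 and 19:00" directly from current and rotated (including gzipped) log files, so it also works on historical data. It assumes Squid's default native access.log format; the function names and the sample lines are constructed for illustration.

```python
import gzip
import sys
from collections import defaultdict
from datetime import datetime, time, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# epoch.ms elapsed_ms client code/status bytes method URL user hierarchy/peer type
SAMPLE = """\
1705341599.120    210 192.168.1.10 TCP_MISS/200 5120 GET http://example.org/a - HIER_DIRECT/192.0.2.10 text/html
1705341900.456    180 192.168.1.10 TCP_MISS/200 2048 GET http://example.org/index.html - HIER_DIRECT/192.0.2.10 text/html
1705344000.001  30500 192.168.1.11 TCP_TUNNEL/200 9000 CONNECT mail.example.net:443 - HIER_DIRECT/192.0.2.20 -
1705344010.500     95 192.168.1.10 TCP_HIT/200 1024 GET http://example.org/logo.png - HIER_NONE/- image/png
1705345800.900    120 192.168.1.11 TCP_MISS/200 700 GET http://example.com/ - HIER_DIRECT/192.0.2.30 text/html
""".splitlines()

def read_logs(paths):
    """Yield lines from plain and gzip-compressed (rotated) log files."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def site_of(method, url):
    """Host of the request; CONNECT entries log host:port instead of a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def clients_by_site(lines, start, end, tz=None):
    """Return {client: {site: [requests, bytes]}} for start <= time of day < end.
    tz=None interprets the epoch timestamps in the machine's local timezone."""
    report = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        f = line.split()
        try:
            when = datetime.fromtimestamp(float(f[0]), tz).time()
            client, size, site = f[2], int(f[4]), site_of(f[5], f[6])
        except (IndexError, ValueError):
            continue  # skip truncated or non-native-format lines
        if start <= when < end:
            report[client][site][0] += 1
            report[client][site][1] += size
    return report

if __name__ == "__main__":
    use_files = len(sys.argv) > 1
    lines = read_logs(sys.argv[1:]) if use_files else SAMPLE
    tz = None if use_files else timezone.utc  # the constructed sample is in UTC
    for client, sites in sorted(clients_by_site(lines, time(18), time(19), tz).items()):
        for site, (hits, size) in sorted(sites.items()):
            print(f"{client}\t{site}\t{hits} requests\t{size} bytes")
```

Pass the log files as arguments (for example access.log, access.log.1 and access.log.2.gz); with no arguments it runs over the constructed sample.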