Hello,
Bellow is the message that I retrieve from logstash. We use logstash as our logging system. Now, I do add tags to log messages in log stash. I believe the %st is my size right?
Apr 14 01:31:13 Proxy-SI-1 (squid-2): Proxy-SI-1 1460611873.853 0 2 10.88.14.225 TCP_DENIED_ABORTED 301 2147480505 535 2147479970 POST 1.0 text/html - - - - 3128 - [Mozilla/4.0 (compatible; MSIE 5.5; Win32)] [-] sq_err:[301 Access Denied] c_hdr:[Accept: */*\r\nContent-Type: application/octet-stream\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)\r\nUserAgent: blugro3relay.groove.microsoft.com\r\nContent-Length: 2147479552\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nExpires: 0\r\nCache-Control: max-age=0\r\n] s_hdr:[HTTP/1.1 301 Moved Permanently\r\nServer: squid/3.4.13\r\nMime-Version: 1.0\r\nDate: Thu, 14 Apr 2016 05:31:13 GMT\r\nContent-Type: text/html\r\nContent-Length: 0\r\nLocation: http://blockmessage.palmbeach.k12.fl.us/block_message.php?clientaddr=10.88.14.225&clientname=-&clientuser=-&clientgroup=SDPBC-Network&targetgroup=Blacklist&url="">\r\nX-Squid-Error: 301 Access Denied\r\n\r]
logformat custom Proxy-SI-1 %ts.%tu %dt %tr %>a %Ss %03Hs %st %<st %>st %rm %rv %mt %[un %<A %<a %<p %>lp %{Referer}>h [%{User-Agent}>h\
] [%{Host}>h] sq_err:[%{X-Squid-Error}<h] c_hdr:[%>h] s_hdr:[%<h]
On Fri, Apr 15, 2016 at 12:57 AM, Jason Haar <jason_haar@xxxxxxxxxxx> wrote:
If you are blocking it, then it can't be uploading 2G? How are you measuring that it uploads 2G? Did you change squid's logging to support that (it doesn't log upload sizes - only download sizes by default). Are you simply referring to the Content-Length header - as that would say 2G - even if the upload is then blocked.On Fri, Apr 15, 2016 at 4:04 PM, Michael Pelletier <michael.pelletier@xxxxxxxxxxxxxxxxxxxx> wrote:I am blocking grove.microsoft.com. Even though I am blocking it, I am seeing large, 2 Gig, uploads from the client to the proxy (which indeed blocks it). It is almost like the connection request (explicit) contains the 2 gig post request. Why is this happening? Has anyone seen this?Michael
Disclaimer: Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--CheersJason HaarInformation Security Manager, Trimble Navigation Ltd.Phone: +1 408 481 8171PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Disclaimer: Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
