On 05/22/2017 05:56 AM, Ralf Hildebrandt wrote:
> * Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
>> On 05/20/2017 10:07 AM, Ralf Hildebrandt wrote:
>>> we want to create statistics on how many
>>> clients were "caught" trying to access blocked sites.
>>>
>>> Currently, we're grepping the log for TCP_DENIED in conjunction with the
>>> patterns from the ACLs. [...]
>>> Is there any way around this? Like "tagging" rejects or logging the
>>> ACL that caused the rejection?
>> Yes, append an annotate_transaction ACL with a distinct annotation value
>> to each distinct http_access rule. If you have many such rules, this
>> should be automated, of course.
>>
>> Log the added annotation using %note logformat code.
> How would I add this to this exemplary ACL?
> acl zeustrackerdomain dstdomain "/etc/squid3/generated-zeus-domainblocklist.acl"
> http_access deny zeustrackerdomain
You do not add this to an ACL. You add this to an http_access rule:
acl markZeustrackerdomain annotate_transaction
accessRule=zeustrackerdomain
acl markFoobar annotate_transaction accessRule=foobar
...
http_access deny zeustrackerdomain markZeustrackerdomain
http_access allow foo bar markFoobar
...
logformat ... accessRule=%{accessRule}note ...
> deny_info http://proxy.charite.de/zeusdomain/ zeustrackerdomain
The above deny_info would have to be adjusted to stay in sync:
deny_info http://proxy.charite.de/zeusdomain/ markZeustrackerdomain
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
