{"id":3104,"date":"2019-05-26T20:47:02","date_gmt":"2019-05-26T17:47:02","guid":{"rendered":"https:\/\/kifarunix.com\/?p=3104"},"modified":"2019-05-29T14:17:13","modified_gmt":"2019-05-29T11:17:13","slug":"create-squid-logs-extractors-on-graylog-server","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/create-squid-logs-extractors-on-graylog-server\/","title":{"rendered":"Create Squid Logs Extractors on Graylog Server"},"content":{"rendered":"\n

In this guide, we are going to go over how to create squid logs extractors<\/a> on Graylog server. If you have pushed your Squid access logs to Graylog server via syslog, chances are they have not been parsed correctly to your liking. Use of Graylog makes it easy to to extract data from any text in the received message to message fields.<\/p>\n\n\n\n

See our previous guides on Graylog Server by following the links below;<\/p>\n\n\n\n

Install Graylog 3.0 on CentOS 7<\/a><\/p>\n\n\n\n

Monitor Squid Access Logs with Graylog Server<\/a><\/p>\n\n\n\n

Create Squid Logs Extractors on Graylog Server<\/h2>\n\n\n\n

Graylog Extractors can extract data using regular expressions, Grok patterns, substrings, or even by splitting the message into tokens by separator characters.<\/p>\n\n\n\n

To create an extractors for a specific input, Navigate to System<\/strong> > Inputs<\/strong> and click on Manage Extractors<\/strong>.<\/p>\n\n\n\n

\"Create<\/a><\/figure>\n\n\n\n

You can also create an extractor for a specific message from Graylog search dashboard by clicking on the message as shown in the screenshot below;<\/p>\n\n\n\n

\"Create<\/a><\/figure>\n\n\n\n

If you launched the extractor from Inputs section, click get started and load the message from the selected input.<\/p>\n\n\n\n

\"Load<\/figure>\n\n\n\n

In this guide, we are going to use Grok pattern to extract fields on Squid access logs, as highlighted above and proceed to create the grok pattern to extract various fields in your message.<\/p>\n\n\n\n

\"Graylog<\/a><\/figure>\n\n\n\n

For example, this is the grok pattern for the message used in this example. You can check sample Grok patterns under System > Grok Patterns<\/strong>.<\/p>\n\n\n\n

%{NUMBER:req_time} %{INT:duration;int} %{IPV4:req_client_address} %{NOTSPACE:squid_request_status}\/%{NUMBER:http_status_code} %{NUMBER:transfer_size} %{NOTSPACE:http_method} (%{URIPROTO:url_scheme}:\/\/)?(?\\S+?)(:%{INT:url_port})?(\/%{NOTSPACE:url_path})?\\s+%{NOTSPACE:client_identity}\\s+%{NOTSPACE:peer_code}\/%{NOTSPACE:peerhost}\\s+%{NOTSPACE:content_type}<\/code><\/pre>\n\n\n\n
A sample squid access log message is;<\/p>\n\n\n\n
1556260467.596 8 192.168.45.27 TCP_MISS\/200 2037 CONNECT 192.168.70.4:443 - HIER_DIRECT\/192.168.70.4 -<\/code><\/pre>\n\n\n\n
You can test your grok pattern by clicking try against your message<\/strong>. If all is well, then you should see your fields extracted.<\/p>\n\n\n\n
\"Graylog<\/a><\/figure>\n\n\n\n
Next, set the title of the extractor and save it.<\/p>\n\n\n\n
\"Save<\/a><\/figure>\n\n\n\n
Click Create extractor<\/strong> to create and save your extractor grok pattern. After that, navigate to the Graylog search dashboard and your suid log messages should now have the correct fields as defined by the extractor.<\/p>\n\n\n\n
\"Graylog<\/a><\/figure>\n\n\n\n
You have successfully created grok patterns to extract squid logs fields on Graylog server. Next, we are going to cover the creation of dashboards to ensure that you get good analytics visualization for your squid logs. See the link below;<\/p>\n\n\n\n
Monitor Squid logs with Grafana and Graylog<\/a><\/p>\n\n\n\n
Reference:<\/p>\n\n\n\n
Graylog Extractors<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, we are going to go over how to create squid logs extractors on Graylog server. If you have pushed your Squid access<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[962,121,72],"tags":[965,963,966],"class_list":["post-3104","post","type-post","status-publish","format-standard","hentry","category-graylog","category-howtos","category-monitoring","tag-extractors","tag-graylog","tag-squid-logs","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3104"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=3104"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3104\/revisions"}],"predecessor-version":[{"id":3154,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3104\/revisions\/3154"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=3104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=3104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=3104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}