Re: [squid-users] Forcing all user to go through proxy server

From: Joel Jaeggli <joelja@dont-contact.us>
Date: Thu, 31 May 2001 10:22:09 -0700 (PDT)

On Thu, 31 May 2001, Fred Kamwaza wrote:

> Hi,
>
> I was toiling with the idea of logging all users in order to get statistics
> on where they are going on the net and how long they are using the system,
> etc. I was then introduced to 'SARG' which is doing exactly what I wanted.
> Thanks to Bruno Guerreiro who gave me a push in the right direction.
>
> My problem now is that I have noticed that not all activities are logged
> in 'access.log'. This includes ftp downloads/uploads, telnet sessions
> etc. In particular, some users on my local area network are NOT logged.
>
> Now I have two questions:
>
> 1. How do I force everyone (every PC) on the LAN to use the proxy server? I
> need to log all activities on the LAN.

you can't really force local traffic (on the subnet) through the cache
box. the users can simply configure their clients around that (it's a
policy issue, not a technical one)...

> 2. How do I force all requests, eg ftp, telnet, http, etc. to get logged?

squid won't be handling any of those services (except proxy ftp) so it
won't be logging them... What you really need is a fast ethernet switch to
set in your core that can span all the traffic to a single port, where you
can examine the contents of the traffic at your leisure... if you want to
examine only outbound traffic something like cisco netflow (or your vendor
equivalent) on your border router can log all the flows (but not their
contents)...

Ultimately if your users prefer not to be spied on they'll just tunnel and
encrypt their traffic, at which point you're back where you started.

> Fred.
> -----------------------------------------------------------
> > If you need any help...
> >
> > -----Original Message-----
> > From: Fred Kamwaza [mailto:fred@sdnp.org.mw]
> > Sent: terça-feira, 29 de Maio de 2001 15:40
> > To: bruno.guerreiro@ine.pt
> > Cc: squid-users@squid-cache.org
> > Subject: RE: [squid-users] Help! Can squid authentication log user
> > activit
> >
> >
> > I just want to say thank you very much for the information. I have
> > been to the site and I have downloaded 'Sarg'. I will be testing it
> > right away.
> >
> >> Hi,
> >> I think that SARG may do the trick for you:
> >> http://web.onda.com.br/orso/index.html
> >> It doesn't authenticate users, it just analyzes Squid logs.
> >> This page also has some sample reports, so you can see if it meets
> >> your needs.
> >>
> >> Regards,
> >>
> >> Bruno Guerreiro.
> >>
> >> -----Original Message-----
> >> From: Fred Kamwaza [mailto:fred@sdnp.org.mw]
> >> Sent: sábado, 26 de Maio de 2001 12:47
> >> To: hno@hem.passagen.se
> >> Cc: squid-users@squid-cache.org
> >> Subject: [squid-users] Help! Can squid authentication log user
> >> activities?
> >>
> >>
> >> Dear Henrik,
> >>
> >> Thanks very much indeed for your invaluable assistance. I very much
> >> appreciate your guidance. I have taken note of all tips.
> >>
> >> I am, however, in a difficult situation. I operate a LAN with a very
> >> large number of users but our bandwidth is small. The users share
> >> machines. What I would really like to do is allow access only to
> >> those registered. When they login, the system should then take logs
> >> of whoever is logging on to the system, going on to the Internet. I
> >> would like to capture the following information, 'Username', 'IP of
> >> machine logged from', 'Time logged in', 'Time logged out' and if
> >> possible amount of data transferred in bytes.
> >>
> >> I was of the opinion that the squid authentication would help me do
> >> that. If this is not possible using squid, would you know of any way
> >> I can do this?
> >>
> >> I am running my system with RedHat 6.2 as a server, on a LAN, with
> >> Windows 98 machines as clients.
> >>
> >>> pam_auth is not really intended for setups requiring authentication
> >>> to /etc/shadow, but where you do have a PAM module for connecting to
> >>> the user directory in question, but no Squid auth module. /etc/shadow
> >>> is one such case, but not a very interesting one from a functionality
> >>> perspective.
> >>>
> >>> As the author of Squid pam_auth I can only agree that there are
> >>> concerns about running pam_auth setuserid root for authentication to
> >>> /etc/shadow. The brute-force attack issue is a real one, and there
> >>> always is the risk of buffer overflows in SUID applications even if
> >>> the pam_auth code is believed to be reasonably secure in this respect
> >>> (but there may well be aspects I have overlooked).
> >>>
> >>> --
> >>> Henrik Nordstrom
> >>> Squid Hacker
> >>>
> >>> Lim Seng Chor wrote:
> >>>
> >>>> i personally feel pam_auth is a dangerous program to run if you are
> >>>> running a multi-user system. unless you are running a dedicated-
> >>>> cache system, or else pam_auth might get yourself into trouble. this
> >>>> may allow users to do brute-force attack on password
> >>>> guessing or password sniffing on the port pam_auth listening. and
> >>>> unknown setuid buffer overflow for pam_auth if exists. do this at
> >>>> your own risk. good luck!!
> >>
> >
> --
> Fred Kamwaza
> University of Malawi
> The Polytechnic
> P/B 303, Chichiri, Blantyre 3
> -------------------------------------
> Tel: (265) 670 411 (o); (265) 842 891 (m)
> Fax: (265) 670 578
> email: fred@sdnp.org.mw
> URL: http://poly.sdnp.org.mw
>
>

-- 
--------------------------------------------------------------------------
Joel Jaeggli				       joelja@darkwing.uoregon.edu
Academic User Services			     consult@gladstone.uoregon.edu
     PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--------------------------------------------------------------------------
It is clear that the arm of criticism cannot replace the criticism of
arms.  Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.
Received on Thu May 31 2001 - 11:22:54 MDT
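
An added example, not part of the original thread: the reply's point that Squid logs only what it proxies can be checked by summarising access.log per client and user and comparing against a list of LAN hosts. The log lines (Squid's native access.log layout), the `LAN_HOSTS` inventory and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed_ms client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
991329729.123    340 192.168.1.10 TCP_MISS/200 4512 GET http://example.org/ fred DIRECT/192.0.2.10 text/html
991329731.456     12 192.168.1.10 TCP_HIT/200 1024 GET http://example.org/logo.gif fred NONE/- image/gif
991329740.002   2210 192.168.1.11 TCP_MISS/200 880311 GET ftp://ftp.example.org/pub/file.tar.gz - DIRECT/192.0.2.20 application/x-gzip
991329750.900      5 192.168.1.12 TCP_DENIED/407 1377 GET http://example.net/ - NONE/- text/html
"""

# Hypothetical inventory of LAN clients (e.g. taken from DHCP leases); constructed.
LAN_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        action, _, status = f[3].partition("/")
        return {"ts": float(f[0]), "elapsed_ms": int(f[1]),
                "client": str(ipaddress.ip_address(f[2])),
                "action": action, "status": int(status),
                "bytes": int(f[4]), "method": f[5], "url": f[6], "user": f[7]}
    except ValueError:
        return None

def summarize(log_text):
    """Requests and bytes per (client, user); user '-' means no authentication."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] == "TCP_DENIED":
            continue  # skip garbage and requests the proxy refused
        t = totals[(rec["client"], rec["user"])]
        t["requests"] += 1
        t["bytes"] += rec["bytes"]
    return dict(totals)

def unseen_hosts(log_text, inventory):
    """Inventory hosts with no served request: idle, or not using the proxy."""
    seen = {client for client, _ in summarize(log_text)}
    return sorted(set(inventory) - seen)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("not in access.log:", unseen_hosts(SAMPLE_LOG, LAN_HOSTS))
```

A host listed by `unseen_hosts` is only a lead: telling an idle machine from one that goes around the proxy needs flow data from the border router or a mirrored switch port, as the reply says.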
