Squid Proxy

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by submitting a ticket in the Samurai MDR application and we shall get it updated.

Product | Samurai [Local] Collector | Samurai [Cloud] Collector
Squid Proxy Server | Supported |

This guide describes the steps required to configure Squid Proxy Server to send logs to a Samurai Local Collector deployed on your network. Your Squid Proxy device(s) require access to the Local Collector via syslog on port 514/UDP.

To complete this Integration you will need to:

1) From your Squid Proxy Server

Configure Log Format

Complete these steps to configure the Squid log format.

  1. Log into the Squid server and edit the squid.conf file.

Note: The default location for this file is /etc/squid/squid.conf

  2. Add the following to the end of the file:
logformat squid-ntt timestamp="%{%Y-%m-%dT%H:%M:%SZ}tg" vendor="Squid" src="%>A" url="%ru" src_ip=%>a status=%>Hs http_user_agent="%{User-Agent}>h" http_method=%>rm http_content_type=%mt bytes_in=%<st bytes_out=%>st user=%un http_referer="%{Referer}>h" uri_path="%>rp" url_port=%<rP uri_scheme=%>rs duration=%<tt dest_port=%>rP src_port=%>p dest_host="%<A" dest_ip=%<a proxy_ip=%>la proxy_dest_port=%>lp proxy_src_port=%<lp vendor_squid_status=%Ss

access_log syslog:local4.info logformat=squid-ntt
  3. Save and close the file.

  4. Restart the Squid Proxy service.

Configure Syslog

  1. Edit the syslog.conf file.

  2. Add the following to the end of the configuration file, replacing [Samurai Local Collector IP address] with the IP address of the Samurai Local Collector deployed on your network:

# Logging for NTT Local Collector 
local4.info @@[Samurai Local Collector IP address]
  3. Save and close the file.

  4. Restart the syslogd service.

For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR Application as we auto detect the vendor and product. The only reason you need to use the Samurai MDR Application is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
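One way to confirm that Squid is emitting records in the squid-ntt format defined above is to parse a record back into its fields and flag values that do not fit. The following is an added example, not part of the original guide or of any Samurai tooling; the sample line and its syslog header are constructed, and the handling of backslash-escaped quotes inside quoted values is an assumption.

```python
import re

# Keys emitted by the squid-ntt logformat defined in this guide.
FIELDS = ("timestamp vendor src url src_ip status http_user_agent http_method "
          "http_content_type bytes_in bytes_out user http_referer uri_path "
          "url_port uri_scheme duration dest_port src_port dest_host dest_ip "
          "proxy_ip proxy_dest_port proxy_src_port vendor_squid_status").split()
NUMERIC = ("status", "bytes_in", "bytes_out", "duration", "src_port")

# key="quoted value" (backslash escapes are an assumption) or key=bare_token
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ$")

# Constructed sample: a syslog header followed by one squid-ntt record.
SAMPLE = ('<166>Jan 15 10:22:31 proxy01 squid[2211]: '
          'timestamp="2024-01-15T10:22:31Z" vendor="Squid" src="10.0.0.15" '
          'url="http://example.com/a?x=1&y=2" src_ip=10.0.0.15 status=200 '
          'http_user_agent="Mozilla/5.0 (X11; Linux x86_64)" http_method=GET '
          'http_content_type=text/html bytes_in=1534 bytes_out=412 user=- '
          'http_referer="-" uri_path="/a?x=1&y=2" url_port=80 uri_scheme=http '
          'duration=37 dest_port=80 src_port=51234 dest_host="example.com" '
          'dest_ip=192.0.2.10 proxy_ip=10.0.0.1 proxy_dest_port=3128 '
          'proxy_src_port=44120 vendor_squid_status=TCP_MISS')


def parse_squid_ntt(line):
    """Parse one squid-ntt record into a dict, skipping any syslog header."""
    start = line.find("timestamp=")
    if start < 0:
        raise ValueError("not a squid-ntt record")
    record = {}
    for key, quoted, bare in PAIR.findall(line[start:]):
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
        # Squid writes "-" when a value is unavailable; normalise to None.
        record[key] = None if value in ("-", "") else value
    return record


def validate(record):
    """Return problems that would hinder field extraction downstream."""
    problems = [f"missing field: {f}" for f in FIELDS if f not in record]
    if not TIMESTAMP.match(record.get("timestamp") or ""):
        problems.append("timestamp is not in YYYY-MM-DDTHH:MM:SSZ form")
    for field in NUMERIC:
        value = record.get(field)
        if value is not None and not value.isdigit():
            problems.append(f"{field} is not numeric: {value!r}")
    return problems
```

Running `validate(parse_squid_ntt(line))` over a few lines captured from the local4 facility returns an empty list when every field of the format is present and well-formed.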