disable access.log logging on specific entries


disable access.log logging on specific entries

Verwaiser
Hello, our access.log is filled up to 95% with useless entries:
192.168.12.84 - - [18/Sep/2017:15:22:40 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990 TAG_NONE:HIER_NONE
192.168.12.117 - - [18/Sep/2017:15:22:40 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3991 TAG_NONE:HIER_NONE
192.168.12.84 - - [18/Sep/2017:15:22:41 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990 TAG_NONE:HIER_NONE
192.168.12.118 - - [18/Sep/2017:15:22:41 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3991 TAG_NONE:HIER_NONE
192.168.12.121 - - [18/Sep/2017:15:22:41 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3991 TAG_NONE:HIER_NONE
192.168.13.60 - - [18/Sep/2017:15:22:41 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990 TAG_NONE:HIER_NONE
192.168.12.89 - - [18/Sep/2017:15:22:41 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990 TAG_NONE:HIER_NONE
...
I think the antivirus on several workstations produces these entries.
How can I get rid of them?

What I've tried:

1.)
acl logNoSpamresolver url_regex -i SpamResolverNG
access_log /var/log/squid/access.log common !logNoSpamresolver

This does not filter the entries from access.log.

2.)
acl logNoSpamresolver url_regex -i http
access_log /var/log/squid/access.log common logNoSpamresolver

Now only URLs containing "http" are logged; https and others are ignored too.


Does anybody know a solution for this problem?

Holger
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: disable access.log logging on specific entries

Amos Jeffries
Administrator
On 19/09/17 01:45, Verwaiser wrote:
>
> Does anybody know a solution for this problem?
>

What Squid version?

Amos
Re: disable access.log logging on specific entries

Amos Jeffries
Administrator
> -------- Original Message --------
> From: Amos Jeffries
>
> On 19/09/17 01:45, Verwaiser wrote:
>  >
>  > Does anybody know a solution for this problem?
>  >
>
> What Squid version?
>
> Amos

On 19/09/17 20:56, admin wrote:
 > Sorry, I forgot...
 >
 > Squid version 3.5.21
 >

Please try an upgrade. The latest version works fine for me with the
same config.

Amos
Re: disable access.log logging on specific entries

Amos Jeffries
Administrator
On 21/09/17 01:42, Holger Wybranietz wrote:
 > Hello Amos,
 >
 > Yast doesn't show any newer version than 3.5.21 (you meant 3.5.27 is
 > working fine?).
 >

Yes. I tested with 3.5.27, 4.0.21, and latest v5 code. All hide the log
entries when !logNoSpamresolver is used.


 > By the way:
 > The entries I want to get filtered are similar to:
 >
 > 192.168.12.84 - - [18/Sep/2017:15:22:40 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990 TAG_NONE:HIER_NONE
 >
 > I think that this is not a "normal" URL; "/SpamResolverNG/Spa..." seems
 > to be a directory path?

It's called an origin-form URI and is the true form of URLs delivered to
web servers on port 80 and 443.

I suspect there is no Host header delivered by the client to allow Squid
to convert it into an absolute-form URL for proxy consumption. Which
would also explain the 400 status and *_NONE server details.


 > Is there another way to treat this kind of entries?
 >

That depends on your definition of "treat". They are all actual traffic
consuming resources on the proxy, so it is a little odd to hide them
from view. On the other hand you are using a web server log format in a
proxy, which is very lossy anyway.


The config mentioned earlier was correct for what you tried to do. It's
odd that it was not working.

Maybe something wrong with the regex. I'm thinking unicode characters
etc not quite matching what the eyes seem to indicate - in either the
URL itself or the config regex.


It might be a good idea to try and resolve the problem in the client
software if you can:

- if the AV software is configured to use the proxy (including with
auto-config methods, WPAD/PAC etc.) then it is a bug to be sending that
URL form to a proxy. The vendor may want to know and fix it, since other
customers will be having the same issue and this type of bug is a
security vulnerability for AV.

- if you are intercepting the traffic from port 80 or 443 somehow, then
your interception would appear to be broken. Squid should always be able
to determine the ORIGINAL_DST for intercepted traffic and transparently
deliver it there when Host is missing or invalid.

Amos
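An added example (not from this thread or the Squid project) that applies the diagnosis above to the log format in question: it parses Squid "common" format lines, classifies each request-target as origin-form or absolute-form, flags entries rejected with 400 and TAG_NONE:HIER_NONE, notes non-ASCII characters in the target (the regex-mismatch possibility raised above), and counts such entries per client so the misbehaving hosts can be fixed at the source rather than hidden from the log. The log lines in it are constructed, modelled on the ones Holger posted.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's "common" access_log format,
# modelled on the entries quoted in the thread; not real traffic.
SAMPLE_LOG = """\
192.168.12.84 - - [18/Sep/2017:15:22:40 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990 TAG_NONE:HIER_NONE
192.168.12.117 - - [18/Sep/2017:15:22:40 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3991 TAG_NONE:HIER_NONE
192.168.12.84 - - [18/Sep/2017:15:22:41 +0200] "GET http://www.example.com/index.html HTTP/1.1" 200 5120 TCP_MISS:HIER_DIRECT
192.168.12.84 - - [18/Sep/2017:15:22:41 +0200] "POST /SpamResolverNG/SpamResolverNG.dll?DoNewRequest HTTP/1.1" 400 3990 TAG_NONE:HIER_NONE
"""

# One "common" line: client ident user [time] "method target proto" status bytes TAG:HIER
COMMON_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ (?P<tag>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)

def target_form(target):
    """Request-target form as the proxy saw it: origin-form ("/path") is what an
    origin server expects; a proxy expects absolute-form ("http://host/path")."""
    if target.startswith("/"):
        return "origin"
    if "://" in target:
        return "absolute"
    return "other"  # e.g. the authority-form used by CONNECT

def parse_line(line):
    m = COMMON_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["form"] = target_form(rec["target"])
    # Requests Squid could not turn into a proxy request: origin-form target,
    # 400 reply and no server contacted (TAG_NONE:HIER_NONE).
    rec["unroutable"] = (rec["form"] == "origin" and rec["status"] == "400"
                         and rec["tag"] == "TAG_NONE" and rec["hier"] == "HIER_NONE")
    # Non-ASCII in the target would explain an ASCII url_regex failing to match.
    rec["non_ascii"] = not rec["target"].isascii()
    return rec

def unroutable_clients(log_text):
    """Count unroutable requests per client IP to locate the misbehaving hosts."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["unroutable"]:
            counts[rec["client"]] += 1
    return counts

if __name__ == "__main__":
    for client, n in unroutable_clients(SAMPLE_LOG).most_common():
        print(f"{client}: {n} origin-form requests rejected with 400")
```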
Re: disable access.log logging on specific entries

Eliezer Croitoru
If you trust the software which creates these requests, you can bypass the proxy for the IP addresses of this system.
If you do not trust this software, then it's better left passed to the proxy.
This URL should have a Host header, and if not, then it's probably something that should be blocked, or fixed by the vendor of the antispam solution.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]