Squid
den_scs, 2017-11-13 13:40:23

Squid3 bind AD user to ip when parsing access.log?

Good afternoon!
Squid writes in access.log on http request:
192.168.0.83 TCP_DENIED/403 3928 GET detectportal.firefox.com/success.txt [email protected] HIER_NONE/- text/html
On request via https:
192.168.0.83 TCP_TUNNEL/200 680 CONNECT rs.mail.ru:443 - FIRSTUP_PARENT/192.168.0.3 -
It is necessary to count the traffic by the name of the domain user; in order to read the traffic inside the tunnel you need to replace the certificate, and I don't think this is a good idea. I know that ideco binds the username to the ip address during the first authorization.
How to make the log analyzer understand the ip and the active directory account name as a "single entity"?
The analyzer I use is squidanalyzer.
UPD
Parsed ssl connection via ssl_dump:
192.168.0.114 TCP_MISS/200 622 GET https://portal.mail.ru/NaviData? - HIER_DIRECT/94.100.180.59 application/json
But the desired result was not achieved. As before, there is a dash after the url; I expected it to be like this:
192.168.0.114 TCP_MISS/304 322 GET mail.ru/templates/protostar/js/template.js [email protected] HIER_DIRECT/94.100.180.59
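One way to get the "ip + AD account as a single entity" view without bumping TLS is to post-process access.log the way the question says ideco does: remember the last account that authenticated from each client ip, and charge the CONNECT tunnels (which Squid logs with `-` as the user) to that account. The script below is an added example, not part of the original question or of squidanalyzer; the log lines are constructed in the same column layout as the ones quoted above, and the account names are placeholders.

```python
from collections import defaultdict

# Column layout of the lines quoted in the question (squid native format
# without the leading timestamp/elapsed columns):
#   client code/status bytes method url user hierarchy/peer content-type
FIELDS = ("client", "status", "bytes", "method", "url", "user", "hierarchy", "ctype")

# Constructed sample modelled on the question's lines; accounts are placeholders.
SAMPLE_LOG = """\
192.168.0.83 TCP_DENIED/403 3928 GET detectportal.firefox.com/success.txt - HIER_NONE/- text/html
192.168.0.83 TCP_MISS/200 1200 GET detectportal.firefox.com/success.txt ivanov@EXAMPLE.LOCAL HIER_DIRECT/34.107.221.82 text/plain
192.168.0.83 TCP_TUNNEL/200 680 CONNECT rs.mail.ru:443 - FIRSTUP_PARENT/192.168.0.3 -
192.168.0.114 TCP_TUNNEL/200 9000 CONNECT portal.mail.ru:443 - HIER_DIRECT/94.100.180.59 -
192.168.0.114 TCP_MISS/304 322 GET mail.ru/templates/protostar/js/template.js petrov@EXAMPLE.LOCAL HIER_DIRECT/94.100.180.59 text/javascript
"""

def parse_line(line):
    """Split one access.log line into a dict; None if the column count is off."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["bytes"] = int(rec["bytes"])
    return rec

def attribute(lines):
    """Yield (account, record). The account is the one Squid logged; for lines
    logged with '-' (CONNECT tunnels, 403s before auth) it is the last account
    seen authenticating from the same client ip. Lines from an ip that has not
    authenticated yet are tagged 'unbound:<ip>' so they are not silently lost.
    This is a heuristic: a NAT box or terminal server behind one ip, or an ip
    reassigned by DHCP, will mix users, so keep the mapping time-limited."""
    bound = {}  # client ip -> last authenticated account
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] != "-":
            bound[rec["client"]] = rec["user"]
            yield rec["user"], rec
        else:
            yield bound.get(rec["client"], "unbound:" + rec["client"]), rec

def traffic_by_user(log_text):
    """Sum bytes per account over the whole log, tunnels included."""
    totals = defaultdict(int)
    for account, rec in attribute(log_text.splitlines()):
        totals[account] += rec["bytes"]
    return dict(totals)
```

The same `attribute()` pass can rewrite the `-` column in a copy of the log so that squidanalyzer sees a user on the CONNECT lines, but the mapping only becomes reliable after the first authenticated HTTP request from each ip.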


2 answer(s)
CityCat4, 2017-11-13

Probably we should start with which log analyzer to use, because squid itself does not count logs.
PS: The sense in such a calculation will be exactly zero. Without bumping, a certain "external" address will be visible, to which all traffic will be counted, which is, of course, not the case. That is, here I go to mail.ru. An https session has been formed, I switch from the main mail.ru to "Dating" and there I calmly frame my girls during working hours. The log analyzer without bumping will see mail.ru in all cases. The log analyzer with bumping will see all the internal moves.

den_scs, 2017-11-13

I will clarify: the traffic is counted, but in the case of https it is attributed to the ip address, and in the case of http to the user.
