Security Basics mailing list archives

Re: Proxy log analyser


From: "Jon V" <denessar () gmail com>
Date: Mon, 13 Aug 2007 11:21:25 -0400

Thank you for the reply Julio and to all of those who replied
privately.  Sarg seems to be a hands-down favorite.  While Sarg is a
great tool it does not do what I want simply because I can already do
what it offers.

I realize that I may have stumbled my words a bit in my first post so
I'll try to clarify a bit.  Most of the info that Sarg generates I can
get using grep, Calamaris & Squint (down to the user-level browsing).

What I was more interested in was a system which could facilitate
(better even automate) going through the logs so that I wouldn't need
to spend hours doing it by hand.

Example of how things are now:  A user is suspected of wasting time.
We get his proxy logs from the rest using regular expressions.  I now
know everywhere he's gone.  I then use calamaris to summarize the
sites by most visited, most downloaded, etc.  I go over these sites by
hand to determine what is work related and what is not (This is the
long part).  I then use squint to see how much time is spent online.

The benefit of the doubt is always given to the employee: banners and page
refreshes (i.e. Google Mail constantly refreshing) are grepped out so as
not to have constant 24/7 traffic.

This is a recursive process and can take a few days depending on the
amount of traffic the user has.  When we get a request for a few
reports at a time we downright freak out.

This is why I was interested in a more automated app that could
intelligently determine policy violations and greatly lessen the
workload.

Thanks again to everybody
Jon
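The manual review described above (grep one user's requests out of the Squid log, summarize hosts, grep out banners and auto-refreshes, estimate time online), as an added Python example that is not part of this thread and not code from sarg, calamaris or squint. The log lines, user names, hosts and the REFRESH_WINDOW / IDLE_GAP thresholds are constructed for illustration.

```python
# Per-user Squid access.log triage: grep one user, drop banner/auto-refresh noise, then summarize hosts and active time.
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample in Squid native format: timestamp elapsed client code/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1186590000.000 120 10.0.0.5 TCP_MISS/200 4100 GET http://intranet.example.local/wiki jdoe DIRECT/10.0.0.2 text/html
1186590030.000 80 10.0.0.5 TCP_MISS/200 9000 GET http://mail.google.com/mail/?ui=1 jdoe DIRECT/72.14.1.1 text/html
1186590090.000 80 10.0.0.5 TCP_MISS/200 9000 GET http://mail.google.com/mail/?ui=1 jdoe DIRECT/72.14.1.1 text/html
1186590200.000 40 10.0.0.5 TCP_HIT/200 2300 GET http://ads.example.net/banner.gif jdoe NONE/- image/gif
1186594000.000 300 10.0.0.5 TCP_MISS/200 52000 GET http://www.example.org/news/ jdoe DIRECT/93.184.216.34 text/html
1186594020.000 200 10.0.0.5 TCP_MISS/200 31000 GET http://www.example.org/news/2 jdoe DIRECT/93.184.216.34 text/html
1186590010.000 100 10.0.0.6 TCP_MISS/200 6000 GET http://www.example.org/ asmith DIRECT/93.184.216.34 text/html
"""
REFRESH_WINDOW = 120   # same URL again within this many seconds counts as auto-refresh, not a click (assumed)
IDLE_GAP = 600         # silence longer than this ends a browsing session (assumed)
NOISE_MIME = "image/"  # banners and inline images are not visits

def parse_line(line):
    f = line.split()  # fields of one native-format Squid log line
    if len(f) < 10:
        return None
    return {"ts": float(f[0]), "bytes": int(f[4]), "url": f[6], "user": f[7],
            "host": urlsplit(f[6]).hostname or f[6], "mime": f[9]}

def user_records(log_text, user):  # the manual grep step: one user's requests, in time order
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["user"] == user]
    return sorted(recs, key=lambda r: r["ts"])

def drop_noise(recs):  # benefit of the doubt: discard banner images and auto-refreshes
    kept, last_seen = [], {}
    for r in recs:
        prev = last_seen.get(r["url"])
        last_seen[r["url"]] = r["ts"]
        if r["mime"].startswith(NOISE_MIME) or (prev is not None and r["ts"] - prev <= REFRESH_WINDOW):
            continue
        kept.append(r)
    return kept

def summarize(log_text, user):  # per-host hits/bytes (the calamaris step) and active seconds (the squint step)
    recs = drop_noise(user_records(log_text, user))
    hosts, active, start, prev = defaultdict(lambda: {"hits": 0, "bytes": 0}), 0.0, None, None
    for r in recs:
        hosts[r["host"]]["hits"] += 1
        hosts[r["host"]]["bytes"] += r["bytes"]
        if start is None or r["ts"] - prev > IDLE_GAP:  # first request, or an idle gap closes a session
            active += prev - start if start is not None else 0.0
            start = r["ts"]
        prev = r["ts"]
    active += prev - start if recs else 0.0  # close the last session
    return {"hosts": dict(hosts), "requests": len(recs), "active_seconds": active}
```

The per-host table is what still needs a human decision about work-related versus not; the noise filter and session time are the parts that lend themselves to automation.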

On 8/8/07, Julio Crespo <julio.crespo () aes com> wrote:
Hi, I use sarg

http://sarg.sourceforge.net/

It's excellent for blocked pages and for seeing the sites for each IP.
It also shows denies and the top downloads.
Take care with files (hard disk) when generating the report daily.

Regards.
Julio.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Jon V
Sent: Wednesday, 08 August 2007 14:27
To: security-basics () securityfocus com
Subject: Proxy log analyser

The company I work for uses squid as a proxy server to restrict
outbound http web access.  We use calamaris and squint to get an
overall view of browsing (mostly statistical data) and squidguard for
basic policy enforcement (blacklist porn sites and such) however most
proxy log auditing is unfortunately done by hand when needed.

I was wondering if someone knew of a product that could be used that
would help with the policy enforcement as well as automate more of the
analysis of user logs since these take an enormous amount of time to
go through by hand.

Most open source apps that I've seen are mostly for summary
statistical data and don't seem to quite have what I want.  The
closest thing that I've seen so far is Cyfin Reporter by Wavecrest
computing.

Thanks for your time

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs service.



________________________________________________________________________
This communication is for use by the intended recipient and contains information that may be privileged, confidential 
or copyrighted under law. If you are not the intended recipient, you are hereby formally notified that any use, 
copying or distribution of this e-Mail, in whole or in part, is strictly prohibited. Please notify the sender by 
return e-Mail and delete this e-Mail from your system. Unless explicitly and conspicuously stated in the subject 
matter of the above e-Mail, this e-Mail does not constitute a contract offer, a contract amendment, or an acceptance 
of a contract offer. This e-Mail does not constitute consent to the use of sender's contact information for direct 
marketing purposes or for transfers of data to third parties.
