Re: [squid-users] External IP in access.log

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 02 Aug 2012 11:28:29 +1200

On 02.08.2012 09:37, Usuário do Sistema wrote:
> Hello, I have been asked what are external ip address in the sarg
> reports.
>
> so I had done a search in access.logs and I found follow access among
> others.
>
> 795035 112.215.36.175 TCP_MISS/200 96944 GET
> http://ads.xlxtra.com%2Ferrors%2F%3Ftype=40
> 4_at_efreephoto.com/pictures/9612330624e58d492b8555.jpg -
> DIRECT/74.204.173.205 image/jpeg
>
> please, released there are two external ip address at the initial
> 112.215.36.175 and at the end 74.204.173.205.
>
> when I run a sarg report that access it appear like the most used! it
> is very strange why it doesn't show a internal ip address instead ?

One would assume you know the Squid machine IP address(es) without
needing them logged on every request. If you have a multi-IP box where
that is also needed, you can use a custom log format to display the IP
at Squids end of each TCP connections.
   http://www.squid-cache.org/Doc/config/logformat/

>
> what is this external access ?

http://wiki.squid-cache.org/Features/LogFormat

The one on the right (next to DIRECT/) is the IP of the server
providing the response. Every MISS or REFRESH will have a server where
the upstream data came from.

The one on left (next to TCP_MISS) is the IP of the client making the
request. One would expect you to know who your users are and where they
are located. If that IP is known not to be a legit customer/client of
your Squid something is wrong with your security access controls.

Amos
Received on Wed Aug 01 2012 - 23:28:39 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 02 2012 - 12:00:02 MDT