Getting Data In

How to configure Splunk to log IP information from Squid proxy servers?

gijoesplunk
New Member

Hi everyone, I want to ask about Splunk and Squid proxy servers.
I have 3 proxies, let's say:

IP Proxy1: 192.168.1.10
IP Proxy2: 192.168.2.10
IP Proxy3: 192.168.3.10

I searched the log using: index=squid sourcetype=squid:access and I have results, but it's difficult to determine which results belong to the Squid log for proxy1, proxy2, and proxy3.

Is the Splunk app that is installed on the Squid proxy server not logging the IP information of the Squid proxy server? Or did I misconfigure the app on the Squid proxy server, so that the proxy server's IP does not show up?

0 Karma

rodrigorsilva
Communicator

Hi gijoesplunk,

You should take a look at this link:

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf

Specifically in the section:

host = <string>
* Sets the host key/field to a static value for this stanza.
* Primarily used to control the host field, which the input applies to events
  that come in through this input stanza.
* Detail: Sets the host key initial value. The input uses this key during
  parsing/indexing, in particular to set the host field. It also uses this
  field at search time.
* As a convenience, the input prepends the chosen string with 'host::'.
* WARNING: Do not put the <string> value in quotes. Use host=foo, not host="foo".
* If set to '$decideOnStartup', will be interpreted as hostname of executing
  machine; this will occur on each splunkd startup.
* If you run multiple instances of the software on the same system (hardware
  or virtual machine), choose unique values for 'host' to differentiate
  your data, e.g. myhost-sh-1 or myhost-idx-2.
* The literal default conf value is $decideOnStartup, but at installation
  time, the setup logic adds the local hostname as determined by DNS to the
  $SPLUNK_HOME/etc/system/local/inputs.conf default stanza, which is the
  effective default value.

I hope I have helped.

Rodrigo Ribeiro

0 Karma

gijoesplunk
New Member

Hi Rodrigo,
Thanks for the answer. I have re-checked the search results, and yes, I have found it in the host field.

Now that makes me confused: of the 3 proxy servers, only 1 proxy server is sending the squid log to the indexer.
I don't know why the other 2 are not sending the squid log to the indexer.
What should I check, both on the indexer server and also on the squid proxy servers?

0 Karma

miteshp250283
Path Finder

Did you copy the inputs.conf file from Proxy1 to the other two systems?

If so, change the host = Proxy1 stanza on the other 2 systems with their respective hostnames and restart Splunk/UF service.

0 Karma
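The two answers above come down to one thing: the `host` field in the inputs.conf excerpt Rodrigo quoted is a static value per stanza, and miteshp250283's fix is to make that value match the machine the file actually sits on. The script below is an added example, not code from the thread or from Splunk: it reads the `host=` that would apply to a monitor stanza (stanza value first, then `[default]`, with an unset value or `$decideOnStartup` resolving to the local hostname, as the spec describes), flags a mismatch, and rewrites the file the way the last answer suggests. The monitor path `/var/log/squid/access.log`, the temp-file locations and the fixed hostname `Proxy2` standing in for `$(hostname)` are assumptions; `sourcetype = squid:access` and `index = squid` come from the question. The sample inputs.conf is constructed to reproduce the "copied from Proxy1" case.

```shell
#!/bin/sh
# Added example (not from the thread): verify and fix the static host=
# setting in a Universal Forwarder's inputs.conf that was copied between
# proxies. Monitor path and file locations are assumptions.

# Print the host= value Splunk would apply to events from STANZA in CONF:
# the stanza's own host= if present, else the [default] stanza's. Per the
# inputs.conf spec, an unset value or "$decideOnStartup" means the local
# hostname, which the caller passes in as LOCALNAME.
effective_host() {
    conf=$1; stanza=$2; localname=$3
    value=$(awk -v want="$stanza" '
        /^\[/ { cur = substr($0, 2, length($0) - 2); next }
        /^[ \t]*host[ \t]*=/ {
            sub(/^[ \t]*host[ \t]*=[ \t]*/, "")
            if (cur == want) st = $0
            else if (cur == "default") def = $0
        }
        END { print (st != "" ? st : def) }' "$conf")
    case $value in
        ""|'$decideOnStartup') printf '%s\n' "$localname" ;;
        *)                     printf '%s\n' "$value" ;;
    esac
}

# Return 0 if STANZA's effective host equals LOCALNAME, else report and return 1.
# A quoted value like host="Proxy2" is also a mismatch: the spec says host=foo.
check_host() {
    have=$(effective_host "$1" "$2" "$3")
    if [ "$have" = "$3" ]; then
        return 0
    fi
    echo "MISMATCH in $1: host= is '$have' but this machine is '$3'" >&2
    return 1
}

# Replace every host= line in CONF with NEWHOST, keeping a .bak copy.
# splunkd reads inputs.conf at startup, so restart the forwarder afterwards.
set_host() {
    conf=$1; newhost=$2
    cp "$conf" "$conf.bak"
    awk -v h="$newhost" '
        /^[ \t]*host[ \t]*=/ { print "host = " h; next }
        { print }' "$conf.bak" > "$conf"
}

# Constructed sample: Proxy1's inputs.conf copied unchanged onto Proxy2.
write_sample() {
    cat > "$1" <<'EOF'
[default]
host = Proxy1

[monitor:///var/log/squid/access.log]
sourcetype = squid:access
index = squid
host = Proxy1
EOF
}

TMP=$(mktemp -d)
CONF=$TMP/inputs.conf
STANZA='monitor:///var/log/squid/access.log'
LOCAL=Proxy2    # stand-in for "$(hostname)" so the demo is deterministic
write_sample "$CONF"
if ! check_host "$CONF" "$STANZA" "$LOCAL"; then
    set_host "$CONF" "$LOCAL"
    echo "rewrote host= to $LOCAL; now run \$SPLUNK_HOME/bin/splunk restart"
fi
check_host "$CONF" "$STANZA" "$LOCAL" && echo "host field now $LOCAL"
```

On a real forwarder, point `CONF` at the app's `local/inputs.conf` and replace the fixed `LOCAL` with `$(hostname)`. Note that this only fixes the mislabelled host; if two forwarders send nothing at all, the host value is not the cause, and the forwarder side needs to be checked separately (whether the file is readable by the Splunk user, and whether `splunk list forward-server` shows the indexer as active), along with a search such as `index=squid sourcetype=squid:access | stats count by host` on the indexer to confirm which hosts are actually arriving.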