Raw Cisco WSA squid event:
1533849492.277 0 192.168.1.11 TCP_DENIED/307 0 GET http://detectportal.firefox.com/success.txt - NONE/- - OTHER-NONE-AuthenticatedUsers-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -
props.conf
[cisco:wsa:squid]
TRANSFORMS-null = tcpdenied307-firefox
transforms.conf
[tcpdenied307-firefox]
REGEX = .+(TCP_DENIED).+(307).+(detectportal.firefox.com).+
DEST_KEY = queue
FORMAT = nullQueue
Any ideas why my REGEX doesn't work?
Hi there,
the regex works fine. Here are a few things to check:
TRANSFORMS-nullQueue-tcpdenied307-firefox = tcpdenied307-firefox
just to make sure the <class> is unique.
cheers, MuS
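The two checks from the answer above, as an added Python example that is not part of the original thread: it tests the posted REGEX against the posted event, and it looks for the same TRANSFORMS-<class> name defined with different values in the same stanza across several props.conf files, where only one definition survives merging. Assumptions: Python's re module stands in for Splunk's PCRE engine for this pattern, the event's trailing field block is shortened, and the file paths and the transform name example_addon_drop are constructed.

```python
import configparser
import re
from collections import defaultdict

# REGEX and event from the question (trailing <...> field block shortened).
REGEX = r".+(TCP_DENIED).+(307).+(detectportal.firefox.com).+"
EVENT = ("1533849492.277 0 192.168.1.11 TCP_DENIED/307 0 GET "
         "http://detectportal.firefox.com/success.txt - NONE/- - "
         "OTHER-NONE-AuthenticatedUsers-NONE-NONE-NONE-NONE <-,-,-> -")

# Constructed sample: two props.conf files that reuse the class name "null".
PROPS_FILES = {
    "apps/example_addon/default/props.conf":
        "[cisco:wsa:squid]\nTRANSFORMS-null = example_addon_drop\n",
    "apps/search/local/props.conf":
        "[cisco:wsa:squid]\nTRANSFORMS-null = tcpdenied307-firefox\n",
}

def regex_matches(pattern, event):
    """True if the transform's REGEX would select this event."""
    return re.search(pattern, event) is not None

def transforms_settings(text):
    """Yield (stanza, key, value) for every TRANSFORMS-<class> setting."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep key case: TRANSFORMS-null, not transforms-null
    cp.read_string(text)
    for stanza in cp.sections():
        for key, value in cp.items(stanza):
            if key.startswith("TRANSFORMS-"):
                yield stanza, key, value

def class_collisions(files):
    """Map (stanza, key) -> [(path, value)] where files disagree on the value."""
    seen = defaultdict(list)
    for path, text in files.items():
        for stanza, key, value in transforms_settings(text):
            seen[(stanza, key)].append((path, value))
    return {k: v for k, v in seen.items() if len({val for _, val in v}) > 1}

if __name__ == "__main__":
    print("REGEX matches event:", regex_matches(REGEX, EVENT))
    for (stanza, key), defs in class_collisions(PROPS_FILES).items():
        print(f"[{stanza}] {key} is defined more than once:")
        for path, value in defs:
            print(f"    {path}: {value}")
```

Renaming the local setting to TRANSFORMS-nullQueue-tcpdenied307-firefox, as suggested in the answer, makes the collision report empty.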
Hi,
Thanks.
@moey check file permissions on props.conf and transforms.conf. It should be read only. You can compare file permission with other similar configurations.