Accenture MDR Quick Start Guide for Squid Web Proxy (TCP)
This quick start guide will help Accenture MDR customers configure Squid Web Proxy to send logs to the Log Collection Platform (LCP).
The guide details the standard configuration process for the NXLog agent to send Squid Web Proxy logs over TCP to the LCP.
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture Security Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Squid Web Proxy | LCP | 10013 (TCP), 10014 (TCP) | Default ports (10013 for plain TCP, 10014 for TLS over TCP) |
Configuring Squid Web Proxy
To configure the Squid Web Proxy Cache, follow the steps below.
I. Edit the squid.conf file.
Cache requires access to logs written in the httpd common log format. By default, this format is enabled. If this format is not enabled, you must edit the squid.conf file.
To edit the squid.conf file, follow the steps below.
Log in to the Squid Web Proxy Cache computer.
Based on the operating system used, navigate to the following directory:
For UNIX: /etc/squid/
For Windows: \Squid\etc\squid\
Use a text editor, such as vi on UNIX or Notepad on Windows, to edit the squid.conf file.
Define the log format by adding the following commands at the end of the squid.conf configuration file.
To generate logs in native format, add any one of the following lines.
Native log file format with header:
Code Block
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]

Native log file format without header:
Code Block
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

To generate logs in httpd log format, add the following line.
Httpd log file format with header:
Code Block
logformat squid %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh [%>h] [%<h]
After defining the log format, append the following configuration line below it.
For Unix -
Code Block
For Windows -
Code Block
Save and close the squid.conf file.
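The three logformat directives above decide what the LCP will have to parse. As an added example (not code from this guide, from Squid or from NXLog), the following Python parser reads lines written in any of the three formats, types the numeric fields, and turns the optional "[%>h] [%<h]" header blocks into dictionaries. The sample lines are constructed; the assumption that Squid percent-encodes the CRLF between header lines as %0d%0a is marked in the code and the splitter also accepts literal line breaks.

```python
"""Parse Squid access.log lines written with the logformat directives from this guide.

Added example, not part of the original guide: the three logformat strings are the
ones the guide asks you to add to squid.conf; the sample lines are constructed.
"""
import re
from typing import Optional

# Native format, with header:    %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
# Native format, without header: the same string minus the trailing "[%>h] [%<h]".
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+)\.(?P<tu>\d{3})\s+(?P<tr>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<squid_status>[^/\s]+)/(?P<http_status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<mime>\S+)"
    r"(?:\s+\[(?P<req_hdr>.*?)\]\s+\[(?P<rep_hdr>.*)\])?\s*$"
)

# Httpd format, with header: %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh [%>h] [%<h]
HTTPD_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<ident>\S+)\s+(?P<user>\S+)\s+\[(?P<local_time>[^\]]+)\]\s+"
    r'"(?P<method>\S+)\s+(?P<url>\S+)\s+HTTP/(?P<version>[\d.]+)"\s+'
    r"(?P<http_status>\d{3})\s+(?P<bytes>\d+)\s+(?P<squid_status>[^:\s]+):(?P<hier>\S+)"
    r"\s+\[(?P<req_hdr>.*?)\]\s+\[(?P<rep_hdr>.*)\]\s*$"
)

# Assumption: Squid writes the CRLF between logged header lines percent-encoded as
# %0d%0a. Literal line breaks are accepted as well so both spellings parse.
HEADER_BREAK = re.compile(r"%0[dD]%0[aA]|\r\n|\n")


def parse_header_block(block: str) -> dict:
    """Turn the "[%>h]" / "[%<h]" payload into a name -> value mapping."""
    headers = {}
    for part in HEADER_BREAK.split(block):
        name, sep, value = part.partition(":")
        if sep and name.strip():
            headers[name.strip()] = value.strip()
    return headers


def parse_squid_line(line: str) -> Optional[dict]:
    """Return a typed record for a native or httpd format line, or None if it matches neither."""
    m = NATIVE_RE.match(line)
    if m:
        g = m.groupdict()
        rec = {
            "format": "native",
            "time": int(g["ts"]) + int(g["tu"]) / 1000.0,  # %ts.%03tu -> epoch seconds
            "response_ms": int(g["tr"]),                  # %6tr, milliseconds
            "client": g["client"],                        # %>a
            "squid_status": g["squid_status"],            # %Ss, e.g. TCP_MISS
            "http_status": int(g["http_status"]),         # %03>Hs
            "bytes": int(g["bytes"]),                     # %<st
            "method": g["method"],                        # %rm
            "url": g["url"],                              # %ru
            "user": g["user"],                            # %un
            "hierarchy": g["hier"],                       # %Sh, e.g. HIER_DIRECT
            "peer": g["peer"],                            # %<A
            "mime": g["mime"],                            # %mt
        }
    else:
        m = HTTPD_RE.match(line)
        if not m:
            return None
        g = m.groupdict()
        rec = {
            "format": "httpd",
            "time": g["local_time"],                      # %tl, kept as the logged string
            "client": g["client"],
            "ident": g["ident"],
            "user": g["user"],
            "method": g["method"],
            "url": g["url"],
            "http_version": g["version"],
            "http_status": int(g["http_status"]),
            "bytes": int(g["bytes"]),
            "squid_status": g["squid_status"],
            "hierarchy": g["hier"],
        }
    # The header fields exist only in the "with header" variants.
    rec["request_headers"] = parse_header_block(g["req_hdr"]) if g["req_hdr"] is not None else None
    rec["reply_headers"] = parse_header_block(g["rep_hdr"]) if g["rep_hdr"] is not None else None
    return rec


# Constructed sample lines (not taken from a real proxy).
NATIVE_WITH_HEADER = (
    "1700000000.123    245 10.0.0.5 TCP_MISS/200 5123 GET http://example.com/index.html "
    "- HIER_DIRECT/93.184.216.34 text/html "
    "[Host: example.com%0d%0aUser-Agent: curl/8.0%0d%0a] [Content-Type: text/html%0d%0a]"
)
NATIVE_NO_HEADER = (
    "1700000000.123    245 10.0.0.5 TCP_MISS/200 5123 GET http://example.com/index.html "
    "- HIER_DIRECT/93.184.216.34 text/html"
)
HTTPD_WITH_HEADER = (
    '10.0.0.5 - - [14/Nov/2023:22:13:20 +0000] "GET http://example.com/index.html HTTP/1.1" '
    "200 5123 TCP_MISS:HIER_DIRECT [Host: example.com] [Content-Type: text/html]"
)

if __name__ == "__main__":
    for sample in (NATIVE_WITH_HEADER, NATIVE_NO_HEADER, HTTPD_WITH_HEADER):
        print(parse_squid_line(sample))
```

Run it against a few lines of your own access.log before shipping to the LCP: a None result means the line was not produced by one of the three logformat strings above (for example because the default squid format is still active), which is exactly the case the collector would also fail on.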
II. Initialize the cache.
To initialize the cache, follow the steps below.
1. Log in to the Squid Web Proxy Cache server.
2. At a command prompt, type the command: squid -z
Log configuration via NXLog Agent for Squid server.
Currently only the NXLog agent is supported. Support for Logstash and other log forwarding agents is planned.
Click any one of the below options according to the Squid server OS and versions.
Log Configuration via NXLog Agent for Squid server - CentOS 6
Log Configuration via NXLog Agent for Squid server - CentOS 7
Log Configuration via NXLog Agent for Windows Squid server
Log Configuration via NXLog Agent for Squid server - Ubuntu v20.04
Log Configuration via NXLog Agent for Squid server - CentOS 6
(i) Non TLS TCP log flow on port 10013
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download (there are a few dependencies that you need to install before nxlog can be installed on the machine).
2. For the Linux agent, after installation go to the installed location "/etc/nxlog.conf". Rename the attached SQUID_CENTOS_6 file to "nxlog.conf" and copy it into this folder.
3. Replace "lcpIp" with the actual LCP IP address in nxlog.conf.
4. Change the access.log file location on line 24.
5. Now start the nxlog service using the command below:
   service nxlog start
6. NXLog agent logs will be available at "/var/log/nxlog.log".
(ii) TLS TCP log flow on port 10014
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download.
Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.
2. Place the certificate obtained from the MDR onboarding team on the Squid server at your desired location.
3. Go to the installed nxlog location "/etc/nxlog.conf". Rename the attached "SQUID_CENTOS_6(TLS).conf" file to "nxlog.conf" and copy it into this folder.
4. Replace "lcpIp" with the actual LCP IP address in nxlog.conf.
5. Change the access.log file location against "File".
6. Provide the certificate path against "CAFile" in "nxlog.conf".
Note: Please specify the complete path with the file name.
Example: /tmp/cert.pem
7. Now start the nxlog service using the command below:
   service nxlog start
8. NXLog agent logs will be available at "/var/log/nxlog.log".
9. Log flow should now work; you can verify it with tcpdump using the command "tcpdump -AA port 10014".
Steps to configure on Squid Server to create replica of log file and maintain it - CentOS 6
1. Connect to the Squid server using SSH as the root user.
2. Add the configuration below to /etc/logrotate.d/squid:
/tmp/*.log {
    daily
    compress
    delaycompress
    rotate 5
    missingok
    nocreate
    sharedscripts
    postrotate
    test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate 2>/dev/null
    chown root:root /tmp/access.log
    chmod 777 /tmp/access.log
    service nxlog restart
    endscript
}
3. Add the following log location configuration to /etc/squid/squid.conf:
access_log /tmp/access.log squid
4. Restart Squid: service squid restart
Log Configuration viaĀ NXLog Agent for Squid server - CentOS 7
(i) Non TLS TCP log flow on port 10013
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download.
2. Go to the installed nxlog location "/etc/nxlog.conf". Rename the attached "SQUID_CENTOS_7" file to "nxlog.conf" and copy it into this folder.
3. Replace "lcpIp" with the actual LCP IP address in nxlog.conf.
4. Change the access.log file location against "File".
5. Now start the nxlog service using the command below:
   systemctl start nxlog
6. NXLog agent logs will be available at "/var/log/nxlog.log".
(ii) TLS TCP log flow on port 10014
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download.
Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.
2. Place the certificate obtained from the MDR onboarding team on the Squid server at your desired location.
3. Go to the installed location "/etc/nxlog.conf". Rename the attached SQUID_CENTOS_7(TLS).conf file to "nxlog.conf" and copy it into this folder.
4. Replace "lcpIp" with the actual LCP IP address in nxlog.conf.
5. Change the access.log file location against "File".
6. Provide the certificate path against "CAFile" in "nxlog.conf".
Note: Please specify the complete path with the file name.
Example: /tmp/cert.pem
7. Now start the nxlog service using the command below:
   systemctl start nxlog
8. NXLog agent logs will be available at "/var/log/nxlog.log".
Steps to configure on Squid Server to create replica of log file and maintain it - CentOS 7
1. Connect to the Squid server using SSH as the root user.
2. Add the configuration below to /etc/logrotate.d/squid (the postrotate keyword that opens the script block is required; without it the endscript line is invalid):
/tmp/*.log {
    su root root
    daily
    compress
    delaycompress
    rotate 5
    missingok
    nocreate
    sharedscripts
    postrotate
    test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate 2>/dev/null
    chown root:root /tmp/access.log
    chmod 777 /tmp/access.log
    systemctl restart nxlog
    endscript
}
3. Add the following log location configuration to /etc/squid/squid.conf:
access_log /tmp/access.log squid
4. Restart Squid: systemctl restart squid
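The replica stanzas in the CentOS 6 and CentOS 7 steps above share two properties a reviewer should look at before deploying them: the glob /tmp/*.log rotates every .log file in /tmp, not just the Squid replica, and chmod 777 leaves the replica writable by every local account, which is the file the LCP treats as evidence. As an added example (not code from this guide or from logrotate), the following Python audit parses a stanza, checks that postrotate/endscript are balanced, and flags wildcard patterns and world-writable chmod commands. GUIDE_STANZA is the CentOS 6 stanza as given above; HARDENED_STANZA is an assumed variant that presumes the NXLog agent runs as a user named "nxlog" and narrows the file to root:nxlog 640; BROKEN_STANZA is a constructed stanza whose postrotate line is missing.

```python
"""Audit a logrotate stanza for the replicated Squid access log.

Added example, not part of the original guide. HARDENED_STANZA assumes the NXLog
agent runs as the "nxlog" user; check the actual service account before using it.
"""
import re

# The stanza exactly as the guide gives it for CentOS 6.
GUIDE_STANZA = """\
/tmp/*.log {
    daily
    compress
    delaycompress
    rotate 5
    missingok
    nocreate
    sharedscripts
    postrotate
    test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate 2>/dev/null
    chown root:root /tmp/access.log
    chmod 777 /tmp/access.log
    service nxlog restart
    endscript
}
"""

# Assumed tighter variant: one explicit file, readable by the nxlog group only.
HARDENED_STANZA = """\
/tmp/access.log {
    daily
    compress
    delaycompress
    rotate 5
    missingok
    nocreate
    postrotate
    test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate 2>/dev/null
    chown root:nxlog /tmp/access.log
    chmod 640 /tmp/access.log
    service nxlog restart
    endscript
}
"""

# Constructed: a stanza whose postrotate keyword was lost, leaving a bare endscript.
BROKEN_STANZA = """\
/tmp/*.log {
    daily
    chmod 777 /tmp/access.log
    endscript
}
"""

STANZA_RE = re.compile(r"\s*(?P<path>\S+)\s*\{(?P<body>.*)\}\s*$", re.S)


def parse_stanza(text):
    """Split one stanza into (path pattern, directive names, postrotate commands, (opens, closes))."""
    m = STANZA_RE.match(text)
    if not m:
        raise ValueError("not a logrotate stanza")
    directives, script = [], []
    in_script = False
    opened = closed = 0
    for raw in m.group("body").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "postrotate":
            in_script, opened = True, opened + 1
        elif line == "endscript":
            in_script, closed = False, closed + 1
        elif in_script:
            script.append(line)
        else:
            directives.append(line.split()[0])
    return m.group("path"), directives, script, (opened, closed)


def audit_logrotate(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    path, directives, script, (opened, closed) = parse_stanza(text)
    findings = []
    if opened != closed:
        findings.append("postrotate/endscript are unbalanced")
    wildcard = any(ch in path for ch in "*?[")
    if wildcard:
        findings.append(f"wildcard pattern {path} rotates every matching file, not only the Squid replica")
        if "sharedscripts" not in directives:
            findings.append("wildcard without sharedscripts: postrotate runs once per matched file")
    for cmd in script:
        m = re.match(r"chmod\s+([0-7]{3,4})\s+(\S+)", cmd)
        if m and int(m.group(1), 8) & 0o002:  # 'other' write bit set
            findings.append(f"{m.group(2)} becomes world-writable (chmod {m.group(1)})")
    return findings


if __name__ == "__main__":
    for name, stanza in (("guide", GUIDE_STANZA), ("hardened", HARDENED_STANZA), ("broken", BROKEN_STANZA)):
        print(name, audit_logrotate(stanza) or "no findings")
```

The audit reads a stanza from text, so it can be pointed at /etc/logrotate.d/squid with open().read() on the proxy host. The hardened variant only works if the nxlog process really runs as a member of the nxlog group; if the agent runs as root (the default on several distributions) the chown target can stay root:root and the mode can still drop to 640.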
Log Configuration via NXLog Agent for Windows Squid server
(i) Non TLS TCP log flow on port 10013
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download.
2. Go to services.msc and stop the nxlog service.
3. Go to "C:\Program Files (x86)\nxlog\data" and delete "configcache.dat".
4. Go to the installed location "C:\Program Files (x86)\nxlog\conf" and rename the attached "SQUID_WIN.conf" file to "nxlog.conf" and copy it into this folder.
5. Replace "LCP_IP_Address" with the actual LCP IP address in nxlog.conf.
6. The Squid log location needs to be specified on line 31 against "File".
7. Now start the nxlog service from services.msc.
8. NXLog agent logs will be available at "C:\Program Files (x86)\nxlog\data\nxlog.log".
(ii) TLS TCP log flow on port 10014
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download.
2. Go to services.msc and stop the nxlog service.
Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.
3. Place the certificate obtained from the MDR onboarding team on the Squid server at your desired location.
4. Go to the folder "C:\Program Files (x86)\nxlog\data" and delete "configcache.dat".
5. Go to the installed location "C:\Program Files (x86)\nxlog\conf" and rename the attached "SQUID_WIN(TLS).conf" file to "nxlog.conf" and copy it into this folder.
6. Replace "LCP_IP_Address" with the actual LCP IP address in nxlog.conf. Refer to Figure 1-1.
7. The Squid log location needs to be specified on line 31 against "File".
8. Provide the certificate path against "CAFile" in "nxlog.conf".
Note: Please specify the complete path of the Squid log and of the certificate, including the file name.
Example - Squid log location: C:\\Squid\\var\\log\\squid\\access.log
Example - Certificate location: C:\Program Files (x86)\nxlog\cert\cert.pem
9. Now start the nxlog service from services.msc.
10. NXLog agent logs will be available at "C:\Program Files (x86)\nxlog\data\nxlog.log".
Log Configuration via NXLog Agent for Squid server - Ubuntu v20.04
(i) Non TLS TCP log flow on port 10013
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download (there are a few dependencies that you need to install before nxlog can be installed on the machine).
2. For the Linux agent, after installation go to the installed location "/etc/nxlog.conf". Rename the attached "SQUID_UBUNTU_20.04" file to "nxlog.conf" and copy it into this folder.
3. Replace "lcpIp" with the actual LCP IP address in nxlog.conf.
4. Change the access.log file location on line 24, for example "/var/log/squid/access.log".
5. Allow the nxlog service to access the Squid access.log file.
Code Block
6. Now start the nxlog service using the command below:
   systemctl start nxlog
7. NXLog agent logs will be available at "/var/log/nxlog/nxlog.log".
8. Restart the Squid service using the command below.
Code Block
(ii) TLS TCP log flow on port 10014
1. Download and install the NXLog agent from https://nxlog.co/products/nxlog-community-edition/download.
Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.
2. Place the certificate obtained from the MDR onboarding team on the Squid server at your desired location.
3. For the Linux agent, go to the installed nxlog location "/etc/nxlog.conf". Rename the attached "SQUID_UBUNTU_20.04(TLS)" file to "nxlog.conf" and copy it into this folder.
4. Replace "lcpIp" with the actual LCP IP address in nxlog.conf.
5. Change the access.log file location against "File", for example "/var/log/squid/access.log".
6. Provide the certificate path against "CAFile" in "nxlog.conf".
Note: Please specify the complete path with the file name.
Example: /tmp/cert.pem
7. Allow the nxlog service to access the Squid access.log file.
Code Block
8. Now start the nxlog service using the command below:
   systemctl start nxlog
9. NXLog agent logs will be available at "/var/log/nxlog/nxlog.log".
10. Restart the Squid service using the command below.
Code Block
LCP Configuration Parameters
Table 1-2: Squid Web Proxy TCP event collector (Syslog - 3877) properties to be configured by MDR.
Property | Default Value | Description |
Protocol | TCP | The default protocol for syslog. |
IP Address | Squid Web Proxy interface IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture Security MDR onboarding team. |
Port Number | TCP/10013, TCP/10014 | The default port numbers for syslog. Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture Security MDR onboarding team if this is a requirement. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.