Accenture MDR Quick Start Guide for Squid Web Proxy (TCP)

This quick start guide will help Accenture MDR customers configure Squid Web Proxy to send logs to the Log collection Platform (LCP).

The guide details the standard configuration processes for the NxLog agent to send Squid Web Proxy logs over TCP to the LCP.

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture Security Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal - https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Configuring Squid Web Proxy

To configure the Squid Web Proxy Cache, follow the steps below.

I. Edit the squid.conf file.

Cache requires access to logs written in the httpd common log format. By default, this format is enabled. If this format is not enabled, you must edit the squid.conf file.

 To edit the squid.conf file, follow the steps below.

1. Log in to the Squid Web Proxy Cache computer.

2. Based on the operating system used, navigate to the following directory

   1. For UNIX: /etc/squid/

      For Windows: \Squid\etc\squid\

3. Use a text editor, such as vi on UNIX or Notepad on Windows, to edit the squid.conf file.

4. Define Log format by adding the following commands at the end of the squid.conf configuration file.

   1. To generate logs in native format, add any one of the following lines.

      1. Native log file format with header:

         Code Block

         logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]

          

      2. Native log file format without header:

         Code Block

         logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

          

   2. To generate logs in httpd log format, add following line.
      
      

      1. Httpd log file format with header:

         Code Block

         logformat squid %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh [%>h] [%<h]

          

5. After defining log format, kindly append the following configuration line below that. 

   1. For Unix -

      Code Block

       

   2. For Windows -

      Code Block

       

6. Save and close the squid.conf file.

II. Initialize the cache.

To initialize the cache, follow the steps below.

1. Login to the Squid Web Proxy Cache server.

2. At a command prompt, type the command: squid -z

Log configuration via NXLog Agent for Squid server.

For now we are supporting nxlog agent. In future we will be supporting the logstash and other log forwarding agents.

Click any one of the below options according to the Squid server OS and versions.

• Log Configuration via NXLog Agent for Squid server CentOS 6

• Log Configuration via NxLog Agent for Squid server CentOS 7

• Log Configuration via NxLog Agent for Windows Squid server

• Log Configuration via NXLog Agent for Squid server - Ubuntu v20.04

• Click for NON-TLS TCP setup

• Click for TLS TCP setup

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download  (There are few dependencies that you need to install and then you can install nxlog on machine.)

2. For Linux Agent , After installation go to installed location “/etc/nxlog.conf”. Rename attached SQUID_CENTOS_6   to "nxlog.conf" and copy into this folder

Open

3. Replace “lcpIp” with actual LCP IP in nxlog.conf

Open

4. Change access.log file location on line 24.

Open

5. Now start the nxlog service using below command

6. NxLog agent logs will be available at location "/var/log/nxlog.log"

​

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download.

 Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.

2. Place the certificate in the squid server which is obtained from the MDR onboarding team at your desired location.

3. Go to installed nxlog location “/etc/nxlog.conf”. Rename the attached "SQUID_CENTOS_6(TLS).conf" file to "nxlog.conf" and copy into this folder.

Open

4. Replace “lcpIp” with actual LCP IP address in nxlog.conf.

5. Change access.log file location against "File".

6. Provide the certificate path against "CAFile" in the "nxlog.conf".

 Note: Please specify the complete path with the file name. 

Example: \tmp\cert.pem

 7. Now start the nxlog service using below command

8. NxLog agent logs will be available at location "/var/log/nxlog.log"

9. Log flow should work and you can check on tcpdump using command "tcpdump –AA port 10014"

Steps to configure on Squid Server to create replica of log file and maintain it - CentOS 6

1.Connect to Squid Server using SSH as a root user

2. Add below configuration in /etc/logrotate.d/squid

/tmp/*.log {

        daily

        compress

        delaycompress

        rotate 5

        missingok

        nocreate

        sharedscripts

        postrotate

       test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate 2>/dev/null

        chown root:root /tmp/access.log

        chmod 777 /tmp/access.log

        service nxlog restart

        endscript

}

3. Also need to add following log location configuration in /etc/squid/squid.conf

access_log /tmp/access.log squid

4. service squid restart

• Click for Non-TLS TCP setup

• Click for TLS TCP setup

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download.

2. Go to installed Nxlog location “/etc/nxlog.conf”. Rename the attached "SQUID_CENTOS_7" file to "nxlog.conf" and copy into this folder.

Open

3. Replace “lcpIp” with actual LCP IP address in nxlog.conf. 

4. Change access.log file location against "File".

5. Now start the nxlog service using below command

6. NxLog agent logs will be available at location "/var/log/nxlog.log"

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download.

 Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.

  2. Place the certificate in the squid server which is obtained from the MDR onboarding team at your desired location.

3. Go to installed location “/etc/nxlog.conf”. Rename the attached SQUID_CENTOS_7(TLS).conf file to "nxlog.conf" and copy into this folder

Open

4. Replace “lcpIp” with actual LCP IP address in nxlog.conf . 

5. Change access.log file location against "File".

6. Provide the certificate path against "CAFile" in the "nxlog.conf".

 Note: Please specify the complete path with the file name. 

Example: \tmp\cert.pem

 7. Now start the nxlog service using below command

8. NxLog agent logs will be available at location "/var/log/nxlog.log"

Steps to configure on Squid Server to create replica of log file and maintain it - CentOS 7

1.Connect to Squid Server using SSH as a root user

2.Add below configuration in /etc/logrotate.d/squid

/tmp/*.log {

        su root root

        daily

        delaycompress

test ! -e /var/run/squid.pid || test ! -x /usr/sbin/squid || /usr/sbin/squid -k rotate 2>/dev/null

        chown root:root /tmp/access.log

        chmod 777 /tmp/access.log

        systemctl restart nxlog

        endscript

}

3.Also need to add following log location configuration in /etc/squid/squid.conf

access_log /tmp/access.log squid

4.systemctl restart squid

• Click for Non-TLS TCP setup

• Click for TLS TCP setup

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download

2. Go to services.msc and stop the nxlog service.

3. Go to "C:\Program Files (x86)\nxlog\data" and delete "configcache.dat".

4. Go to installed location “C:\Program Files (x86)\nxlog\conf” and rename the attached "SQUID_WIN.conf" file to "nxlog.conf" and copy into this folder.

Open

5. Replace “LCP_IP_Address” with actual LCP IP address in nxlog.conf.

6. Squid Log location needs to be mentioned on line 31 against "File".

7. Now start the nxlog service from services.msc.

8. NxLog agent logs will be available at location "C:\Program Files (x86)\nxlog\data\nxlog.log".

​​

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download

2. Go to services.msc and stop the nxlog service.

 Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.

 3. Place the certificate in the squid server which is obtained from the MDR onboarding team at your desired location.

4. Go to folder "C:\Program Files (x86)\nxlog\data" and delete "configcache.dat".

5. Go to installed location “C:\Program Files (x86)\nxlog\conf” and rename the attached "SQUID_WIN(TLS).conf" file to "nxlog.conf" and copy into this folder.

Open

6. Replace “LCP_IP_Address” with actual LCP IP address in nxlog.conf. Refer the Figure1-1.

7. Squid LOG location needs to be mentioned on line 31 against "File".

8. Provide the certificate path against "CAFile" in the "nxlog.conf".

 Note: Please specify the complete path of Squid log and the certificate with the file name

Example -Squid LOG location  : C:\\Squid\\var\\log\squid\\access.log

Example- Certificate location :  C:\Program Files (x86)\nxlog\cert\cert.pem

1. Now start the nxlog service from services.msc.

2. NxLog agent logs will be available at location "C:\Program Files (x86)\nxlog\data\nxlog.log".

• Click for NON-TLS TCP setup

• Click for TLS TCP setup

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download  (There are few dependencies that you need to install and then you can install nxlog on machine.)

2. For Linux Agent , After installation go to installed location “/etc/nxlog.conf”. Rename attached “SQUID_UBUNTU_20.04” to "nxlog.conf" and copy into this folder.

Open

3. Replace “lcpIp” with actual LCP IP in nxlog.conf

4. Change access.log file location on line 24 such as “/var/log/squid/access.log”

5. Allow nxlog service to access squid access.log file.

6. Now start the nxlog service using below command

7. NxLog agent logs will be available at location "/var/log/nxlog/nxlog.log"

8. Restart Squid Service by following the below command. 

​

1. Download and Install NxLog agent from location https://nxlog.co/products/nxlog-community-edition/download .

 Note: Please contact the Accenture Security MDR onboarding team to obtain the certificate.

2. Place the certificate in the squid server which is obtained from the MDR onboarding team at your desired location.

3. For Linux Agent, Go to installed nxlog location “/etc/nxlog.conf”. Rename the attached “SQUID_UBUNTU_20.04(TLS)” file to "nxlog.conf" and copy into this folder.

Open

4. Replace “lcpIp” with actual LCP IP address in nxlog.conf.

5. Change access.log file location against "File" such as “/var/log/squid/access.log”

6. Provide the certificate path against "CAFile" in the "nxlog.conf".

 Note: Please specify the complete path with the file name. 

Example: \tmp\cert.pem

7. Allow nxlog service to access squid access.log file.

8. Now start the nxlog service using below command

9. NxLog agent logs will be available at location "/var/log/nxlog/nxlog.log"

10. Restart Squid Service by following the below command. 

Code Block

LCP Configuration Parameters

Table 1-2: The Squid Web Proxy TCP event collector (Syslog - 3877)properties to be configured by MDR are in table