Step‑by‑Step Guide to Install and Configure SARG for Squid Proxy Log Analysis

This tutorial walks you through installing the GD library, building SARG from source, configuring its key parameters, running reports, using command‑line options, scheduling automated jobs with cron, and troubleshooting common installation and configuration issues for Squid log analysis.

ITPUB

After introducing Squid proxy basics in a previous article, this guide presents SARG (Squid Analysis Report Generator), an open‑source tool that parses Squid access logs and produces HTML reports showing visited sites, bandwidth usage, and user activity.

1. Deploying SARG

Install GD library

# yum -y install gd gd-devel

Install SARG

# mkdir /usr/local/sarg
# cd /usr/local/sarg/
# tar zxf sarg-2.3.7.tar.gz
# cd sarg-2.3.7
# ./configure --prefix=/usr/local/sarg/ --sysconfdir=/etc/sarg --enable-extraprotection && make && make install

Key configuration flags:

--sysconfdir=/etc/sarg: directory for configuration files

--enable-extraprotection: builds SARG with additional compile-time and run-time protection options

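Sample sarg.conf settings (the leading number is the line in sarg.conf; the text after // is an annotation, not part of the file)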

# vi /etc/sarg/sarg.conf
7   access_log /usr/local/squid/var/logs/access.log   // Squid access log path
25  title "Squid User Access Reports"               // Web page title
120 output_dir /var/www/html/sarg                  // Report output directory
178 user_ip no                                       // Show user IDs in reports instead of IP addresses
184 topuser_sort_field connect reverse               // Sort top users by connections descending
190 user_sort_field connect reverse                 // Sort per‑user records
206 exclude_hosts /usr/local/sarg/noreport           // Hosts excluded from ranking
257 overwrite_report no                              // Do not overwrite existing reports
289 mail_utility mailq.postfix                       // Command to send mail reports
434 charset UTF-8                                    // Character set
518 weekdays 0-6                                     // Weekday range for top sorting (0 = Sunday)
525 hours 9-12,14-16,18-20                           // Time periods for top sorting
633 www_document_root /var/www/html                  // Web root directory

Running SARG

Create the exclude‑hosts file, link the sarg binary into /usr/local/bin, and generate the first report:

# touch /usr/local/sarg/noreport
# ln -s /usr/local/sarg/bin/sarg /usr/local/bin/
# sarg

2. SARG command‑line options

-a: specify hostnames or IPs to exclude from ranking

-b: output user‑agent log file

-c: set custom exclude‑hosts list file

-d: define date range

-e: set report recipient email

-f: specify configuration file

-g: define input date format

-h: display help information

-i: choose sorting by username or IP address

-l: absolute path to Squid log file

-o: output path for HTML reports (run as non‑admin user)

-p: use IP address as userid domain

-w: temporary directory (ensure >1 GB free space)

3. Scheduling with cron

Example daily script (daily.sh) to generate a report for the previous day:

# vim /usr/local/sarg/daily.sh
#!/bin/bash
# Report range in the dd/mm/yyyy-dd/mm/yyyy form that sarg -d expects.
TODAY=$(date +%d/%m/%Y)
YESTERDAY=$(date --date "1 day ago" +%d/%m/%Y)
# Call sarg through the symlink created earlier; -l is the access_log path from sarg.conf.
/usr/local/bin/sarg -l /usr/local/squid/var/logs/access.log -o /var/www/html/sarg -z -d "$YESTERDAY-$TODAY" &> /dev/null
exit 0
# chmod +x /usr/local/sarg/daily.sh
# crontab -e
00 00 * * * /usr/local/sarg/daily.sh
# chkconfig crond on

Similar scripts can be adapted for weekly, monthly, or email‑based reports.
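The daily script generalized to the weekly and monthly reports mentioned above, as an added example that is not from the original article: sarg_range builds the -d argument from complete days only (so the daily range is yesterday alone, not yesterday to today), and run_report keeps sarg's errors instead of sending them to /dev/null. It assumes GNU date; the function names, the report.sh file name and the /var/log/sarg-cron.log path are hypothetical.

```shell
#!/bin/bash
# Added example (hypothetical /usr/local/sarg/report.sh), not the article's code.
# Requires GNU date, which the article's daily.sh already relies on.

# sarg_range PERIOD [YYYY-MM-DD]
# Prints the sarg -d argument (dd/mm/yyyy-dd/mm/yyyy) for the last complete
# day, week (Monday to Sunday) or month before the reference date (default: today).
sarg_range() {
    local period="$1" ref="${2:-$(date +%F)}" start end dow
    # Reject anything that is not a real calendar date before it reaches sarg.
    ref=$(date -d "$ref" +%F 2>/dev/null) || { echo "bad date: $2" >&2; return 2; }
    case "$period" in
        daily)
            start=$(date -d "$ref -1 day" +%F)
            end=$start ;;
        weekly)
            dow=$(date -d "$ref" +%u)              # 1 = Monday ... 7 = Sunday
            end=$(date -d "$ref -$dow day" +%F)    # last Sunday before ref
            start=$(date -d "$end -6 day" +%F) ;;  # the Monday of that week
        monthly)
            end=$(date -d "$(date -d "$ref" +%Y-%m-01) -1 day" +%F)
            start=$(date -d "$end" +%Y-%m-01) ;;
        *)
            echo "usage: sarg_range daily|weekly|monthly [YYYY-MM-DD]" >&2
            return 2 ;;
    esac
    printf '%s-%s\n' "$(date -d "$start" +%d/%m/%Y)" "$(date -d "$end" +%d/%m/%Y)"
}

# run_report PERIOD
# Runs sarg with the paths used in this article. stderr goes to a log file
# (hypothetical path) and the exit status is returned, so a failed run is
# visible instead of being hidden by "&> /dev/null" and "exit 0".
run_report() {
    local range
    range=$(sarg_range "$1") || return
    /usr/local/bin/sarg -l /usr/local/squid/var/logs/access.log \
        -o /var/www/html/sarg -d "$range" 2>>/var/log/sarg-cron.log
}

# Only run sarg when a period is given, e.g. from cron: report.sh weekly
if [ "$#" -gt 0 ]; then
    run_report "$1"
fi
```

A crontab entry such as 10 00 * * 1 /usr/local/sarg/report.sh weekly would then produce the report for the week that ended on Sunday.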

4. Common issues and fixes

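RPM installation failures – add --force --nodeps to the rpm -ivh command to ignore dependency checks. Because --nodeps skips dependency resolution, install any missing libraries (such as gd) afterwards, or the sarg binary may fail at run time.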

"Unknown sort order 'BYTES' for parameter 'topuser_sort_field'" – edit sarg.conf line 184 to remove the word BYTES, leaving topuser_sort_field connect reverse, then rerun sarg.

Written by

ITPUB
