#147 Denied report not produced because it is empty

open
nobody
None
5
2012-12-19
2012-06-26
she1123
No

Compiled version sarg-2.3.3-pre1 May-21-2012

Denied report not generated. I have it set to generate all reports in the config. Only "Top sites" and "Sites and users" appear. On a users page it does show "DENIED" by the corresponding entries.

If I run sarg -x -z it reports:
"SARG: TAG: report_type topusers topsites sites_users users_sites date_time denied auth_failures site_user_time_date downloads"
...
"SARG: (info) Denied report not produced because it is empty"

Thanks
She1123

Discussion

  • she1123

    she1123 - 2012-06-26

    Ok, I've generated more traffic through Squid now and the "Denied" report is showing. It's missing some stuff though. For example, this entry from the access.log isn't reported?

    1340730527.847 0 192.168.1.4 TCP_DENIED/302 375 GET http://www.bbc.co.uk/something - NONE/- text/html

     
  • she1123

    she1123 - 2012-06-26

    I have found ticket 3030992 too and I can't see how it's that.

    In the config I've upped it in case:
    denied_report_limit 100

    The highest count on that page is a host with 11 entries. The one I'm testing with only has 2 but should have a good couple more. Denied page just doesn't seem to be updating from the first time it did?

     
  • she1123

    she1123 - 2012-06-26

    Right, nailed it! Is this really intended behaviour though? If I put in a failure URL in Squid against a denied ACL it does not show up on the denied list. It is in the access log as http code 302, redirected. I assume this is why. If I remove the failure URL from the config so that it uses the Squid built-in one, it's a http error 403, access denied, in the access log. The general user log understands it is a denied page though still. So why doesn't the dedicated denied page? :)

     
  • Frederic Marchal

    A user's entry is reported as denied if the status code of the HTTP request is not OK. Therefore, a redirection is flagged as "denied" along with any 20x (with x>0) or 30x. I admit it's a bit unclear and misleading as any non OK status is said to be denied...

    As you have guessed, a 302 status code is not an error and should not show up in the denied report. I have no better solution to offer. Servers send legitimate redirections. They must not be reported as denied accesses. Is there anything in your sample log that could be used to distinguish a genuine redirection that eventually succeeds from a squid redirection resulting from a denied access?

     
  • she1123

    she1123 - 2012-06-28

    Hi Frederic

    I understand how a 302 can and often is used by web sites genuinely, so fair enough.

    The log from Squid does distinguish though:

    1340882247.933 0 192.168.1.100 TCP_DENIED/403 2711 GET http://www.bbc.co.uk/somepage - NONE/- text/html
    1340885487.974 0 192.168.1.100 TCP_DENIED/302 381 GET http://www.bbc.co.uk/somepage - NONE/- text/html

    This is a test I did. On the first entry it is not using a custom failure URL so issuing a 403. The 2nd line with a 302 is after I added a custom failure URL to that ACL and is redirecting. Both contain "TCP_DENIED" though as access has been denied :)

    Thanks
    She1123
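
The distinction raised in this thread, as an added example that is not part of the ticket and is not sarg's code: it classifies Squid native-format access.log lines by the Squid result tag instead of the HTTP status alone, so a `TCP_DENIED/302` counts as denied while a redirect from an origin server does not. The function names, the verdict labels, the separate handling of `TCP_DENIED/407` (Squid's proxy-authentication challenge) and the fourth sample line are assumptions added here.

```python
import re

# Squid native access.log: time elapsed client tag/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)"
)

# The first three lines are quoted from the ticket; the last one is constructed
# to stand for a genuine redirection sent by an origin server.
SAMPLE_LOG = """\
1340730527.847 0 192.168.1.4 TCP_DENIED/302 375 GET http://www.bbc.co.uk/something - NONE/- text/html
1340882247.933 0 192.168.1.100 TCP_DENIED/403 2711 GET http://www.bbc.co.uk/somepage - NONE/- text/html
1340885487.974 0 192.168.1.100 TCP_DENIED/302 381 GET http://www.bbc.co.uk/somepage - NONE/- text/html
1340885500.120 85 192.168.1.100 TCP_MISS/302 512 GET http://example.test/old - DIRECT/192.0.2.10 text/html
"""

def classify(line):
    """Return (client, url, verdict) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    status = int(m["status"])
    if "DENIED" in m["tag"].split("_"):
        # Squid itself refused the request; the status only says how it answered
        # (403 built-in error page, 302 custom failure URL, 407 auth challenge).
        verdict = "auth_challenge" if status == 407 else "denied"
    elif 300 <= status < 400:
        verdict = "redirect"      # redirection relayed from the origin server
    elif status >= 400:
        verdict = "http_error"    # origin or gateway error, not an ACL denial
    else:
        verdict = "ok"
    return m["client"], m["url"], verdict

def denied_report(log_text):
    """Count ACL-denied requests per (client, url)."""
    counts = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2] == "denied":
            counts[parsed[:2]] = counts.get(parsed[:2], 0) + 1
    return counts

if __name__ == "__main__":
    for (client, url), n in sorted(denied_report(SAMPLE_LOG).items()):
        print(client, url, n)
```
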

     
