Thanks again for the explanation
I'm not changing the raw squid log, only the normalised event. I'm simply
pulling out the url host (the FQDN) from the URL as my SIEM agent doesn't
natively understand how to parse these CONNECT messages. It doesn't matter
to me if CONNECT requests are not always
On 10/04/2017 1:36 p.m., daveh wrote:
> Thanks for the reply.
>
> I'm parsing squid logs to send to a SIEM to identify IOCs. The SIEM agent
> requires a URL to be formatted with http|https://
>
> It knows then that it can break the string out into various components such
> as request URL authority
Thanks for the reply.
I'm parsing squid logs to send to a SIEM to identify IOCs. The SIEM agent
requires a URL to be formatted with http|https://
It knows then that it can break the string out into various components such
as request URL authority, host etc
Your comment on logging https connection
On 5/04/2017 6:00 p.m., daveh wrote:
> Hi squid users
>
> Is there any way to change the request url log format for HTTPS messages?
>
> I am using %ru to pull out the URL. When we get https connections, we see
> the url logged as www.microsoft.com:443
You are assuming that URI means HTTPS. It
Hi squid users
Is there any way to change the request url log format for HTTPS messages?
I am using %ru to pull out the URL. When we get https connections, we see
the url logged as www.microsoft.com:443
is there any way to reformat the log message to remove the appended port? or
to go further a
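The normalisation the thread is circling around (leaving the raw squid log alone and only rewriting the SIEM's event so that a CONNECT target such as `www.microsoft.com:443` becomes a host, a port and an `http|https://`-style URL) is shown here as an added example. It is not code from any of the posters or from the Squid project; the log lines are constructed in the native squid format, and the choice to label only port 443 tunnels as `https://` and everything else as `tcp://` is an assumption of this example, reflecting the point made in the thread that a CONNECT request only tells you a tunnel was asked for, not what protocol ran inside it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log format (not taken from the thread).
# Fields: timestamp elapsed client action/status bytes method url ident hierarchy/peer content-type
SAMPLE_LOG = """\
1491372013.123    245 192.0.2.10 TCP_TUNNEL/200 5123 CONNECT www.microsoft.com:443 - HIER_DIRECT/203.0.113.20 -
1491372014.456     89 192.0.2.10 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/203.0.113.34 text/html
1491372015.789     12 192.0.2.11 TCP_TUNNEL/200 640 CONNECT mail.example.net:8443 - HIER_DIRECT/198.51.100.7 -
1491372016.001      5 192.0.2.12 TCP_DENIED/403 3400 CONNECT [2001:db8::1]:443 - HIER_NONE/- text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_authority(authority):
    """Split a CONNECT target ('host:port' or '[v6-literal]:port') into (host, port).

    The port is an int, or None when absent. Splitting on the *last* colon keeps
    bracketed IPv6 literals intact instead of cutting them at their first colon.
    """
    if authority.startswith("["):
        end = authority.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {authority!r}")
        host, rest = authority[1:end], authority[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after IPv6 literal: {authority!r}")
        return host, int(rest[1:])
    host, sep, port = authority.rpartition(":")
    if not sep:
        return authority, None
    return host, int(port)


def normalise_event(line):
    """Parse one native-format squid line into a flat event dict for the SIEM.

    The raw line is kept untouched under 'raw'; only the derived fields are added.
    """
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised squid log line: {line!r}")
    f = m.groupdict()
    action, _, status = f["result"].partition("/")
    event = {
        "raw": line,
        "client": f["client"],
        "action": action,
        "status": int(status),
        "method": f["method"],
        "tunnel": f["method"] == "CONNECT",
    }
    if event["tunnel"]:
        # %ru for CONNECT is just 'host:port'; there is no scheme or path to parse.
        host, port = split_authority(f["url"])
        # Assumption of this example: only a 443 tunnel is labelled https; the
        # CONNECT itself does not prove TLS, so other ports get a neutral scheme.
        scheme = "https" if port == 443 else "tcp"
        literal = f"[{host}]" if ":" in host else host
        event.update(url_scheme=scheme, url_host=host, url_port=port,
                     url=f"{scheme}://{literal}:{port}/")
    else:
        parts = urlsplit(f["url"])
        event.update(url_scheme=parts.scheme, url_host=parts.hostname,
                     url_port=parts.port or DEFAULT_PORTS.get(parts.scheme),
                     url=f["url"])
    return event


def parse_log(text):
    """Normalise every non-empty line of an access.log excerpt."""
    return [normalise_event(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["method"], ev["url_host"], ev["url_port"], ev["url"])
```

Because the derived URL for a tunnel is synthetic, the `tunnel` flag travels with the event so that detection content matching on `https://` can tell a real GET from a CONNECT that was merely assumed to carry TLS.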