SARG – Squid Analysis Report Generator and Internet Bandwidth Monitoring Tool

SARG is an open source tool that analyses squid log files and generates beautiful reports in HTML format with information about users, IP addresses, top accessed sites, total bandwidth usage, elapsed time, downloads, access denied websites, and daily, weekly and monthly reports.

SARG is a very handy tool to view how much internet bandwidth is used by individual machines on the network and to watch which websites the network’s users are accessing.

In this article I will guide you on how to install and configure SARG (Squid Analysis Report Generator) on RHEL/CentOS/Fedora and Debian/Ubuntu/Linux Mint systems.

Installing Sarg – Squid Log Analyzer in Linux

I assume that you have already installed, configured and tested a Squid server as a transparent proxy, and DNS for name resolution in caching mode. If not, please install and configure them first before moving on to the installation of Sarg.

Important: Please remember that without the Squid and DNS setup there is no use installing sarg on the system; it won’t work at all. So install them first before proceeding to the Sarg installation.

Follow these guides to install DNS and Squid in your Linux systems:

Install Cache-Only DNS Server
  1. Install Cache Only DNS Server in RHEL/CentOS 7
  2. Install Cache Only DNS Server in RHEL/CentOS 6
  3. Install Cache Only DNS Server in Ubuntu and Debian
Install Squid as Transparent Proxy
  1. Setting Up Squid Transparent Proxy in Ubuntu and Debian
  2. Install Squid Cache Server on RHEL and CentOS

Step 1: Installing Sarg from Source

The ‘sarg‘ package is not included by default in RedHat based distributions, so we need to compile and install it manually from the source tarball. For this, some additional prerequisite packages must be installed on the system before compiling it from source.

On RedHat/CentOS/Fedora
# yum install -y gcc gd gd-devel make perl-GD wget httpd

Once you’ve installed all the required packages, download the latest sarg source tarball, or use the following wget command to download it, then build and install it as shown below.

# wget http://liquidtelecom.dl.sourceforge.net/project/sarg/sarg/sarg-2.3.10/sarg-2.3.10.tar.gz
# tar -xvzf sarg-2.3.10.tar.gz
# cd sarg-2.3.10
# ./configure
# make
# make install

On Debian/Ubuntu/Linux Mint

On Debian based distributions, the sarg package can be easily installed from the default repositories using the apt-get package manager.

$ sudo apt-get install sarg

Step 2: Configuring Sarg

Now it’s time to edit some parameters in the SARG main configuration file. The file contains lots of options, but we will only edit the required parameters:

  1. Access logs path
  2. Output directory
  3. Date Format
  4. Overwrite report for the same date.

Open the sarg.conf file with the editor of your choice and make the changes shown below.

# vi /usr/local/etc/sarg.conf        [On RedHat based systems]
$ sudo nano /etc/sarg/sarg.conf        [On Debian based systems]

Now uncomment the access_log line and set it to the actual path of your squid access log file.

# sarg.conf
#
# TAG:  access_log file
#       Where is the access.log file
#       sarg -l file
#
access_log /var/log/squid/access.log

Next, set the correct output directory path where the generated squid reports will be saved. Please note that under Debian based distributions the Apache web root directory is ‘/var/www‘, so be careful to use the correct web root path for your Linux distribution.

# TAG:  output_dir
#       The reports will be saved in that directory
#       sarg -o dir
#
output_dir /var/www/html/squid-reports

Set the correct date format for reports. For example, ‘date_format e‘ will display reports in ‘dd/mm/yy‘ format.

# TAG:  date_format
#       Date format in reports: e (European=dd/mm/yy), u (American=mm/dd/yy), w (Weekly=yy.ww)
#
date_format e

Next, uncomment and set Overwrite report to ‘Yes’.

# TAG: overwrite_report yes|no
#      yes - if report date already exist then will be overwritten.
#       no - if report date already exist then will be renamed to filename.n, filename.n+1
#
overwrite_report yes

That’s it! Save and close the file.

Step 3: Generating Sarg Report

Once you’re done with the configuration, it’s time to generate the squid log report using the following command.

# sarg -x        [On RedHat based systems]
$ sudo sarg -x        [On Debian based systems]

Sample Output

# sarg -x

SARG: Init
SARG: Loading configuration from /usr/local/etc/sarg.conf
SARG: Deleting temporary directory "/tmp/sarg"
SARG: Parameters:
SARG:           Hostname or IP address (-a) =
SARG:                    Useragent log (-b) =
SARG:                     Exclude file (-c) =
SARG:                  Date from-until (-d) =
SARG:    Email address to send reports (-e) =
SARG:                      Config file (-f) = /usr/local/etc/sarg.conf
SARG:                      Date format (-g) = USA (mm/dd/yyyy)
SARG:                        IP report (-i) = No
SARG:             Keep temporary files (-k) = No
SARG:                        Input log (-l) = /var/log/squid/access.log
SARG:               Resolve IP Address (-n) = No
SARG:                       Output dir (-o) = /var/www/html/squid-reports/
SARG: Use Ip Address instead of userid (-p) = No
SARG:                    Accessed site (-s) =
SARG:                             Time (-t) =
SARG:                             User (-u) =
SARG:                    Temporary dir (-w) = /tmp/sarg
SARG:                   Debug messages (-x) = Yes
SARG:                 Process messages (-z) = No
SARG:  Previous reports to keep (--lastlog) = 0
SARG:
SARG: sarg version: 2.3.7 May-30-2013
SARG: Reading access log file: /var/log/squid/access.log
SARG: Records in file: 355859, reading: 100.00%
SARG:    Records read: 355859, written: 355859, excluded: 0
SARG: Squid log format
SARG: Period: 2014 Jan 21
SARG: Sorting log /tmp/sarg/172_16_16_55.user_unsort
......

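Note: The ‘sarg -x’ command reads the ‘sarg.conf‘ configuration file, takes the squid ‘access.log‘ path from it and generates a report in HTML format. The ‘-x‘ option turns on debug messages, as the ‘Debug messages (-x) = Yes‘ line in the output above shows.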
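
Before comparing the generated report with what you expect, it helps to confirm that the file sarg reads really is in Squid's native log format and to see the per-client totals directly. The following is an added example, not part of the original article or of SARG; the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the SARG project).
# Squid native access.log fields used here:
#   $1 epoch.millis  $3 client address  $4 result/status  $5 bytes sent

# Constructed sample log: four valid records and one garbage line.
sample_access_log() {
cat <<'EOF'
1390287600.101    245 172.16.16.55 TCP_MISS/200 15360 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1390287601.202     12 172.16.16.55 TCP_DENIED/403 3584 GET http://blocked.example/ - NONE/- text/html
1390287602.303   1875 172.16.16.55 TCP_MISS/200 47616 CONNECT accounts.example.org:443 - DIRECT/203.0.113.10 -
1390287603.404     90 172.16.16.60 TCP_HIT/200 2048 GET http://example.com/logo.png - NONE/- image/png
this line is not a squid record
EOF
}

# Print "client requests bytes denied" per client, largest consumer first,
# then "malformed N" for lines that are not native-format records.
squid_summary() {
    awk '
        # Reject lines without 10 fields, an epoch timestamp or a byte count.
        NF < 10 || $1 !~ /^[0-9]+\.[0-9]+$/ || $5 !~ /^[0-9]+$/ { bad++; next }
        {
            req[$3]++
            bytes[$3] += $5
            if ($4 ~ /^TCP_DENIED\//) denied[$3]++
        }
        END {
            sorter = "sort -k3,3nr"
            for (c in req)
                printf("%s %d %d %d\n", c, req[c], bytes[c], denied[c] + 0) | sorter
            close(sorter)   # wait for the sorted rows before the last line
            printf "malformed %d\n", bad + 0
        }
    ' "$1"
}
```

Call it as `squid_summary /var/log/squid/access.log`; the totals give a baseline to compare against the generated report.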

Step 4: Accessing Sarg Report

The generated reports are placed under ‘/var/www/html/squid-reports/‘ or ‘/var/www/squid-reports/‘ and can be accessed from a web browser at the following address.

http://localhost/squid-reports
OR
http://ip-address/squid-reports

Report pages (screenshots not reproduced):

  1. Sarg Main Window
  2. Specific Date: Date Wise Report
  3. User Report: User Bandwidth Report
  4. Top Accessed Sites
  5. Top Sites and Users: Top Accessed Sites and Users
  6. Top Downloads
  7. Denied Access: Denied Access Sites
  8. Authentication Failures: Proxy Authentication Failures

Step 5: Automatic Generating Sarg Report

The process of generating sarg reports at a given interval can be automated via cron jobs. For example, let’s assume you want to generate reports automatically on an hourly basis; to do this, you need to configure a cron job.

# crontab -e

Next, add the following line at the bottom of the file. Save and close it.

0 */1 * * * /usr/local/bin/sarg -x

The above cron rule will generate a SARG report every 1 hour, at minute 0.

Reference Links

Sarg Homepage

That’s it with SARG! I will be coming up with a few more interesting articles on Linux; till then, stay tuned to TecMint.com and don’t forget to add your valuable comments.

Ravi Saive

I am Ravi Saive, creator of TecMint. A Computer Geek and Linux Guru who loves to share tricks and tips on the Internet. Most of my servers run on an open source platform called Linux.

135 Responses

  1. max says:

    hi,
    I would like to change the period but I don’t know where it changes.

  2. Juan says:

    Hello People

    Please, I would like to set up this feature on my Suse Server, is this possible?

  3. Juan says:

    Hello Folks,

    I’d like to know the procedure to set up this tool in Suse!!!

    Thanks a lot for your help and support.

  4. dan says:

    Hi, why my “denied accesses” is empty and not present when I’m accessing the http://x.x.x.x/squid-reports?

  5. Fentahun says:

    I have configured sarg in Linux, still it is not generating the report.

  6. Ram says:

    Hi,

    I’ve finished installing SARG but it displays a list of directory instead of the default index page of SARG and from the URL on the browser localhost/squid-reports this appears

    Index of /squid-reports
    [ICO]	Name	Last modified	Size	Description
    [PARENTDIR]	Parent Directory	 	- 	 
    [DIR]	2018Jan11-2018Jan11/	2018-01-11 14:23 	- 	 
    [DIR]	images/	2018-01-11 14:23 	- 	 
    Apache/2.4.18 (Ubuntu) Server at localhost Port 80
    
  7. Adeel says:

    I got this error after configuring SARG.

    Please help.

    SARG: sarg version: 2.3.1 Sep-18-2010
    SARG: Reading access log file: /var/log/squid/access.log
    SARG: Records in file: 3711, reading: 100.00%
    SARG: Records read: 3711, written: 3396, excluded: 0
    SARG: Squid log format
    SARG: Period: 01 Jan 1970
    SARG: pre-sorting files
    SARG: Making file: /tmp/sarg/18705
    SARG: Making file: /tmp/sarg/accounts_google_com_443
    SARG: getword_atoll loop detected after 0 bytes.
    SARG: Line="01/01/1970  05:00:07        172234  CONNECT"
    SARG: Record="TCP_MISS/200      172.16.0.13     +0500   """
    SARG: searching for 'x9'
    SARG: getword backtrace:
    SARG: 1:sarg() [0x4054b7]
    SARG: 2:sarg() [0x405668]
    SARG: 3:sarg() [0x40d41f]
    SARG: 4:sarg() [0x40c183]
    SARG: 5:/lib64/libc.so.6(__libc_start_main+0xfd) [0x3e8de1ed5d]
    SARG: There is a broken record or garbage in file /tmp/sarg/accounts_google_com_443.log
    
  8. Thisara says:

    Hi, thank you very much, it is a really interesting and useful article. Is it possible to set a login page to access squid-reports, or change the URL address to something else without using 10.93.2.1/squid-reports, e.g. 10.93.2.1/reports-sarg/?

    Thank You

  9. tuem says:

    Hi Ravi,

    Thanks for your guide, but I have a problem with my Squid. I use Squid 3.5.20 on CentOS 7 as a transparent proxy. But my squid can’t show the domain name of the destination server like yours. So my reports in Top Sites are all IP addresses like xxx.xxx.xxx.xxx:443 for HTTPS connections. How can I fix it?

    Thanks a lot !
