Skip to content
/ Elastic-Squid Public

A simple Docker Compose project that makes use of Elastic to monitor Squid proxy logs

License

Unlicense license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

lluked/Elastic-Squid

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
elastic
elastic
 
 
squid
squid
 
 
.env
.env
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 

Repository files navigation

Elastic-Squid

A Docker Compose project that makes use of Elastic to monitor Squid proxy logs. This project makes use of:

  • Elasticsearch
  • Kibana
  • Filebeat
  • Squid

Elastic

The Docker Compose file was originally based on Start the Elastic Stack with Docker Compose, however now:

  • All elastic based configurations have been moved from environment variables into their own config files.
  • Only one Elasticsearch node is being used.
  • The setup service has had its commands moved out into a script with a supporting file for defining instances, rather than the file being created by the script.
  • Filebeat and Squid services have been added.

Squid

Squid is built from source to be able to carry out ssl bumping. Please refer to docker-squid for more information. Squid is configured to bind to ports 3128 (normal) and 3129 (ssl bumping) on the host and sends logs via syslog to Filebeat. Filebeat then uses the Squid module to parse logs, and forward to Elasticsearch.

Instructions

  • Read the notes.

  • Launch the project with docker-compose up from the project directory.

  • Wait for all the services to start, this may take a while.

  • Set the proxy in your web browser to localhost:3128 or localhost:3129 for ssl inspection. Firefox works best as Chrome and Edge use system wide settings. If using the ssl bump port squid-certs/myCA.der needs installing as mentioned in the docker-squid repository.

  • Perform some web activity.

  • Visit Kibana at localhost:5601, login with the default credentials elastic:changeme.

  • Once logged in select the burger navigation icon, select Management -> Stack Management, select Kibana -> Data Views, you will then be prompted to create a data view. Create one with the Name matching the index pattern, filebeat-*, and set the Timestamp field to @timestamp. You will only be able to created a data view after data has been forwarded over from the proxy so this needs to be done after performing some web activity and there may be a slight delay.

  • You can now view logs under Discover, under the navigation icon, by changing the data view to filebeat-*.

  • Analyse the data and then create visualisations and dashboards to extract more information.

Notes

  • If you haven't run the Elastic Stack before you may come into errors related to memory allocation and be asked to set sysctl.vm.max_map_count to 262144.

Windows

To set sysctl.vm.max_map_count create or append to the .wslconfig file in your home directory with the following config:

[wsl2]
kernelCommandLine = "sysctl.vm.max_map_count=262144"

Linux

To set sysctl.vm.max_map_count run sysctl -w vm.max_map_count=262144 as root.

macOS

Open docker desktop, go to Settings -> Resources -> Memory and set to around 4GB.

About

A simple Docker Compose project that makes use of Elastic to monitor Squid proxy logs

Resources

Readme

License

Unlicense license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

Initial release Latest
Mar 2, 2022

Packages

No packages published

Languages