Friday, September 4, 2009

Using SARG on OSX 10.5

If you use Squid on OSX then likely you'll want to analyse your log files.

I've been using SARG (Squid Analysis Report Generator) for some years on OSX 10.4 and apart from the index sort going wrong now and again, its worked well.

Now I need to run it on 10.5, and thats a problem. The 2.08 version comes packages DMG and the installer runs OK, but always I get the error

    SARG: (index) Cannot open file: index.sort
So I thought I would see if I can get 2.231 going. First I downloaded it from There's no installer just a .zip with its files.

After unzipping I placed this inside the applications folder, and then modified sarg.conf to have the same input and output files and directories, and the local locations for languages, exclude_codes etc. Doesn't work. SARG still expects the log file to be in
and wants to output into
This is how to get it running:
  1. download SARG 2.231
  2. unzip etc and put in /Applications
Then from terminal run some commands:
    sudo sudo mkdir /usr/local/sarg2.231
    sudo cp -R /applications/sarg2.231/languages /usr/local/sarg2.231/languages
    sudo cp -R /applications/sarg2.231/exclude_codes /usr/local/sarg2.231/exclude_codes
    sudo cp -R /applications/sarg2.231/images /usr/local/sarg2.231/images
This creates the directories SARG is expecting to find in /usr/local and copies in the various resources.

Now you can copy or move you logs to, say


and then you can run SARG with the

    -l switch to specify the log file
    -o switch to specify the output directory

Then run the command to process your log file
    /applications/sarg2.231/bin/sarg -l /applications/sarg2.231/logs/squid-access.20090715.log -o /applications/sarg2.231/reports

SARG runs and you see the output

SARG: Records in file: 30052, reading: 100.00%
SARG: Successful report generated on /applications/sarg2.231/reports/2008Jul13-2008Jul15

You can then open

to read the output.

Here's the lst of SARG options and switches from man sarg

Show summary of options.

-a [hostname|ip address]
Limits report to records containing the specified hostname/ip address

-b filename
Enables UserAgent log and writes it to filename.

-c filename
Uses filename as the exclude files to select records that are not counted.

-d date
Uses date as the timelimit during logfile processing. Format for date is dd/mm/yyyy-dd/mm/yyyy

-e email
Sends report to email (stdout for console).

-f filename
Reads configuration from filename.

-g e|u
Sets date format in generated reports.
e = Europe -> dd/mm/yy
u = USA -> mm/dd/yy

Generates reports by user and ip address.
NOTE: This requires the 'report_type' option in config file to contain "users_sites".

-l filename
Uses filename as the input log.

Enables ip address resolution.

-o dir
Writes report in dir.

Generates reports using ip address instead of userid.

-s string
Limits report to the site specified by string [eg.]

-t string
Limits records counted in statistics based on time-of-day. Format for string is HH or HH:MM or HH:MM:SS.

-u user
Limits reports to user activities.

-w dir
Uses dir for temporary files.

Writes messages on processes to STDOUT

Writes debug messages to STDOUT

Convert the logfile's date/time field to human-readable.

Split the log file by date in -d parameter.

No comments: