Hello everyone,
I forward Squid access logs to QRadar via syslog, following the IBM documentation here: Configuring syslog forwarding
The doc states the log format should be common. Because the common format omits several attributes I need, I tried using extended/custom Squid logformats. The problem is that when I switch away from common, QRadar no longer detects the logs as Squid (they land in generic LinuxServer/AIX sources), so the Squid DSM and custom properties are not applied.
A workaround that appears to work is: keep the common format and append additional attributes. That allows QRadar to recognize the logs, but extracting the appended fields with regex inside QRadar is tedious and much fun.
How do you reliably extend Squid access logs while keeping QRadar’s automatic DSM detection?
Do you maintain a common-compatible prefix and then append fields, or are there better ways to extend the log format?
Thanks in advance for any practical examples — I’d appreciate any tips to extend the common log format.
Best regards,
Reinhard
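As an added example (not part of Reinhard's post and not IBM's or Squid's own code), here is a small Python parser for the workaround described above: the line keeps Squid's stock "common" prefix byte-for-byte and appends extra fields after the `%Ss:%Sh` token. The `logformat common` line in the comments is Squid's documented built-in definition; the extended format name `common_ext` and the choice of appended fields (`%{Referer}>h`, `%{User-Agent}>h`, `%tr`) are assumptions for this example, and the log lines are constructed, not real traffic. The `CUSTOM_PROPERTY_PATTERNS` show one regex with a single capture group per appended field, anchored on the end of the common prefix rather than on end-of-line, so that appending a further field later does not break the properties already defined.

```python
"""Parse Squid access-log lines that keep the stock "common" prefix and
append extra fields; show one-capture-group regexes for those fields."""
import re
from typing import Optional

# Squid's built-in "common" logformat, as documented in squid.conf:
#   logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
#
# Assumed extended format for this example (the name common_ext is made up):
#   logformat common_ext %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh "%{Referer}>h" "%{User-Agent}>h" %tr
#   access_log syslog:local4.info common_ext
# Everything up to %Ss:%Sh is identical to "common"; the appended header
# values are quoted so spaces in a User-Agent do not shift later fields.

COMMON_PREFIX = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'(?P<squid_status>[A-Z_]+):(?P<hierarchy>[A-Z_]+)'
    r'(?P<tail>.*)$'
)
# Names and order of the appended fields, matching the logformat above.
APPENDED_FIELDS = ("referer", "user_agent", "response_ms")
INT_FIELDS = {"response_ms"}
# A tail token is either a double-quoted string or a run of non-spaces.
# (Quote characters inside a quoted value are not handled here.)
TAIL_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# One regex with a single capture group per appended field. They anchor on
# the %Ss:%Sh token that ends the common prefix, not on end-of-line, so a
# field appended later does not invalidate the existing patterns.
CUSTOM_PROPERTY_PATTERNS = {
    "referer":     re.compile(r'[A-Z_]+:[A-Z_]+ "([^"]*)" "[^"]*" \d+'),
    "user_agent":  re.compile(r'[A-Z_]+:[A-Z_]+ "[^"]*" "([^"]*)" \d+'),
    "response_ms": re.compile(r'[A-Z_]+:[A-Z_]+ "[^"]*" "[^"]*" (\d+)'),
}

# Constructed sample lines (not real traffic).
LOG_LINES = [
    # plain "common" output, no appended fields
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET http://example.com/ HTTP/1.1" '
    '200 2326 TCP_MISS:HIER_DIRECT',
    # common prefix plus the three appended fields
    '192.0.2.11 - alice [10/Oct/2023:13:55:37 +0000] "CONNECT www.example.net:443 HTTP/1.1" '
    '200 5120 TCP_TUNNEL:HIER_DIRECT "-" "Mozilla/5.0 (X11; Linux x86_64)" 37',
    # common prefix plus one more field than the parser knows about
    '192.0.2.12 - - [10/Oct/2023:13:55:38 +0000] "GET http://example.org/a HTTP/1.1" '
    '404 512 TCP_MISS:HIER_DIRECT "http://ref.example/" "curl/8.4.0" 12 text/html',
    # a line from another daemon: must be rejected
    'Oct 10 13:55:39 proxy sshd[1234]: Accepted publickey for root from 192.0.2.5',
]


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a common-prefixed Squid line, or None if the line
    does not start with the common format."""
    m = COMMON_PREFIX.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "tail"}
    for name in APPENDED_FIELDS:
        rec[name] = None
    # findall yields (quoted, bare) pairs; exactly one of them is non-empty
    tokens = [quoted or bare for quoted, bare in TAIL_TOKEN.findall(m.group("tail"))]
    for name, value in zip(APPENDED_FIELDS, tokens):
        if value in ("-", ""):
            rec[name] = None          # Squid logs "-" for an absent header
        elif name in INT_FIELDS and value.isdigit():
            rec[name] = int(value)
        else:
            rec[name] = value
    rec["extra"] = tokens[len(APPENDED_FIELDS):]   # unknown trailing fields
    return rec


def extract_property(line: str, name: str) -> Optional[str]:
    """Single-capture-group extraction of one appended field from the raw
    payload, the shape a regex-based custom property takes."""
    m = CUSTOM_PROPERTY_PATTERNS[name].search(line.rstrip("\r\n"))
    return m.group(1) if m else None


if __name__ == "__main__":
    for raw in LOG_LINES:
        rec = parse_line(raw)
        if rec is None:
            print("not common-compatible:", raw[:40])
            continue
        print(rec["client"], rec["status"], rec["squid_status"],
              rec["user_agent"], rec["response_ms"], rec["extra"])
```

Run it as-is and the first three lines parse with the common fields populated and the appended fields filled only where present, while the sshd line is rejected. The practical check before changing the production format is to run every candidate line through `COMMON_PREFIX`: if a line fails there, it is no longer common-compatible and will not be detected as Squid.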