[squid-users] https log message formatting help

daveh timor at iinet.net.au
Tue Apr 11 05:33:31 UTC 2017


Thanks again for the explanation


I'm not changing the raw squid log, only the normalised event. I'm simply
pulling out the URL host (the FQDN) from the URL as my SIEM agent doesn't
natively understand how to parse these CONNECT messages. It doesn't matter
to me if CONNECT requests are not always https requests. For my purposes I
need to compare the FQDN to a list of IOCs.

If I have a use case specific to the use of CONNECT requests in the future,
I still have all of that information as-is, from the proxy.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/https-log-message-formatting-help-tp4681994p4682048.html
Sent from the Squid - Users mailing list archive at Nabble.com.
