Howto read debug from Ironport Web Security Appliance

bvj197222
Level 1

I have asked before but haven't gotten an answer I can use. The question is very simple: where is the documentation for how to read trace logs from the Web Security Appliance? We have an S160 with the latest AsyncOS.

Example: the appliance blocks a request to a Java applet after logging into www.survey-xact.dk/login. I checked the URL with the policy trace and it reported success, so no problem there. However, the Java applet was blocked. I used HttpWatch and found that the Java applet generated a request to another IP address. I did a grep on the access log and came up with some data. How do I interpret the output? (see below) I don't understand any of the codes etc., and there's hardly any documentation on this. The solution in this case was to add the IP to the HTTPS bypass list and it worked. However, we have so many IP addresses and URLs on that list now that I'm considering taking out the proxy and replacing it with an ordinary URL filter instead. What's the point of having a proxy when you can't read from the logs WHY it blocks access to an IP? The best solution must be to find out why the proxy blocks the access, and then configure it to allow the proxy without having to add everything to the bypass list?

Enter the regular expression to grep.

[]> 217.195.184.80

Do you want this search to be case insensitive? [Y]>

Do you want to search for non-matching lines? [N]>

Do you want to tail the logs? [N]> y

Do you want to paginate the output? [N]>

Press Ctrl-C to stop.

1340875127.247 97 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -

1340875127.391 108 172.17.21.78 TCP_MISS_SSL/200 2545 GET https://www.survey-xact.dk:443/smartdesigner.jnlp?surveyid=255703 - DIRECT/217.195.184.80 text/xml DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",188.52,0,-,"-","-"> -

1340875127.515 366 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -

1340875128.526 370 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -

1340875128.668 92 172.17.21.78 TCP_CLIENT_REFRESH_MISS_SSL/304 227 GET https://www.survey-xact.dk:443/smartdesigner/logo64.gif - DIRECT/217.195.184.80 - DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",19.74,0,-,"-","-"> -

1340875129.769 97 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -

1340875129.875 91 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -

How do I interpret

2 Replies

Chris Illsley
Level 3

Hello,

Most of the logs are Squid-style, so the link below gives a decent explanation:

http://www.comfsm.fm/computing/squid/FAQ-6.html

The bit between the chevrons, <>, is the IronPort part, and it should be pretty straightforward.

Thanks

Chris
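An added example, not part of the original thread and not Cisco's own tooling: a small Python parser that takes the lines posted above apart into the fields Chris refers to. The field order follows the AsyncOS access-log layout as I recall it from the user guide (timestamp, elapsed ms, client IP, transaction result/HTTP status, bytes, method, URL, user, hierarchy/server, MIME type, ACL decision tag, then the scanning-verdict block in angle brackets); treat the positions and the group-name order inside the decision tag as assumptions to check against the guide for your release. The ACL decision tag is the field to read first: its leading word is the action the proxy took (ALLOW, BLOCK, DECRYPT, PASSTHRU, DEFAULT_CASE, ...), the part before the numeric index is the reason (WBRS = web reputation score), and the hyphen-separated names after it are the policy group, identity group and the other policy groups that matched. Run over the poster's lines, it shows that none of them carries a BLOCK action: the CONNECTs to the bare IP were decrypted (DECRYPT_WBRS) under DefaultGroup, while the requests that named www.survey-xact.dk fell into the DSBaccess policy group.

```python
"""Parse Cisco WSA (AsyncOS) access-log lines and extract the ACL decision tag."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three of the lines posted in the question, copied verbatim.
SAMPLE_LOG = """\
1340875127.247 97 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -
1340875127.391 108 172.17.21.78 TCP_MISS_SSL/200 2545 GET https://www.survey-xact.dk:443/smartdesigner.jnlp?surveyid=255703 - DIRECT/217.195.184.80 text/xml DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",188.52,0,-,"-","-"> -
1340875128.668 92 172.17.21.78 TCP_CLIENT_REFRESH_MISS_SSL/304 227 GET https://www.survey-xact.dk:443/smartdesigner/logo64.gif - DIRECT/217.195.184.80 - DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",19.74,0,-,"-","-"> -
"""

# Field order as assumed from the AsyncOS access-log documentation: Squid-style
# fields up to the ACL decision tag, then the scanning-verdict block in <...>.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<server>\S+)\s+(?P<mime>\S+)\s+(?P<acl>\S+)\s+"
    r"<(?P<verdict>[^>]*)>(?P<trailing>.*)$"
)

# Leading word(s) of the ACL decision tag: what the proxy decided to do.
ACTIONS = ("ALLOW", "BLOCK", "DECRYPT", "PASSTHRU", "MONITOR", "REDIRECT",
           "DEFAULT_CASE", "NO", "OTHER")
# Assumed order of the hyphen-separated group names that follow the action.
GROUP_NAMES = ("policy_group", "identity", "outbound_malware", "data_security",
               "external_dlp", "routing_group")


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str          # transaction result, e.g. TCP_MISS_SSL
    status: int          # HTTP status returned to the client
    size: int
    method: str          # GET, TCP_CONNECT, ...
    url: str
    server: str          # upstream address after DIRECT/
    mime: str
    action: str          # DECRYPT, DEFAULT_CASE, BLOCK, ...
    reason: str          # e.g. WBRS (web reputation score); "" when none
    policy_index: int
    groups: dict         # GROUP_NAMES -> matched group name
    url_category: str    # first scanning-verdict field
    wbrs_score: str      # second scanning-verdict field, kept as text


def parse_acl_tag(tag: str):
    """Split ACTION[_REASON]_INDEX-group-group-... into its parts."""
    head, *groups = tag.split("-")
    head_parts, idx = head.rsplit("_", 1) if "_" in head else (head, "")
    action = next((a for a in ACTIONS
                   if head_parts == a or head_parts.startswith(a + "_")),
                  head_parts)
    reason = head_parts[len(action) + 1:]
    try:
        index = int(idx)
    except ValueError:
        index = -1
    padded = groups + [""] * (len(GROUP_NAMES) - len(groups))
    return action, reason, index, dict(zip(GROUP_NAMES, padded))


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action, reason, index, groups = parse_acl_tag(m["acl"])
    verdict = m["verdict"].split(",")
    return Entry(
        ts=float(m["ts"]), elapsed_ms=int(m["elapsed_ms"]), client=m["client"],
        result=m["result"], status=int(m["status"]), size=int(m["size"]),
        method=m["method"], url=m["url"], server=m["server"], mime=m["mime"],
        action=action, reason=reason, policy_index=index, groups=groups,
        url_category=verdict[0] if verdict else "",
        wbrs_score=verdict[1] if len(verdict) > 1 else "",
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def destination_host(entry: Entry) -> str:
    """Host part of the URL, which for a CONNECT is just host:port."""
    return entry.url.split("://")[-1].split("/")[0].split(":")[0]


def is_bare_ip(host: str) -> bool:
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def blocked(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.action == "BLOCK"]


def summarize(entries: List[Entry]):
    """Per line: method, destination, action, reason, matched policy group."""
    return [(e.method, destination_host(e), e.action, e.reason,
             e.groups["policy_group"]) for e in entries]


if __name__ == "__main__":
    for row in summarize(parse_log(SAMPLE_LOG)):
        print(row)
```

Two things a practitioner would take from the output. First, grep the access log for `BLOCK_` around the same timestamp and client IP before concluding the proxy blocked anything; these lines only record decryption and allow decisions. Second, a DECRYPT decision means the appliance terminates the TLS session and re-signs the server certificate with its own CA, and a Java client that does not trust that CA will abort the handshake without the proxy ever logging a block. That is one explanation consistent with the HTTPS pass-through list fixing the applet, not something these lines prove; the decryption policy's reputation thresholds for the group that the bare-IP CONNECTs matched (DefaultGroup here, not DSBaccess) would be the place to look next.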

Hi,

The IronPort user guide has a detailed explanation of the fields included in the access logs:

Kind Regards

Jaki