06-28-2012 02:37 AM
I have asked before but haven't gotten an answer I can use. The question is very simple: where is the documentation for how to read trace logs from the Web Security Appliance? We have an S160 with the latest AsyncOS.
Example: the appliance blocks a request to a Java applet after logging into www.survey-xact.dk/login. I checked the URL with the policy trace and it reported success, so no problem there. However, the Java applet was blocked. I used HttpWatch and found that the Java applet generated a request to another IP address. I did a grep on the access log and came up with some data. How do I interpret the output? (see below) I don't understand any of the codes etc., and there's hardly any documentation on this. The solution in this case was to add the IP to the HTTPS bypass list and it worked. However, we have so many IP addresses and URLs on that list now that I'm considering taking out the proxy and replacing it with an ordinary URL filter instead. What's the point of having a proxy when you can't read from the logs WHY it blocks access to an IP? The best solution must be to find out why the proxy blocks the access, and then configure it to allow the proxy without having to add everything to the bypass list?
Enter the regular expression to grep.
[]> 217.195.184.80
Do you want this search to be case insensitive? [Y]>
Do you want to search for non-matching lines? [N]>
Do you want to tail the logs? [N]> y
Do you want to paginate the output? [N]>
Press Ctrl-C to stop.
1340875127.247 97 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -
1340875127.391 108 172.17.21.78 TCP_MISS_SSL/200 2545 GET https://www.survey-xact.dk:443/smartdesigner.jnlp?surveyid=255703 - DIRECT/217.195.184.80 text/xml DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",188.52,0,-,"-","-"> -
1340875127.515 366 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -
1340875128.526 370 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -
1340875128.668 92 172.17.21.78 TCP_CLIENT_REFRESH_MISS_SSL/304 227 GET https://www.survey-xact.dk:443/smartdesigner/logo64.gif - DIRECT/217.195.184.80 - DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",19.74,0,-,"-","-"> -
1340875129.769 97 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -
1340875129.875 91 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -
06-29-2012 03:59 AM
Hello,
Most of the log format is Squid's, so the link below gives a decent explanation:
http://www.comfsm.fm/computing/squid/FAQ-6.html
The bit between the chevrons, <>, is the IronPort part and it should be pretty straightforward.
Thanks
Chris
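A worked parser for the lines posted above, as an added example that is not part of the thread and is not Cisco's code. It splits each line into the Squid-style fields Chris refers to, decodes the ACL decision tag (ACTION_REASON_policyindex followed by the hyphen-separated policy group names), and pulls the first two chevron fields (request-side URL category and WBRS score). The order in which the six group names are labelled after the policy index is this example's assumption, taken from the WSA user guide's description of the access-log format, and should be checked against the guide for the installed AsyncOS version; the seven sample lines are copied from the original post.

```python
"""Parse Cisco WSA (IronPort) access-log lines and say what the proxy decided.

Added example, not taken from the thread or from Cisco. The main-line layout
is the Squid-style one described in the reply above; the decision-tag and
chevron field meanings are this example's reading of the WSA user guide.
"""
import csv
import re
from datetime import datetime, timezone

# The seven lines from the grep output in the original post, copied verbatim.
SAMPLE_LINES = [
    '1340875127.247 97 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -',
    '1340875127.391 108 172.17.21.78 TCP_MISS_SSL/200 2545 GET https://www.survey-xact.dk:443/smartdesigner.jnlp?surveyid=255703 - DIRECT/217.195.184.80 text/xml DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",188.52,0,-,"-","-"> -',
    '1340875127.515 366 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -',
    '1340875128.526 370 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -',
    '1340875128.668 92 172.17.21.78 TCP_CLIENT_REFRESH_MISS_SSL/304 227 GET https://www.survey-xact.dk:443/smartdesigner/logo64.gif - DIRECT/217.195.184.80 - DEFAULT_CASE_11-DSBaccess-DSBHK-NONE-NONE-NONE-NONE <IW_busi,0.0,"0","-",0,0,0,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"Unknown","-","Unknown","Unknown","-","-",19.74,0,-,"-","-"> -',
    '1340875129.769 97 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -',
    '1340875129.875 91 172.17.21.78 TCP_MISS_SSL/200 0 TCP_CONNECT 217.195.184.80:443 - DIRECT/217.195.184.80 - DECRYPT_WBRS_7-DefaultGroup-DSBHK-NONE-NONE-NONE-DefaultGroup <IW_busi,0.0,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-"> -',
]

# Squid-style main line: epoch time, elapsed ms, client, result/status, bytes,
# method, URL, user, hierarchy/server, MIME type, ACL decision tag, <verdicts>, trailer.
# The "_SSL" suffix on the result code is a WSA addition marking a decrypted HTTPS tunnel.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hierarchy>[^/\s]+)/(?P<server>\S+)\s+'
    r'(?P<mime>\S+)\s+(?P<decision_tag>\S+)\s+<(?P<verdict>[^>]*)>\s+(?P<trailer>\S+)$'
)

# ACTION_REASON_<policy index>, e.g. DECRYPT_WBRS_7; DEFAULT_CASE_11 parses as DEFAULT/CASE/11.
DECISION_RE = re.compile(r'^(?P<action>[A-Z]+)(?:_(?P<reason>[A-Z0-9_]+?))?_(?P<policy>\d+)$')

# Assumed order of the hyphen-separated group names that follow the policy index
# (check against the user guide for your AsyncOS version; names must not contain '-').
GROUP_NAMES = ('policy_group', 'identity_group', 'outbound_malware_group',
               'data_security_group', 'external_dlp_group', 'routing_group')


def parse_decision(tag):
    """Decode the ACL decision tag into action, reason, policy index and group names."""
    token, _, rest = tag.partition('-')
    m = DECISION_RE.match(token)
    if m:
        d = {'action': m['action'], 'reason': m['reason'], 'policy_index': int(m['policy'])}
    else:  # tags such as OTHER or NO_PASSWORD carry no policy index
        d = {'action': token, 'reason': None, 'policy_index': None}
    d.update(zip(GROUP_NAMES, rest.split('-')))
    return d


def parse_verdict(text):
    """Split the chevron block (CSV with quoted fields) and name the fields used here."""
    fields = next(csv.reader([text]))
    wbrs = fields[1] if len(fields) > 1 else '-'
    return {
        'request_category': fields[0],                     # field 1: request-side URL category
        'wbrs_score': float(wbrs) if wbrs not in ('-', '') else None,  # field 2: WBRS score
        'response_category': fields[19] if len(fields) > 19 else None,  # field 20 (assumed)
        'field_count': len(fields),
        'raw': fields,
    }


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised access-log line: {line!r}')
    rec = m.groupdict()
    for key in ('elapsed_ms', 'status', 'bytes'):
        rec[key] = int(rec[key])
    rec['time_utc'] = datetime.fromtimestamp(float(rec['ts']), tz=timezone.utc)
    rec['decision'] = parse_decision(rec.pop('decision_tag'))
    rec['verdict'] = parse_verdict(rec.pop('verdict'))
    return rec


def classify(rec):
    """Reduce the decision tag to what the proxy actually did with the request."""
    action = rec['decision']['action']
    if action in ('BLOCK', 'DROP') or rec['status'] == 403:
        return 'blocked'
    if action == 'DECRYPT':
        return 'decrypted'          # CONNECT was decrypted under a decryption policy
    if action == 'PASSTHRU':
        return 'passthrough'        # tunnelled without decryption (HTTPS bypass)
    if action in ('ALLOW', 'DEFAULT', 'MONITOR'):
        return 'allowed'            # DEFAULT_CASE: no explicit rule hit, default action applied
    return action.lower()


def parse_all(lines):
    return [parse_line(line) for line in lines]


def blocked(records):
    return [r for r in records if classify(r) == 'blocked']


def summarize(rec):
    d, v = rec['decision'], rec['verdict']
    reason = f"/{d['reason']}" if d['reason'] else ''
    return (f"{rec['time_utc']:%Y-%m-%d %H:%M:%S} UTC {rec['client']} {rec['method']} {rec['url']} "
            f"-> {rec['result']}/{rec['status']} {classify(rec)} by {d['action']}{reason} "
            f"policy #{d['policy_index']} ({d['policy_group']}, identity {d['identity_group']}) "
            f"cat={v['request_category']} wbrs={v['wbrs_score']}")


if __name__ == '__main__':
    records = parse_all(SAMPLE_LINES)
    for r in records:
        print(summarize(r))
    print(f'blocked by proxy: {len(blocked(records))} of {len(records)}')
```

Run against the posted lines, none of the seven carries a BLOCK_ or DROP_ tag or a 403: the CONNECTs to 217.195.184.80 were decrypted (DECRYPT_WBRS under decryption policy 7, identity DSBHK), and the GETs inside the tunnel hit the default case of access policy 11 (DSBaccess) and were served with 200/304. So this extract does not show the proxy blocking anything; what it does show is that the TLS session was intercepted. An applet loaded by a JVM that does not trust the appliance's signing certificate will fail for that reason alone, which is consistent with adding the IP to the HTTPS bypass list (no decryption) fixing it. The thing to check before adding another bypass entry is therefore whether the decision tag reads BLOCK_ or DECRYPT_, and, in the latter case, whether the client has the appliance's root certificate; note also that a grep on one server IP only shows lines for that IP, so a block of a request to a different host would not appear in it.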
07-08-2012 05:31 PM
Hi,
The IronPort user guide has a detailed explanation of the fields included in the access logs:
Kind Regards
Jaki