
Is there a way to view a log entry for an unsuccessful connection

abadcabassa
Level 1

Hello,

I am attempting to figure out what workstation a website request originated from that the firewall is reporting as coming from the WSA proxy. When I search the proxy for the specific URL I get nothing. I have noticed a behavior that if the proxy returns gateway timeout to the client, the action is not found via the web tracking. I have also used the CLI to search some of the log files on there with no luck. Can anyone confirm what I am seeing and/or suggest a way to accomplish what I am trying to do? Thank you in advance.


You should be able to GREP the access log to find it.

Log in to the WSA via the CLI.

Run GREP.

Pick the access log (might have to page up; on a stock install it's "1", but if you've added any logs it might be 2 or 3).

Escape the dots when you enter the web site (e.g. "www\.google\.com").

Thank you. That sounded promising but it did not find anything. Our DNS logs show this specific proxy looking up this name but I still cannot find the attempt to surf registered on the proxy. On a good note, thanks for telling me about escaping the dots. I did not know that since I am spoiled with using the SMA to look at the web tracking.

abadcabassa
Level 1

Anyone else have other suggestions on this? Thank you Ken for the help thus far.

If the WSA is returning "gateway timeout", normally the WSA will log this as a "None/504" code.

You can grep the accesslogs to list out the HTTP code 504 using a regular expression such as /504

And if you have added %L in the log subscription of the WSA accesslogs (custom fields), it will list out the local time of the appliance for each transaction; you can then filter further with the grep to see those transactions based on the time.

You can use a second condition to grep the accesslogs such as:

/504.*12/Jun/2017:13:18:16

Regards

Handy Putra
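The filter from the last reply, applied offline to exported access log lines so that the client IP is printed for each 504 match (an added example, not part of the thread). The sample lines are constructed, and the layout (client IP in field 3, result/status in field 4, URL in field 7, %L as a quoted trailing field) and the `find_504` helper name are assumptions.

```shell
#!/bin/sh
# Constructed sample lines in the squid-style layout assumed here:
# epoch elapsed client_ip result/status bytes method url user ... "%L local time"
sample_log() {
cat <<'EOF'
1497273480.101 212 10.1.1.15 TCP_MISS/200 8187 GET http://www.example.com/ - DIRECT/www.example.com text/html ALLOW "12/Jun/2017:13:18:00"
1497273496.112 60003 10.1.1.23 NONE/504 0 GET http://slow.example.net/report - DIRECT/slow.example.net - ALLOW "12/Jun/2017:13:18:16"
1497273499.530 60001 10.1.1.42 NONE/504 0 GET http://slow.example.net/report - DIRECT/slow.example.net - ALLOW "12/Jun/2017:13:18:19"
1497277200.004 60002 10.1.1.77 NONE/504 0 GET http://other.example.org/ - DIRECT/other.example.org - ALLOW "12/Jun/2017:14:20:00"
EOF
}

# find_504 TIME_PREFIX [HOST]
# Reads access log lines on stdin and prints "client_ip local_time url" for
# every transaction that has status 504, whose %L field starts with
# TIME_PREFIX, and (optionally) whose URL contains HOST.
# Plain substring matching is used for the time and host, so the slashes,
# colons and dots need no regex escaping.
find_504() {
    awk -v t="$1" -v h="${2:-}" '
        $4 ~ /\/504$/ && index($0, "\"" t) && (h == "" || index($7, h)) {
            n = split($0, q, "\"")      # q[n-1] is the quoted %L value
            print $3, q[n-1], $7
        }'
}

# Exact second from the firewall log, then a whole-minute window to allow
# for clock skew between the firewall and the proxy.
sample_log | find_504 "12/Jun/2017:13:18:16"
sample_log | find_504 "12/Jun/2017:13:18"
```

Because the gateway timeout is only logged when the request finally fails, the proxy timestamp can trail the firewall or DNS timestamp, which is why the second call widens the window to the minute.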