
Log Subscription Custom Fields Issue

Good day.

We currently use the IronPort S670.  In the Log Subscription section, we are trying to get a custom Log Subscription that uses the Access Logs.

Below is what I have input in the Custom Fields area of the Log Subscription:

Date %v|Time %V|Unix_TimeStamp %t|Client_IP %a|Client_Source_Port %F|Destination_Port %p|Source_IP %k|Source_Hostname %d|Source_CPU_Name %N|Request_URI %U|Full_URL %Y|Cookie_Header %C|Referrer %<Referrer:|Forwarded_for %f|Elapsed_Time %e|Bytes %B|Request_Size %q|MYEND|


I do get all the fields and the format I requested in my log files; however, my issue is that it adds the default logs to it as well.

Sample of log file output: in bold are the custom fields I requested; the rest, before them, is the default log output.

1335539582.805 359 TCP_CLIENT_REFRESH_MISS/200 6699 POST DIRECT/ text/plain DEFAULT_CASE_11-PHAC_Access-PHAC_Access-NONE-NONE-NONE-DefaultGroup <IW_mail,-,"1","-",-,-,-,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_mail,-,"-","-","Yahoo Mail","Webmail","Unknown","-",149.28,0,-,"-","-"> - Date 2012-04-27|Time 15:13:02|Unix_TimeStamp 1335539582.805|Client_IP|Client_Source_Port 4934|Destination_Port 80|Source_IP|Source_Hostname|Source_CPU_Name|Request_URI ws/mail/v2.0/js?|Full_URL "Cookie: B=0nlkn2p7dairm&b=4&d="|Referrer -|Forwarded_for -|Elapsed_Time 359|Bytes 8756|Request_Size 2057|MYEND|

Is there a way to have the custom log subscriptions, to only show the custom fields selected?

Thank you for all your assistance.



Log Subscription Custom Fields Issue

To be clear, you want an AccessLogs subscription, but with none of the defaults, correct?

If you use a W3C log instead of an access log, you can pick which fields you can use, so you could remove them all, and just add the ones you want using the custom fields.

I'd try creating a new log subscription, pick W3C Logs as the log type, pull out all of the other log fields and put your string in the Custom Fields box...



Log Subscription Custom Fields Issue

You are correct Ken.  I just want my customs and not the defaults.

I've also created a W3C custom to test your theory.   I should know shortly.

Thanks for the advice.

Cisco Employee

Re: Log Subscription Custom Fields Issue

Best is to go with a new W3C log subscription and specify each field you require. When you're in the section, you can click on Custom Fields and then choose "Custom Formatting in Access Logs and W3C Logs" to get a full overview of possible tokens.
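Added example, not part of the thread and not Cisco code: for access-log lines already collected with the default fields prepended, the custom block can be separated by anchoring on the labels from the Custom Fields string in the original post. The sample line is constructed, and it assumes the first label ("Date ") does not occur in the default part of the line.

```python
import re

# Custom Fields string from the original post.
FORMAT = ("Date %v|Time %V|Unix_TimeStamp %t|Client_IP %a|Client_Source_Port %F|"
          "Destination_Port %p|Source_IP %k|Source_Hostname %d|Source_CPU_Name %N|"
          "Request_URI %U|Full_URL %Y|Cookie_Header %C|Referrer %<Referrer:|"
          "Forwarded_for %f|Elapsed_Time %e|Bytes %B|Request_Size %q|MYEND|")

# Constructed sample line (not real traffic): default fields, then the custom block.
SAMPLE = ("1335539582.805 359 TCP_MISS/200 6699 GET DIRECT/ text/plain - "
          "Date 2012-04-27|Time 15:13:02|Unix_TimeStamp 1335539582.805|"
          "Client_IP 192.0.2.10|Client_Source_Port 4934|Destination_Port 80|"
          "Source_IP|Source_Hostname|Source_CPU_Name|Request_URI /q?a=1|b=2|"
          "Full_URL http://example.com/q?a=1|b=2|Referrer -|Forwarded_for -|"
          "Elapsed_Time 359|Bytes 8756|Request_Size 2057|MYEND|")

def labels_from_format(fmt):
    """Return the label of every 'Label %token' segment, in order."""
    return [seg.split(" ", 1)[0] for seg in fmt.split("|") if " %" in seg]

def parse_custom(line, labels, terminator="MYEND"):
    """Split a line into (default_prefix, {label: value}); None if no custom block."""
    start = line.find(labels[0] + " ")
    end = line.rfind("|" + terminator + "|")
    if start < 0 or end < start:
        return None  # truncated line or a different log format
    tail = line[start:end]
    hits, pos = [], 0
    for label in labels:
        # A label counts only at the start of the block or right after a pipe,
        # so pipes inside URL or cookie values do not split a field.
        m = re.compile(r"(?:^|\|)" + re.escape(label) + r"(?= |\||$)").search(tail, pos)
        if m:  # labels absent from the line are skipped
            hits.append((label, m.start(), m.end()))
            pos = m.end()
    fields = {}
    for i, (label, _, vstart) in enumerate(hits):
        vend = hits[i + 1][1] if i + 1 < len(hits) else len(tail)
        fields[label] = tail[vstart:vend].strip() or None  # empty value -> None
    return line[:start].rstrip(), fields

if __name__ == "__main__":
    prefix, fields = parse_custom(SAMPLE, labels_from_format(FORMAT))
    for name, value in fields.items():
        print(f"{name:20} {value}")
```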