Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1207
Views
0
Helpful
3
Replies

Log Subscription Custom Fields Issue

brian-maher
Level 1
Level 1

‎04-27-2012 12:15 PM

Good day.

We currently use the IronPort S670.  In the the Log Subscription, section, we are trying to get a custom Log Subscription that uses the Access Logs.

Bellow is I have inputed in the Custum Fields area of the Log Subscription:

Date %v|Time %V|Unix_TimeStamp %t|Client_IP %a|Client_Source_Port %F|Destination_Port %p|Source_IP %k|Source_Hostname %d|Source_CPU_Name %N|Request_URI %U|Full_URL %Y|Cookie_Header %C|Referrer %<Referrer:|Forwarded_for %f|Elapsed_Time %e|Bytes %B|Request_Size %q|MYEND|

                  

I do get all the fields and the format I requested in my log files, however, my issue is that is adds the default logs to it it as well. 

Sample of log file output: In bold, the custom fields I requested, the rest before, is the default log output.


1335539582.805 359 10.159.56.158 TCP_CLIENT_REFRESH_MISS/200 6699 POST http://ca.mg5.mail.yahoo.com- DIRECT/ca.mg5.mail.yahoo.com text/plain DEFAULT_CASE_11-PHAC_Access-PHAC_Access-NONE-NONE-NONE-DefaultGroup <IW_mail,-,"1","-",-,-,-,"1","-",-,-,-,"-","1",-,"-","-",-,-,IW_mail,-,"-","-","Yahoo Mail","Webmail","Unknown","-",149.28,0,-,"-","-"> - Date 2012-04-27|Time 15:13:02|Unix_TimeStamp 1335539582.805|Client_IP 10.159.56.158|Client_Source_Port 4934|Destination_Port 80|Source_IP 98.136.145.154|Source_Hostname ca.mg5.mail.yahoo.com|Source_CPU_Name ca.mg5.mail.yahoo.com|Request_URI ws/mail/v2.0/js?|Full_URL http://ca.mg5.mail.yahoo.com/ "Cookie: B=0nlkn2p7dairm&b=4&d="|Referrer -|Forwarded_for -|Elapsed_Time 359|Bytes 8756|Request_Size 2057|MYEND|

Is there a way to have the custom log subscriptions, to only show the custom fields selected?

Thank you for all your assistance.

Cheers

Labels:
0 Helpful
3 Replies 3

Ken Stieers
VIP
VIP

‎04-27-2012 12:28 PM

To be clear, you want an AccessLogs subscription, but with none of the defaults, correct?

If you use a W3C log instead of an accces logs, you can pick which fields you can use, so you could remove them all, and just add the ones you want using the custom fields.

I'd try creating a new log subscription, pick W3C Logs as the log type, pull out all of the other log fields and put your string in the Custom Fields box...

Ken

0 Helpful

brian-maher
Level 1
Level 1
In response to Ken Stieers

‎04-27-2012 12:56 PM

You are correct Ken.  I just want my customs and not the defaults.

I've also created a W3C custom to test your theory.   I should know shortly.

Thanks for the advise.

0 Helpful

sfiebran
Cisco Employee
Cisco Employee
In response to brian-maher

‎05-02-2012 11:55 AM

best is to go with a new W3C log subscription and specify each field you require. When you're in the section, you can click on Custom Fields and then choose "Custom Formatting in Access Logs and W3C Logs" to get a full overview of possible tokens.

0 Helpful
Customers Also Viewed These Support Documents