Re: WSA : The user agent and the username are not enclosed in quotes

spacemeb · ‎08-06-2021

Hello,

We have observed the following:

“It has been identified that the following Cisco Ironport device, has wrong log formatting:
drwsasrv01 @ x.x.x.x
More specifically, the user agent and the username are not enclosed in quotes.
<14>Mar 23 17:07:09 x.x.x.x IRONPORT_SYSLOG: Info: x.x.x.x 54989 x.x.x.x 443 2021-03-23 15:07:09 CONNECT tunnel://select-d.openx.net:443/ 2 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 select-d.openx.net 231 - 39 - NONAME\NONAME@AD <"IW_busi",5.0,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_busi",-,"-","Business and Industry","-","Unknown","Unknown","-","-",1.34,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> DECRYPT_WBRS_7-NONAME_VPN_decryption-AD_Profile-NONE-NONE-NONE-DefaultGroup-NONE -
Furthermore, it was also identified that the "proxy referer" is not logged on this device.”

Have you any idea what we should troubleshoot first?

Thanks

spacemeb · ‎08-07-2021

anyone?

fw_mon · ‎10-19-2021

Hello @spacemeb

still experiencing the problem? Does it applied to all log events or on small part only?

amojarra · ‎05-17-2022

@spacemeb

If the issue is still there:

[1] Kindly advise, if you are viewing these logs from Syslog server or WSA CLI > grep

[2] is this issue for all access logs or some of them

[3] please let us know if the Anonymization is checked in the Access log or not?