Cisco Web Security Appliance S690 User Guide
AsyncOS 8.5 for Cisco Web Security Appliances User Guide
Chapter 20 Monitor System Activity Through Logs
Access Log Files
The following text is an example access log file entry for a single transaction:
1278096903.150 97 172.xx.xx.xx TCP_MISS/200 8187 GET http://my.site.com/ - DIRECT/my.site.com text/plain DEFAULT_CASE_11-AccessOrDecryptionPolicy-Identity-OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-RoutingPolicy <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e"> -

| Format Specifier | Field Value | Field Description |
|---|---|---|
| %t | 1278096903.150 | Timestamp since UNIX epoch. |
| %e | 97 | Elapsed time (latency) in milliseconds. |
| %a | 172.xx.xx.xx | Client IP address. Note: You can choose to mask the IP address in the access logs using the advancedproxyconfig > authentication CLI command. |
| %w | TCP_MISS | Transaction result code. For more information, see |
| %h | 200 | HTTP response code. |
| %s | 8187 | Response size (headers + body). |
| %2r | GET http://my.site.com/ | First line of the request. Note: When the first line of the request is for a native FTP transaction, some special characters in the file name are URL encoded in the access logs. For example, the “@” symbol is written as “%40” in the access logs. The following characters are URL encoded: & # % + , : ; = @ ^ { } [ ] |
| %A | - | Authenticated username. Note: You can choose to mask the username in the access logs using the advancedproxyconfig > authentication CLI command. |
| %H | DIRECT | Code that describes which server was contacted to retrieve the request content. Most common values include: • NONE. The Web Proxy had the content, so it did not contact any other server to retrieve the content. • DIRECT. The Web Proxy went to the server named in the request to get the content. • DEFAULT_PARENT. The Web Proxy went to its primary parent proxy or an external DLP server to get the content. |
| %d | my.site.com | Data source or server IP address. |
| %c | text/plain | Response body MIME type. |
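
The fields described above can be extracted from an entry with a short parser, which is useful when feeding access logs into detection or triage tooling. This is an added example, not code from the Cisco guide: the function and key names are hypothetical, and it assumes single-space separators and a username without spaces, leaving the policy group and the angle-bracket block unparsed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# The entry shown on this page, joined into one line (straight quotes).
SAMPLE = (
    '1278096903.150 97 172.xx.xx.xx TCP_MISS/200 8187 GET http://my.site.com/ - '
    'DIRECT/my.site.com text/plain DEFAULT_CASE_11-AccessOrDecryptionPolicy-Identity-'
    'OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-RoutingPolicy '
    '<IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-",'
    '"Unknown","Unknown","-","-",198.34,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,'
    '"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e"> -'
)

# One named group per documented specifier; assumes single-space separators
# and a username without spaces (assumptions of this example).
LINE_RE = re.compile(
    r'^(?P<t>\d+\.\d+) (?P<e>\d+) (?P<a>\S+) '
    r'(?P<w>[^/\s]+)/(?P<h>\d+) (?P<s>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) (?P<A>\S+) '
    r'(?P<H>[^/\s]+)/(?P<d>\S+) (?P<c>\S+)(?: (?P<rest>.*))?$'
)

def parse_access_line(line):
    """Return a dict of the documented fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    return {
        "time_utc": datetime.fromtimestamp(float(f["t"]), tz=timezone.utc).isoformat(),
        "latency_ms": int(f["e"]),                      # %e
        "client_ip": f["a"],                            # %a, may be masked
        "result_code": f["w"],                          # %w
        "http_status": int(f["h"]),                     # %h
        "response_bytes": int(f["s"]),                  # %s
        "method": f["method"],                          # %2r, first token
        "url": f["url"],                                # %2r, second token
        "url_decoded": unquote(f["url"]),               # display only: %40 -> @
        "user": None if f["A"] == "-" else f["A"],      # %A, "-" means none logged
        "hierarchy": f["H"],                            # %H
        "server": f["d"],                               # %d
        "mime_type": f["c"],                            # %c
        "rest": f["rest"] or "",                        # policy group and verdict block
    }

if __name__ == "__main__":
    for key, value in parse_access_line(SAMPLE).items():
        print(f"{key}: {value}")
```

Keep the raw `url` for matching and correlation; `url_decoded` is only for reading file names that the appliance percent-encoded.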