Cisco Web Security Appliance S690 User Guide

AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
 
Chapter 16: Prevent Loss of Sensitive Data
Logging of Data Loss Prevention Scanning 
The access logs indicate whether or not an upload request was scanned by either the Cisco Data Security filters or an external DLP server. The access log entries include a field for the Cisco Data Security scan verdict and another field for the External DLP scan verdict.
In addition to the access logs, the Web Security appliance provides the following log file types to troubleshoot Cisco Data Security and External DLP Policies:
• Data Security Logs. Records client history for upload requests that are evaluated by the Cisco Data Security filters.
• Data Security Module Logs. Records messages related to the Cisco Data Security filters.
• Default Proxy Logs. In addition to recording errors related to the Web Proxy, the default proxy logs include messages related to connecting to external DLP servers. This allows you to troubleshoot connectivity or integration problems with external DLP servers.
Note: To learn when data transfer, such as a POST request, to a site was blocked by the external DLP server, search for the IP address or hostname of the DLP server in the access logs.

The following text illustrates a sample Data Security Log entry:

Mon Mar 30 03:02:13 2009 Info: 303 10.1.1.1 - - <<bar,text/plain,5120><foo,text/plain,5120>> BLOCK_WEBCAT_IDS-allowall-DefaultGroup-DefaultGroup-NONE-DefaultRouting ns server.com nc

Field Value                                                              Description
Mon Mar 30 03:02:13 2009 Info:                                           Timestamp and trace level
303                                                                      Transaction ID
10.1.1.1                                                                 Source IP address
-                                                                        User name
-                                                                        Authorized group names
<<bar,text/plain,5120><foo,text/plain,5120>>                             File name, file type, file size for each file uploaded at once
                                                                         Note: This field does not include text/plain files that are less than the
                                                                         configured minimum request body size, the default of which is 4096 bytes.
BLOCK_WEBCAT_IDS-allowall-DefaultGroup-DefaultGroup-NONE-DefaultRouting  Cisco Data Security policy and action
ns                                                                       Web reputation score
server.com                                                               Outgoing URL
nc                                                                       URL category
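
An added example, not taken from the Cisco guide: a Python parser for the Data Security Log layout described in the field list above, useful for pulling blocked uploads out of a log file. It assumes the user and group fields contain no spaces, that the action tag is the part of the policy field before the first hyphen, and that tags beginning with BLOCK mean the upload was blocked; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Field order follows the guide's field table; whitespace-free fields are an assumption.
ENTRY = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): "
    r"(?P<txn>\d+) (?P<src_ip>\S+) (?P<user>\S+) (?P<groups>\S+) "
    r"<(?P<files>(?:<[^<>]*>)*)> "
    r"(?P<policy>\S+) (?P<wbrs>\S+) (?P<url>\S+) (?P<category>\S+)$"
)

def parse_entry(line):
    """Return a dict for one Data Security Log line, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        files = []
        for item in re.findall(r"<([^<>]*)>", rec["files"]):
            # rsplit keeps commas that belong to the file name itself
            name, mime, size = item.rsplit(",", 2)
            files.append({"name": name, "type": mime, "size": int(size)})
    except ValueError:
        return None  # malformed timestamp or file triple
    rec["txn"] = int(rec["txn"])
    # Per the guide, small text/plain bodies (default < 4096 bytes) never appear here.
    rec["files"] = files
    # Assumption: the action tag is the text before the first hyphen.
    rec["action"] = rec["policy"].split("-", 1)[0]
    return rec

def blocked_uploads(lines):
    """Entries whose action tag starts with BLOCK (assumed naming convention)."""
    parsed = (parse_entry(line) for line in lines)
    return [r for r in parsed if r and r["action"].startswith("BLOCK")]

SAMPLE = [
    # Sample entry from the guide
    "Mon Mar 30 03:02:13 2009 Info: 303 10.1.1.1 - - "
    "<<bar,text/plain,5120><foo,text/plain,5120>> "
    "BLOCK_WEBCAT_IDS-allowall-DefaultGroup-DefaultGroup-NONE-DefaultRouting ns server.com nc",
    # Constructed entries (not from the guide)
    "Mon Mar 30 03:05:40 2009 Info: 304 10.1.1.2 jdoe Staff "
    "<<q1,report.csv,text/csv,8192>> "
    "DEFAULT_CASE-allowall-DefaultGroup-DefaultGroup-NONE-DefaultRouting 5.0 example.com nc",
    "Mon Mar 30 03:06:01 2009 Warning: truncated line",
]

if __name__ == "__main__":
    for rec in blocked_uploads(SAMPLE):
        print(rec["ts"].isoformat(), rec["src_ip"], rec["url"], rec["action"], rec["files"])
```

Lines that do not match the layout return None rather than raising, so unparsed lines can be counted separately when reviewing a full log.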