Cisco Cisco Web Security Appliance S360 Guía Del Usuario
A-15
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Logging Problems
•
•
Custom URL Categories Not Appearing in Access Log Entries
When a web access policy group has a custom URL category set to Monitor and some other component,
such as the Web Reputation Filters or the DVS engine, makes the final decision to allow or block a
request for a URL in the custom URL category, then the access log entry for the request shows the
predefined URL category instead of the custom URL category.
such as the Web Reputation Filters or the DVS engine, makes the final decision to allow or block a
request for a URL in the custom URL category, then the access log entry for the request shows the
predefined URL category instead of the custom URL category.
Logging HTTPS Transactions
HTTPS transactions in the access logs appear similar to HTTP transactions, but with slightly different
characteristics. What gets logged depends on whether the transaction was explicitly sent or transparently
redirected to the HTTPS Proxy:
characteristics. What gets logged depends on whether the transaction was explicitly sent or transparently
redirected to the HTTPS Proxy:
•
TUNNEL. This gets written to the access log when the HTTPS request was transparently redirected
to the HTTPS Proxy.
to the HTTPS Proxy.
•
CONNECT. This gets written to the access log when the HTTPS request was explicitly sent to the
HTTPS Proxy.
HTTPS Proxy.
When HTTPS traffic is decrypted, the access logs contain two entries for a transaction:
•
TUNNEL or CONNECT depending on the type of request processed.
•
The HTTP Method and the decrypted URL. For example, “GET https://ftp.example.com”.
The full URL is only visible when the HTTPS Proxy decrypts the traffic.
Alert: Unable to Maintain the Rate of Data Being Generated
AsyncOS for Web sends a critical email message to the configured alert recipients when the internal
logging process drops web transaction events due to a full buffer.
logging process drops web transaction events due to a full buffer.
By default, when the Web Proxy experiences a very high load, the internal logging process buffers events
to record them later when the Web Proxy load decreases. When the logging buffer fills completely, the
Web Proxy continues to process traffic, but the logging process does not record some events in the access
logs or in the Web Tracking report. This might occur during a spike in web traffic.
to record them later when the Web Proxy load decreases. When the logging buffer fills completely, the
Web Proxy continues to process traffic, but the logging process does not record some events in the access
logs or in the Web Tracking report. This might occur during a spike in web traffic.
However, a full logging buffer might also occur when the appliance is over capacity for a sustained
period of time. AsyncOS for Web continues to send the critical email messages every few minutes until
the logging process is no longer dropping data.
period of time. AsyncOS for Web continues to send the critical email messages every few minutes until
the logging process is no longer dropping data.
The critical message contains the following text:
Reporting Client: The reporting system is unable to maintain the rate of data being
generated. Any new data generated will be lost.
If AsyncOS for Web sends this critical message continuously or frequently, the appliance might be over
capacity. Contact Cisco Customer Support to verify whether or not you need additional Web Security
appliance capacity.
capacity. Contact Cisco Customer Support to verify whether or not you need additional Web Security
appliance capacity.