Cisco Web Security Appliance S170 User Guide

AsyncOS 8.6 for Cisco Web Security Appliances User Guide
 
Chapter 20 Monitor System Activity Through Logs
Access Log Files
Transaction Result Codes
Transaction result codes in the access log file describe how the appliance resolves client requests. For example, if a request for an object can be resolved from the cache, the result code is TCP_HIT. However, if the object is not in the cache and the appliance pulls the object from an origin server, the result code is TCP_MISS. The following table describes transaction result codes.
ACL Decision Tags
An ACL decision tag is a field in an access log entry that indicates how the Web Proxy handled the 
transaction. It includes information from the Web Reputation filters, URL categories, and the scanning 
engines.
Format Specifier: %Xr
Field Value: <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e">
Field Description: Scanning verdict information. Inside the angled brackets, the access logs include verdict information from various scanning engines. For more information about the values included within the angled brackets, see .

Format Specifier: %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.
Field Value: -
Field Description: Suspect user agent.
Result Code              Description
TCP_HIT                  The object requested was fetched from the disk cache.
TCP_IMS_HIT              The client sent an IMS (If-Modified-Since) request for an object and the object was found in the cache. The proxy responds with a 304 response.
TCP_MEM_HIT              The object requested was fetched from the memory cache.
TCP_MISS                 The object was not found in the cache, so it was fetched from the origin server.
TCP_REFRESH_HIT          The object was in the cache, but had expired. The proxy sent an IMS (If-Modified-Since) request to the origin server, and the server confirmed that the object has not been modified. Therefore, the appliance fetched the object from either the disk or memory cache.
TCP_CLIENT_REFRESH_MISS  The client sent a “don’t fetch response from cache” request by issuing the ‘Pragma: no-cache’ header. Due to this header from the client, the appliance fetched the object from the origin server.
TCP_DENIED               The client request was denied due to Access Policies.
UDP_MISS                 The object was fetched from the origin server.
NONE                     There was an error in the transaction. For example, a DNS failure or gateway timeout.
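
As an added example (not from the Cisco guide), the Python below groups access log lines by the result codes in the table above, pulls out the ACL decision tag, and splits the %Xr verdict block into fields for triage. The overall line layout, the EXAMPLE_TAG value, the short verdict blocks and the sample lines are assumptions constructed for illustration; only the result codes, the two suspect-user-agent tags and the long %Xr value come from this page.

```python
import csv
import re
from collections import Counter
# Result codes from the table above, grouped by how the request was resolved.
RESULT_CLASS = {"TCP_HIT": "cache", "TCP_IMS_HIT": "cache", "TCP_MEM_HIT": "cache",
                "TCP_REFRESH_HIT": "cache", "TCP_MISS": "origin", "UDP_MISS": "origin",
                "TCP_CLIENT_REFRESH_MISS": "origin", "TCP_DENIED": "denied", "NONE": "error"}
# ASSUMED line layout (not given on this page): epoch, elapsed ms, client IP,
# RESULT_CODE/HTTP status, ..., ACL decision tag, <%Xr verdict block>, trailer.
LINE_RE = re.compile(r"^\S+\s+\S+\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d+)\s"
                     r".*?(?P<acl>\S+)\s+<(?P<xr>.*)>")

def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # %Xr is comma-separated with double-quoted strings, so read it as CSV:
    # a quoted value such as a file name may itself contain a comma.
    verdicts = next(csv.reader([m["xr"]]))
    return {"client": m["client"], "code": m["code"], "status": int(m["status"]),
            "class": RESULT_CLASS.get(m["code"], "unknown"),
            "acl": m["acl"], "verdicts": verdicts}

def summarize(lines):
    """Count transactions per class and list denied or failed ones for review."""
    counts, flagged = Counter(), []
    for rec in map(parse_line, lines):
        cls = rec["class"] if rec else "unparsed"
        counts[cls] += 1
        if cls in ("denied", "error"):
            flagged.append((rec["client"], rec["code"], rec["acl"]))
    return counts, flagged

# %Xr value copied from this page; everything else in SAMPLE is constructed.
XR = ('<IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-",'
      '"Unknown","Unknown","-","-",198.34,0,-,[Local],"-",37,"W32.CiscoTestVector",'
      '33,0,"WSA-INFECTED-FILE.pdf",'
      '"fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e">')
HEAD = "1700000000.1 97 192.0.2.10 "
SAMPLE = [
    HEAD + "TCP_DENIED/403 0 GET http://example.com/a.pdf - NONE/- - EXAMPLE_TAG " + XR + " -",
    HEAD + 'TCP_MISS/200 8187 GET http://example.com/b - DIRECT/example.com text/html MONITOR_SUSPECT_USER_AGENT <IW_comp,"report, final.pdf"> -',
    HEAD + 'NONE/503 0 GET http://example.com/c - NONE/- - EXAMPLE_TAG <-,"-"> -',
    HEAD + "TCP_MEM_HIT/200 512 GET http://example.com/d - NONE/- text/css EXAMPLE_TAG <-> -",
    "truncated line",
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```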