Cisco Web Security Appliance S170 User Guide

24-26
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 24      Logging
W3C Compliant Access Logs
  • BLOCK_AMW_RESP_11-AccessPol. This transaction matched the “AccessPol” Access Policy group, and due to the settings defined in that policy group, the server response was blocked because malware was detected.
  • 3.0 in the angled brackets. The URL received a Web Reputation Score of 3.0, which fell in the score range to scan further.
  • 24 in the angled brackets. The malware scanning verdict that Webroot passed to the DVS engine, which corresponds to Trojan Phisher.
  • “Trojan-Phisher-Gamec”. The name of the malware that Webroot detected in the scan.
W3C Compliant Access Logs
The Web Security appliance provides two different log types for recording Web Proxy transaction information: the access logs and the W3C access logs. The W3C access logs are W3C compliant and record transaction history in the W3C Extended Log File (ELF) Format.
You can create multiple W3C access log subscriptions and define the data to include in each. You might want to create one W3C access log that includes all information your organization typically needs, and other, specialized W3C access logs that can be used for troubleshooting purposes or special analysis. For example, you might want to create a W3C access log for an HR manager who only needs access to certain information.
Consider the following rules and guidelines when working with W3C access logs:
  • You define what data is recorded in each W3C access log subscription.
  • The W3C logs are self-describing. The file format (list of fields) is defined in a header at the start of each log file.
  • Fields in the W3C access logs are separated by white space.
  • If a field contains no data for a particular entry, a hyphen ( - ) is written to the log file instead.
  • Each line in the W3C access log file relates to one transaction, and each line is terminated by an LF sequence.
  • When defining a W3C access log subscription, you can choose from a list of predefined log fields or enter a custom log field. For more information, see 
  • If you want to use a third-party log analyzer tool to read and parse the W3C access logs, you might need to include the “timestamp” field. The timestamp W3C field records the time as seconds since the UNIX epoch, and most log analyzers only understand time in this format.
  • If you want to copy the log fields included in a W3C access log in their order, use the logconfig > edit CLI command. The CLI displays the log fields in order, from which you can copy and then paste them into a separate Web Security appliance web interface.
W3C Log File Headers
Each W3C log file contains header text at the beginning of the file. Each header line starts with the # character and provides information about the Web Security appliance that created the log file. The W3C log file headers also include the file format (list of fields), making the log file self-describing.
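The rules above (# header lines, a self-describing field list, white-space separated fields, a hyphen for missing data, one transaction per LF-terminated line, and a timestamp in seconds since the UNIX epoch) are enough to write a small reader for these files. The following Python script is an added example for this guide, not code shipped with the appliance; the sample log text is constructed, and the field names in it other than "timestamp" (c-ip, cs-method, cs-url, x-resultcode-httpstatus, sc-bytes, cs-username) are assumed for illustration rather than taken from the appliance's predefined field list.

```python
"""Reader for a W3C Extended Log File (ELF) formatted access log.

Added example. The log text below is constructed; only the 'timestamp'
field name comes from the guide, the other field names are assumptions.
"""
import datetime
from typing import Dict, List, Optional, Tuple

Record = Dict[str, Optional[str]]

# Constructed sample: '#' directives first, then one transaction per line.
# '#Fields:' makes the file self-describing; '-' marks a field with no data.
SAMPLE_LOG = """#Version: 1.0
#Date: 2012-01-01 00:00:00
#Software: Web Security appliance (constructed sample header)
#Fields: timestamp c-ip cs-method cs-url x-resultcode-httpstatus sc-bytes cs-username
1325376000 10.0.0.5 GET http://example.com/index.html TCP_MISS/200 1234 jdoe
1325376001 10.0.0.6 GET http://example.com/download.exe BLOCK_AMW_RESP_11-AccessPol/403 - -
1325376002 10.0.0.5 CONNECT example.net:443 TCP_MISS/200 5678 -
"""


def parse_w3c_log(text: str) -> Tuple[Dict[str, str], List[Record]]:
    """Parse ELF text into (header directives, list of transaction records).

    - Lines starting with '#' are header directives of the form '#Name: value'.
    - The '#Fields:' directive names the columns; later data lines must match it.
    - Data fields are white-space separated; a lone '-' becomes None.
    """
    directives: Dict[str, str] = {}
    fields: List[str] = []
    records: List[Record] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            name, value = name.strip(), value.strip()
            directives[name] = value
            if name == "Fields":
                fields = value.split()
            continue
        if not fields:
            raise ValueError(f"line {lineno}: data line before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            # A column-count mismatch means a field contained unencoded white
            # space or the header changed; refuse rather than mis-assign columns.
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(parts)}"
            )
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, parts)})
    return directives, records


def epoch_to_iso(value: str) -> str:
    """Render the 'timestamp' field (seconds since the UNIX epoch) as ISO 8601 UTC."""
    ts = int(value)
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ"
    )


def blocked_transactions(records: List[Record]) -> List[Record]:
    """Records whose result code (assumed field name) carries a BLOCK_ decision."""
    return [
        r for r in records
        if (r.get("x-resultcode-httpstatus") or "").startswith("BLOCK_")
    ]


if __name__ == "__main__":
    header, recs = parse_w3c_log(SAMPLE_LOG)
    print("fields:", header["Fields"])
    for r in recs:
        print(epoch_to_iso(r["timestamp"]), r["c-ip"], r["x-resultcode-httpstatus"],
              r["sc-bytes"] if r["sc-bytes"] is not None else "(no data)")
    print("blocked:", [r["cs-url"] for r in blocked_transactions(recs)])
```

Because the field list is read from the `#Fields:` line rather than hard-coded, the same reader works for any subscription you define, whichever predefined or custom fields it includes; the column-count check catches a line that a custom field has pushed out of shape instead of silently shifting values into the wrong columns.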