Cisco Web Security Appliance S690 User Guide

AsyncOS 10.0 for Cisco Web Security Appliances User Guide
 
Chapter 21      Monitor System Activity Through Logs
  Web Proxy Information in Access Log Files
| ACL Decision Tag | Description |
|---|---|
| PASSTHRU_WEBCAT | The Web Proxy passed through the transaction based on URL category filtering settings for the Decryption Policy group. |
| PASSTHRU_WBRS | The Web Proxy passed through the transaction based on the Web Reputation filter settings for the Decryption Policy group. |
| REDIRECT_CUSTOMCAT | The Web Proxy redirected the transaction to a different URL based on a custom URL category in the Access Policy group configured to “Redirect.” |
| SAAS_AUTH | The Web Proxy allowed the user access to the application because the user was authenticated transparently against the authentication realm configured in the Application Authentication Policy. |
| OTHER | The Web Proxy did not complete the request due to an error, such as an authorization failure, server disconnect, or an abort from the client. |

Interpreting Access Log Scanning Verdict Entries

The access log file entries aggregate and display the results of the various scanning engines, such as URL filtering, Web Reputation filtering, and anti-malware scanning. The appliance displays this information in angled brackets at the end of each access log entry.

The following text is the scanning verdict information from an access log file entry. In this example, the Webroot scanning engine found the malware:

<IW_infr,ns,24,"Trojan-Phisher-Gamec",0,354385,12559,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_infr,-,"Trojan Phisher","-","Unknown","Unknown","-","-",489.73,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e">

Note: For an example of a whole access log file entry, see 

Each element in this example corresponds to a log-file format specifier as shown in the following table:

| Position | Field Value | Format Specifier | Description |
|---|---|---|---|
| 1 | IW_infr | %XC | The custom URL category assigned to the transaction, abbreviated. This field shows “nc” when no category is assigned. |
| 2 | ns | %XW | Web Reputation filters score. This field either shows the score as a number, “ns” for no score, or “dns” when there is a DNS lookup error. |
| 3 | 24 | %Xv | The malware scanning verdict Webroot passed to the DVS engine. Applies to responses detected by Webroot only. For more information, see |
| 4 | "Trojan-Phisher-Gamec" | "%Xn" | Name of the spyware that is associated with the object. Applies to responses detected by Webroot only. |
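
An added example (not from the Cisco guide): a Python parser for the scanning verdict block that names positions 1 through 4 as the table above describes them and keeps the remaining positions by index only, since this page does not describe them. The function and key names are illustrative, and treating "-" as an empty field is an assumption.

```python
import csv
import re

# Positions 1-4 of the verdict block, named after the table above. Later
# positions stay index-only in "raw" because this page does not describe them.
FIELDS = ["url_category", "wbrs", "webroot_verdict", "webroot_spyware_name"]
VERDICT_RE = re.compile(r"<([^<>]*)>\s*$")  # angle-bracket block at end of entry

# Verdict block copied from the example on this page, joined onto one line.
SAMPLE = ('<IW_infr,ns,24,"Trojan-Phisher-Gamec",0,354385,12559,-,"-",-,-,-,"-",'
          '-,-,"-","-",-,-,IW_infr,-,"Trojan Phisher","-","Unknown","Unknown",'
          '"-","-",489.73,0,-,[Local],"-",37,"W32.CiscoTestVector",33,0,'
          '"WSA-INFECTED-FILE.pdf",'
          '"fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e">')


def parse_verdict_block(entry):
    """Parse the trailing <...> block of an access log entry; None if absent."""
    m = VERDICT_RE.search(entry)
    if m is None:
        return None
    # Undo line wrapping and typographic quotes picked up from copy/paste.
    text = re.sub(r"\s*[\r\n]+\s*", "", m.group(1))
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    raw = next(csv.reader([text]))  # csv keeps commas inside quoted values
    out = dict(zip(FIELDS, raw), raw=raw)
    if len(raw) < len(FIELDS):
        return out  # truncated block: return what is there, uninterpreted
    # %XC: "nc" means no custom URL category was assigned.
    if out["url_category"] == "nc":
        out["url_category"] = None
    # %XW: a number, "ns" (no score) or "dns" (DNS lookup error).
    wbrs = out.pop("wbrs")
    status = {"ns": "no_score", "dns": "dns_lookup_error"}.get(wbrs, "scored")
    try:
        out["wbrs_score"] = float(wbrs) if status == "scored" else None
    except ValueError:
        out["wbrs_score"], status = None, "unrecognised"
    out["wbrs_status"] = status
    # %Xv / %Xn (Webroot only). Assumption, not stated on this page: "-" = empty.
    for key in ("webroot_verdict", "webroot_spyware_name"):
        if out[key] == "-":
            out[key] = None
    return out


if __name__ == "__main__":
    print(parse_verdict_block(SAMPLE))
```

The regular expression anchors on the end of the entry, so it picks up the verdict block whatever fields precede it on the line.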