Cisco Web Security Appliance S360 User Guide

AsyncOS 10.0 for Cisco Web Security Appliances User Guide
 
Appendix A      Troubleshooting
  Logging Problems
Custom URL Categories Not Appearing in Access Log Entries
When a web access policy group has a custom URL category set to Monitor and some other component, 
such as the Web Reputation Filters or the DVS engine, makes the final decision to allow or block a 
request for a URL in the custom URL category, then the access log entry for the request shows the 
predefined URL category instead of the custom URL category. 
Logging HTTPS Transactions
HTTPS transactions in the access logs appear similar to HTTP transactions, but with slightly different 
characteristics. What gets logged depends on whether the transaction was explicitly sent or transparently 
redirected to the HTTPS Proxy:
• TUNNEL. This gets written to the access log when the HTTPS request was transparently redirected to the HTTPS Proxy.
• CONNECT. This gets written to the access log when the HTTPS request was explicitly sent to the HTTPS Proxy.
When HTTPS traffic is decrypted, the access logs contain two entries for a transaction:
• TUNNEL or CONNECT depending on the type of request processed.
• The HTTP Method and the decrypted URL. For example, “GET https://ftp.example.com”.
The full URL is only visible when the HTTPS Proxy decrypts the traffic.
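The pairing described above can be checked when reviewing access logs. The following Python is an added example, not part of the Cisco guide: it groups entries per client and host, labels each HTTPS session as transparent (TUNNEL) or explicit (CONNECT), and records whether a decrypted entry with a full URL followed. The sample lines are constructed, and the Squid-style field order, the tunnel:// URL form, and the helper names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample lines. The Squid-style field order (time, elapsed, client,
# result, bytes, method, URL, ...) and the tunnel:// URL form are assumptions.
SAMPLE_LOG = """\
1700000000.100 120 10.0.0.5 TCP_MISS/200 0 CONNECT tunnel://ftp.example.com:443/ - DIRECT/ftp.example.com -
1700000000.250 80 10.0.0.5 TCP_MISS/200 5120 GET https://ftp.example.com/files/report.pdf - DIRECT/ftp.example.com application/pdf
1700000001.000 300 10.0.0.9 TCP_MISS/200 0 TUNNEL tunnel://mail.example.net:443/ - DIRECT/mail.example.net -
1700000002.500 45 10.0.0.7 TCP_MISS/200 900 GET http://www.example.org/ - DIRECT/www.example.org text/html
"""

# First-entry keyword -> how the request reached the HTTPS Proxy.
MODES = {"TUNNEL": "transparent", "CONNECT": "explicit"}


def new_record(client, host, mode):
    """Hypothetical helper: one record per HTTPS session."""
    return {"client": client, "host": host, "mode": mode,
            "decrypted": False, "urls": []}


def classify_https(log_text):
    """Pair each TUNNEL/CONNECT entry with the decrypted entries that follow it."""
    sessions = {}   # (client, host) -> most recent session record
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, method, url = fields[2], fields[5], fields[6]
        host = urlsplit(url).hostname
        if method in MODES:
            rec = new_record(client, host, MODES[method])
            sessions[(client, host)] = rec
            results.append(rec)
        elif url.lower().startswith("https://"):
            rec = sessions.get((client, host))
            if rec is None:
                # Decrypted entry whose first entry is not in this extract.
                rec = new_record(client, host, "unknown")
                sessions[(client, host)] = rec
                results.append(rec)
            rec["decrypted"] = True
            rec["urls"].append(url)
    return results


if __name__ == "__main__":
    for rec in classify_https(SAMPLE_LOG):
        print(rec)
```

Sessions reported with decrypted set to False are the ones for which the log holds no full URL.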
Alert: Unable to Maintain the Rate of Data Being Generated
AsyncOS for Web sends a critical email message to the configured alert recipients when the internal 
logging process drops web transaction events due to a full buffer.
By default, when the Web Proxy experiences a very high load, the internal logging process buffers events 
to record them later when the Web Proxy load decreases. When the logging buffer fills completely, the 
Web Proxy continues to process traffic, but the logging process does not record some events in the access 
logs or in the Web Tracking report. This might occur during a spike in web traffic.
However, a full logging buffer might also occur when the appliance is over capacity for a sustained 
period of time. AsyncOS for Web continues to send the critical email messages every few minutes until 
the logging process is no longer dropping data.
The critical message contains the following text:
Reporting Client: The reporting system is unable to maintain the rate of data being 
generated. Any new data generated will be lost.
 
If AsyncOS for Web sends this critical message continuously or frequently, the appliance might be over 
capacity. Contact Cisco Customer Support to verify whether or not you need additional Web Security 
appliance capacity.