Logs Explanation
This is an ELFF format with custom strings of:
******************************************************
date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-
method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query
cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-
Type) cs(User-Agent) sc-filter-result cs-category x-virus-id s-ip s-
sitename******************************************************
example:
2013-11-07 01:01:11 1 10.10.10.10 304 TCP_HIT 320 894 GET http http://www.martugbo.com 80 /plugins/tt/tt.php ?src=photos/ce3ccf9cc6cfbbea1bce22547f35b950.jpg&w=86&h=56&zc=1&media=1 jon_do USER_Group\WWU-IA-StandardAccess Unknown 10.10.40.66 image/jpeg “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; xs-q__ic9-390M;iwOfva; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; xs-q__ic9-390M;iwOfva)” OBSERVED “none” – 10.10.10.10 SG-HTTP-Service php http://www.marktugbo.com/Fotos/view/id:113-Rheinterrassen+K%C3%B6ln/picture:122/
******************************************************
Explanation:
cs-ip IP address of the destination of the client’s connection(proxy ip address)
c-ip IP address of the client
c-port Source port used by the client
r-ip IP address from the outbound server URL
r-port Port from the outbound server URL
s-ip IP address of the appliance on which the client established its connection(proxy)
s-port Port of the appliance on which the client established its connection(proxy.port)
******************************************************
Common Actions
ALLOWED An FTP method (other than the data transfer method) is successful.
DENIED Policy denies a method.
FAILED An error or failure occurred
TUNNELED Successful data transfer operation.
TCP_AUTH_HIT The requested object requires upstre am authentication, and was served
from the cache.
TCP_AUTH_MISS The requested object requires upstream authentication, and was not
served from the cache
TCP_DENIED Access to the requested object was denied by a filter.
TCP_ERR_MISS An error occurred while retrieving
the object from the origin server.
TCP_HIT A valid copy of the requested object was in the cache
TCP_MEM_HIT The requested object was, in its entirety, in RAM.
TCP_MISS The requested object was not in the cache.
TCP_NC_MISS The object returned from the origin server was non-cacheable
TCP_TUNNELED The CONNECT method was used to tunnel this request (generally
proxied HTTPS).
******************************************************
marktugbo.com 