Tools: ELFF Format Explanation

Logs Explanation

This is an ELFF format with custom strings of:
date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-
method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query
cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-
Type) cs(User-Agent) sc-filter-result cs-category x-virus-id s-ip s-
2013-11-07 01:01:11 1 304 TCP_HIT 320 894 GET http  80 /plugins/tt/tt.php ?src=photos/ce3ccf9cc6cfbbea1bce22547f35b950.jpg&w=86&h=56&zc=1&media=1 jon_do USER_Group\WWU-IA-StandardAccess Unknown image/jpeg “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; xs-q__ic9-390M;iwOfva; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; xs-q__ic9-390M;iwOfva)” OBSERVED “none” – SG-HTTP-Service php
cs-ip IP address of the destination of the client’s connection(proxy ip address)
c-ip IP address of the client
c-port Source port used by the client
r-ip IP address from the outbound server URL
r-port  Port from the outbound server URL
s-ip  IP address of the appliance on which the client established its connection(proxy)
s-port  Port of the appliance on which the client established its connection(proxy.port)

Common Actions
ALLOWED An FTP method (other than the data transfer method) is successful.
DENIED Policy denies a method.
FAILED An error or failure occurred
TUNNELED Successful data transfer operation.
TCP_AUTH_HIT The requested object requires upstre am authentication, and was served
from the cache.
TCP_AUTH_MISS  The requested object requires upstream authentication, and was not
served from the cache
TCP_DENIED Access to the requested object was denied by a filter.
TCP_ERR_MISS An error occurred while retrieving
the object from the origin server.
TCP_HIT  A valid copy of the requested object was in the cache
TCP_MEM_HIT The requested object was, in its entirety, in RAM.
TCP_MISS The requested object was not in the cache.
TCP_NC_MISS The object returned from the origin server was non-cacheable
TCP_TUNNELED The CONNECT method was used to tunnel this request (generally
proxied HTTPS).


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s