Web Prevent Diagnostics and Troubleshooting

Article ID: 159426

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

Web Prevent Diagnostics and Troubleshooting

Resolution

In DLP 9, supportability enhancements were added to Network Prevent for Web. They introduce new log files and a protocol trace facility that make troubleshooting of the ICAP integration considerably easier.

Operational Log

This file is located in the Vontu/Protect/logs folder and is named WebPrevent_OperationalX.log, where X is the rotation index (0, 1, 2, ...).

The number of files retained and their maximum size can be changed in FileReaderLogging.properties by adjusting these values:

com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
com.vontu.icap.log.IcapOperationalLogHandler.count = 5

Every message written to the operational log carries a defined Category and Code that map to a concrete meaning. Messages are formatted as:

Date and Time [Log Level] (Event Code) Event description

The tables below document the defined operational logging events for each Category. Note: the parameters in the event text (italicised in the original article) are shown here as placeholder names such as conn_id; the log contains the actual values.

Operational events

Code   Text / Description
1100   Starting Web Prevent
1101   Shutting down Web Prevent

Connectivity events

Code   Text / Description

1200   Listening for incoming connections at icap_bind_address:icap_bind_port
       icap_bind_address is the address on which Web Prevent listens for ICAP connections. It is set in the Advanced Settings field Icap.BindAddress.
       icap_bind_port is the port on which the server listens. It is set on the Server -> Configure page.

1201   Connection (id=conn_id) opened from host(icap_client_ip:icap_client_port)
       icap_client_ip and icap_client_port are the proxy's IP address and source port from which the connection to Web Prevent was made.
       conn_id is the connection ID allocated to this connection. It is useful for correlating entries across the operational log, the access log (conn_id field) and the protocol trace files (named timestamp-conn_id).

1202   Connection (id=conn_id) closed(close_reason)
       conn_id is the connection ID allocated when the connection was opened (see event 1201).
       close_reason gives the reason the connection was closed.

1203   Connection stat: REQMOD=no_reqmod, RESPMOD=no_respmod, OPTIONS=no_options, OTHERS=no_others.
       This message reports the system state in terms of connection management. It is logged whenever a connection is opened or closed. If the internal health check is disabled (Icap.DisableHealthCheck set to true), the connection stat is printed every five minutes.
       no_reqmod, no_respmod, no_options and no_others are the numbers of connections in each state at the time the message was logged.

Connectivity errors

Code   Text / Description

5200   Failed to create listener at icap_bind_address:icap_bind_port
       icap_bind_address is the address on which Web Prevent tried to listen. It is set in the Advanced Settings field Icap.BindAddress.
       icap_bind_port is the port on which the server tried to listen. It is set on the Server -> Configure page. A 5200 at startup usually means the address is not configured on the host or the port is already in use.

5201   Connection rejected from unauthorized host(host_ip:host_port)
       host_ip and host_port are the IP address and source port of the system that attempted to connect to Web Prevent. That host is not listed in Icap.AllowHosts in Advanced Settings, so it is not permitted to establish a connection. Repeated 5201 events from a host that is supposed to be a proxy mean Icap.AllowHosts is incomplete (a new proxy node, or a proxy whose address is translated before it reaches Web Prevent); 5201 events from any other host are worth investigating, since only the ICAP proxies should ever reach this port.
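The following is an added example, not part of the original article or of the product: a small Python analyser for the operational log that tracks connection lifecycle by conn_id across the 1201/1202 events, collects 5200 listener failures and 5201 rejections, and cross-checks every accepted peer (1201) against the Icap.AllowHosts value you pass in. The sample log lines, the timestamp layout and the allow_hosts argument are constructed assumptions; the article only specifies the "Date and Time [Log Level] (Event Code) description" shape, so the parser relies only on the bracketed level and the parenthesised code.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed line layout, from the article's description
# "Date and Time [Log Level] (Event Code) Event description".
# The timestamp format is an assumption; only [LEVEL] and (CODE) are relied on.
OP_LINE = re.compile(r"^(?P<ts>.+?)\s+\[(?P<level>\w+)\]\s+\((?P<code>\d+)\)\s+(?P<msg>.*)$")

# Parameter patterns for the connectivity events and errors documented above.
CONN_OPEN = re.compile(r"Connection \(id=(?P<conn>\d+)\) opened from host\((?P<ip>[^:)]+):(?P<port>\d+)\)")
CONN_CLOSE = re.compile(r"Connection \(id=(?P<conn>\d+)\) closed\((?P<reason>[^)]*)\)")
REJECTED = re.compile(r"Connection rejected from unauthorized host\((?P<ip>[^:)]+):(?P<port>\d+)\)")
LISTEN_FAIL = re.compile(r"Failed to create listener at (?P<addr>\S+):(?P<port>\d+)")

# Constructed sample log; not captured from a real system.
OPERATIONAL_SAMPLE = """\
13/Aug/2008 03:11:22 [INFO] (1100) Starting Web Prevent
13/Aug/2008 03:11:22 [INFO] (1200) Listening for incoming connections at 10.0.0.5:1344
13/Aug/2008 03:11:30 [INFO] (1201) Connection (id=1) opened from host(10.0.0.20:41522)
13/Aug/2008 03:11:30 [INFO] (1203) Connection stat: REQMOD=1, RESPMOD=0, OPTIONS=0, OTHERS=0.
13/Aug/2008 03:12:01 [WARNING] (5201) Connection rejected from unauthorized host(192.168.7.9:50122)
13/Aug/2008 03:12:05 [INFO] (1201) Connection (id=2) opened from host(10.0.0.21:41600)
(continuation line that does not match the event format)
13/Aug/2008 03:15:44 [INFO] (1202) Connection (id=1) closed(client closed connection)
13/Aug/2008 03:15:44 [INFO] (1203) Connection stat: REQMOD=1, RESPMOD=0, OPTIONS=0, OTHERS=0.
"""


def parse_operational_line(line: str) -> Optional[Dict]:
    """Split one line into timestamp, level, numeric code and message; None if it is not an event line."""
    m = OP_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"ts": m["ts"], "level": m["level"], "code": int(m["code"]), "msg": m["msg"]}


def analyze_operational_log(lines: Iterable[str], allow_hosts: Iterable[str]) -> Dict:
    """Single pass over the log.

    allow_hosts is an assumed input: the Icap.AllowHosts list as configured in
    Advanced Settings. A 1201 from a peer outside it means the allow list in the
    log does not match what you believe is configured, which is worth a look."""
    allowed = set(allow_hosts)
    open_conns: Dict[int, Tuple[str, int]] = {}          # still open at end of log
    closed: Dict[int, Tuple[Optional[Tuple[str, int]], str]] = {}
    rejected: List[Tuple[str, int]] = []                 # 5201 peers
    listener_failures: List[Tuple[str, int]] = []        # 5200 bind addresses
    accepted_outside_allowlist: List[Tuple[int, str]] = []
    unparsed = 0

    for line in lines:
        ev = parse_operational_line(line)
        if ev is None:
            unparsed += 1
            continue
        code, msg = ev["code"], ev["msg"]
        if code == 1201 and (m := CONN_OPEN.search(msg)):
            cid, ip, port = int(m["conn"]), m["ip"], int(m["port"])
            open_conns[cid] = (ip, port)
            if ip not in allowed:
                accepted_outside_allowlist.append((cid, ip))
        elif code == 1202 and (m := CONN_CLOSE.search(msg)):
            cid = int(m["conn"])
            # peer is None if the open event was rotated out of this file
            closed[cid] = (open_conns.pop(cid, None), m["reason"])
        elif code == 5201 and (m := REJECTED.search(msg)):
            rejected.append((m["ip"], int(m["port"])))
        elif code == 5200 and (m := LISTEN_FAIL.search(msg)):
            listener_failures.append((m["addr"], int(m["port"])))

    return {
        "open_conns": open_conns,
        "closed": closed,
        "rejected": rejected,
        "listener_failures": listener_failures,
        "accepted_outside_allowlist": accepted_outside_allowlist,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = analyze_operational_log(OPERATIONAL_SAMPLE.splitlines(), allow_hosts=["10.0.0.20"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real WebPrevent_Operational0.log with `open(path)` in place of the sample and the proxies' addresses in allow_hosts; connections that stay in open_conns across a long window are the ones to match up with the proxy side, and anything in rejected that is not a known proxy is an unexpected client on the ICAP port.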

Access Log

This file is located in the Vontu/Protect/logs folder and is named WebPrevent_AccessX.log, where X is the rotation index (0, 1, 2, ...).

The number of files retained and their maximum size can be changed in FileReaderLogging.properties by adjusting these values:

com.vontu.icap.log.IcapAccessLogHandler.limit = 5000000
com.vontu.icap.log.IcapAccessLogHandler.count = 5

The access log is similar to the access log of a web proxy, which a proxy administrator should already be used to reading. It has its own field layout, and a description of that layout is written to the log at every successful start of Web Prevent.

The description looks like this:

# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid

# Web Prevent starting: start_time (start_time format will be: 13/Aug/2008:03:11:22:015-0700)

A field that appears in quotes in the description line is written in quotes in the log entries. When a value could not be determined for a request, the field holds - (unquoted fields) or "" (quoted fields).

Field                 Explanation
host_ip               end host that made the request
auth_user             authenticated user for this request
time_stamp            time the request was received by Web Prevent (request arrival time)
request_line          the HTTP request line (method, URL and protocol version)
icap_status_code      ICAP response code sent by Web Prevent for this request
request_size          request size in bytes
referer               Referer header value from the request
user_agent            User-Agent header value from the request
processing_time(ms)   request processing time in milliseconds; includes receiving, content inspection and sending
conn_id               connection ID associated with the request
client_ip             IP address of the ICAP client (the proxy)
client_port           port of the ICAP client (the proxy)
action_code           integer representing the action taken by Web Prevent
icap_method_code      integer representing the ICAP method associated with this request
traffic_source_code   identifies the traffic source as Tablet, Web or Unknown
msg_uid               unique message identifier associated with the request

Note:
action_code and icap_method_code are integer values; their interpretation is defined in IcapActionType.java and IcapMethod.java respectively and is summarised below.

action_code   Interpretation
0             UNKNOWN
1             ALLOW
2             BLOCK
3             REDACT
4             ERROR
5             ALLOW_WITHOUT_INSPECTION
6             OPTIONS_RESPONSE
7             REDIRECT

icap_method_code   Interpretation
-1                 ILLEGAL
0                  OPTIONS
1                  REQMOD
2                  RESPMOD
3                  LOG
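The following is an added example, not code from the original article or from the product: a Python parser for the access log format described above (the "# host_ip ..." description line, the field table and the two code tables). It tokenises quoted and unquoted fields, rejects lines with the wrong field count instead of silently shifting columns, decodes action_code and icap_method_code with the tables above, and provides two filters a troubleshooter typically wants: requests Web Prevent actually enforced on, and requests whose processing time exceeded a threshold. The sample log lines are constructed, not captured; it is also assumed that time_stamp contains no spaces, matching the start_time format the article shows. traffic_source_code is left as a raw integer because the article documents no numeric mapping for it.

```python
import re
from typing import Dict, List, Optional

# Code tables as documented for IcapActionType.java and IcapMethod.java.
ACTION_CODES = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
                5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
METHOD_CODES = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}
ENFORCED = {"BLOCK", "REDACT", "REDIRECT"}  # actions that changed what the user got

# Field order from the "# host_ip ..." description line written at startup.
FIELDS = ["host_ip", "auth_user", "time_stamp", "request_line", "icap_status_code",
          "request_size", "referer", "user_agent", "processing_time_ms", "conn_id",
          "client_ip", "client_port", "action_code", "icap_method_code",
          "traffic_source_code", "msg_uid"]
INT_FIELDS = {"icap_status_code", "request_size", "processing_time_ms", "conn_id",
              "client_port", "action_code", "icap_method_code", "traffic_source_code"}

# A field is either a double-quoted string (may contain spaces, "" when unknown)
# or a run of non-space characters ("-" when unknown).
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample; ICAP status 204 means "no modification", 200 carries a
# modified request/response (for example a block page). Assumed, not captured.
ACCESS_SAMPLE = """\
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid
# Web Prevent starting: 13/Aug/2008:03:11:22:015-0700
10.1.2.3 "jdoe" 13/Aug/2008:03:12:01:233-0700 "POST http://upload.example.com/submit HTTP/1.1" 200 52310 "http://upload.example.com/form" "Mozilla/5.0 (Windows NT 6.1)" 184 1 10.0.0.20 41522 2 1 1 8f1e2d3c
10.1.2.4 "" 13/Aug/2008:03:12:03:010-0700 "GET http://www.example.com/ HTTP/1.1" 204 0 "" "curl/7.19.7" 3 1 10.0.0.20 41522 5 1 1 -
10.1.2.5 "asmith" 13/Aug/2008:03:12:09:771-0700 "POST http://mail.example.net/send HTTP/1.1" 200 10240 "-" "Mozilla/5.0 (iPad)" 2950 2 10.0.0.21 41600 3 1 2 a1b2c3d4
- "" 13/Aug/2008:03:12:10:000-0700 "" 200 0 "" "" 1 2 10.0.0.21 41600 6 0 0 -
"""


def tokenize(line: str) -> List[str]:
    """Split one access-log line into its fields, stripping the quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]


def parse_access_line(line: str) -> Optional[Dict]:
    """Return one record, or None for the '#' description/startup lines.
    Raises ValueError on a wrong field count rather than mis-assigning columns."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    tokens = tokenize(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    rec = dict(zip(FIELDS, tokens))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    rec["action"] = ACTION_CODES.get(rec["action_code"], f"UNDOCUMENTED({rec['action_code']})")
    rec["icap_method"] = METHOD_CODES.get(rec["icap_method_code"],
                                          f"UNDOCUMENTED({rec['icap_method_code']})")
    # traffic_source_code stays a raw integer: no mapping is documented.
    return rec


def parse_access_log(text: str) -> List[Dict]:
    return [r for r in (parse_access_line(raw) for raw in text.splitlines()) if r is not None]


def enforced_requests(records: List[Dict]) -> List[Dict]:
    """Requests Web Prevent blocked, redacted or redirected: the first thing to
    check when a user reports that an upload or post was stopped."""
    return [r for r in records if r["action"] in ENFORCED]


def slow_requests(records: List[Dict], threshold_ms: int) -> List[Dict]:
    """Requests whose receive+inspect+send time exceeded threshold_ms: the usual
    suspects when the proxy reports ICAP timeouts."""
    return [r for r in records if r["processing_time_ms"] > threshold_ms]


if __name__ == "__main__":
    recs = parse_access_log(ACCESS_SAMPLE)
    for r in enforced_requests(recs):
        print(f"{r['action']:8} {r['host_ip']:10} {r['auth_user'] or '-':8} {r['request_line']} uid={r['msg_uid']}")
    for r in slow_requests(recs, 1000):
        print(f"slow: conn={r['conn_id']} {r['processing_time_ms']} ms {r['request_line']}")
```

When working a real case, replace ACCESS_SAMPLE with the contents of WebPrevent_Access0.log and pivot on conn_id: the same value appears in the operational log's 1201/1202 events and in the name of the protocol trace file for that connection.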

Protocol Debug Logs

There are times when it is important to see exactly what Web Prevent received from the proxy and what it sent back. This can be enabled from the Enforce console:

  • Go to the Advanced Settings of the Web Prevent detection server, set Icap.EnableTrace to true and enter the folder the traces should be written to in the Icap.TraceFolder field.
  • Ensure that the user account the services run as (typically "protect") has read and write access to the folder specified in Icap.TraceFolder.
  • After saving the changes, recycle (restart) the server.

The traces are written to the Icap.TraceFolder, one file per connection, named timestamp-conn_id. The first line of a trace file gives the connecting host's IP address and port together with a timestamp. Data read from the wire is introduced by a line of the form "<< timestamp no_of_bytes_read" and data written to the wire by a line of the form ">> timestamp no_of_bytes_written". The last line reports that the connection was closed.

NOTE: Tracing generates a very large amount of data; make sure there is plenty of free disk space in the file system holding the trace folder. The trace files also contain the full content of every request and response in clear text, including the sensitive data Web Prevent was inspecting and any credentials, cookies or session tokens carried in the HTTP headers. Restrict access to the trace folder to the service account and the administrators doing the troubleshooting, set Icap.EnableTrace back to false as soon as the traces have been captured, and delete the files once they are no longer needed.

For comprehensive logging of ICAP communications, change the following in FileReaderLogging.properties and restart the VontuMonitor service. The commented-out lines keep the previous values so they can be restored afterwards; FINEST-level logging is very verbose, so revert to them once troubleshooting is complete:

#java.util.logging.FileHandler.limit = 5000000
java.util.logging.FileHandler.limit = 10000000
#java.util.logging.FileHandler.count = 8
java.util.logging.FileHandler.count = 25
#java.util.logging.FileHandler.level = FINER
java.util.logging.FileHandler.level = FINEST

# added for troubleshooting ICAP
com.vontu.icap.level = FINEST