Web Prevent Diagnostics and Troubleshooting
Article ID: 159426

Products

Data Loss Prevention; Data Loss Prevention Network Monitor and Prevent for Web

Issue/Introduction

Web Prevent Diagnostics and Troubleshooting.

Resolution

Network Prevent for Web creates several log files that should help with troubleshooting.

Operational Log

This file is located in the main logs directory, e.g.,

\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs

By default, it has the name WebPrevent_OperationalX.log (where X is a number 0,1,2,...).

The number of files kept and their maximum size can be changed in FileReaderLogging.properties by adjusting these values:

com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
com.vontu.icap.log.IcapOperationalLogHandler.count = 5

All messages delivered to the facility have a defined Category and Code that map to a concrete meaning. Messages are generally formatted as:

Date and Time [Log Level] (Event Code) Event description

The tables below document the defined operational logging data for each Category. Note: the parameter names in the message text (icap_bind_address, conn_id, and so on; italicized in the original) are event parameters, replaced with event-specific values in the logged message.

 

Operational events

Code   Text / Description
1100   Starting Web Prevent
1101   Shutting down Web Prevent

 

Connectivity events

Code   Text / Description

1200   Listening for incoming connections at icap_bind_address:icap_bind_port
       icap_bind_address is the Web Prevent bind address on which the server listens. It can be set in the Advanced Settings field Icap.BindAddress.
       icap_bind_port is the port on which the server listens. It is set on the Server > Configure page.

1201   Connection (id=conn_id) opened from host(icap_client_ip:icap_client_port)
       icap_client_ip and icap_client_port are the proxy's IP address and port from which the connection to Web Prevent was made.
       conn_id is the connection ID allocated to this connection. It is useful for correlating entries across multiple logs.

1202   Connection (id=conn_id) closed(close_reason)
       conn_id is the connection ID allocated to this connection. It is useful for correlating entries across multiple logs.
       close_reason is the reason the connection was closed.

1203   Connection stat: REQMOD=no_reqmod, RESPMOD=no_respmod, OPTIONS=no_options, OTHERS=no_others.
       This message reports the system state in terms of connection management. It is logged whenever a connection is opened or closed. If the internal health check is disabled (Icap.DisableHealthCheck set to true), the connection stat is printed every five minutes.
       no_reqmod, no_respmod, no_options and no_others are the numbers of connections in each state at the time the message was logged.

 

Connectivity errors

Code   Text / Description

5200   Failed to create listener at icap_bind_address:icap_bind_port
       icap_bind_address is the Web Prevent bind address on which the server listens. It can be set in the Advanced Settings field Icap.BindAddress.
       icap_bind_port is the port on which the server listens. It is set on the Server > Configure page.

5201   Connection rejected from unauthorized host(host_ip:host_port)
       host_ip and host_port are the IP address and port of the system that attempted to connect to Web Prevent. The host is not listed in Icap.AllowHosts in Advanced Settings and is unable to establish a connection.
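As an added example (not part of this article and not the product's own code), the following Python script parses operational log lines in the "Date and Time [Log Level] (Event Code) Event description" layout, classifies each code by the categories above, correlates 1201/1202 open and close events by conn_id, keeps the most recent 1203 connection stat, and counts 5201 rejections per source host, which is the event to watch when a system that is not in Icap.AllowHosts keeps trying to reach the ICAP listener. The sample lines, the exact timestamp layout and the level names are constructed assumptions; the message texts follow the tables above.

```python
import re
from collections import Counter

# Constructed sample of a WebPrevent_Operational log. Timestamp layout and
# level names are assumptions; message texts follow the event tables.
SAMPLE_OPERATIONAL_LOG = """\
2021-05-04 09:15:02.117 [INFO] (1100) Starting Web Prevent
2021-05-04 09:15:02.540 [INFO] (1200) Listening for incoming connections at 10.0.0.10:1344
2021-05-04 09:15:10.002 [INFO] (1201) Connection (id=17) opened from host(10.0.0.2:51234)
2021-05-04 09:15:10.003 [INFO] (1203) Connection stat: REQMOD=1, RESPMOD=0, OPTIONS=0, OTHERS=0.
2021-05-04 09:16:41.781 [WARNING] (5201) Connection rejected from unauthorized host(192.0.2.77:60012)
2021-05-04 09:16:55.300 [WARNING] (5201) Connection rejected from unauthorized host(192.0.2.77:60013)
2021-05-04 09:20:00.000 [INFO] (1202) Connection (id=17) closed(Proxy closed connection)
2021-05-04 09:20:00.001 [INFO] (1203) Connection stat: REQMOD=0, RESPMOD=0, OPTIONS=0, OTHERS=0.
"""

# Event code ranges as documented in the category tables.
CATEGORIES = (
    (1100, 1199, "Operational events"),
    (1200, 1299, "Connectivity events"),
    (5200, 5299, "Connectivity errors"),
)

LINE_RE = re.compile(r"^(?P<ts>.+?)\s+\[(?P<level>[^\]]+)\]\s+\((?P<code>\d+)\)\s+(?P<desc>.*)$")
CONN_ID_RE = re.compile(r"\(id=(?P<id>\d+)\)")
HOST_RE = re.compile(r"host\((?P<ip>[^:()]+):(?P<port>\d+)\)")
CLOSE_RE = re.compile(r"closed\((?P<reason>[^)]*)\)")
STAT_RE = re.compile(r"(REQMOD|RESPMOD|OPTIONS|OTHERS)=(\d+)")


def category_for(code):
    """Map an event code onto the category its range belongs to."""
    for low, high, name in CATEGORIES:
        if low <= code <= high:
            return name
    return "Unknown"


def parse_operational_line(line):
    """Split one 'Date and Time [Log Level] (Event Code) description' line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"))
    return {"timestamp": m.group("ts"), "level": m.group("level"), "code": code,
            "category": category_for(code), "description": m.group("desc")}


def analyze_operational_log(text):
    """Correlate open/close events per conn_id, track the last stat and rejected hosts."""
    connections = {}          # conn_id -> opened_from / closed / close_reason
    unauthorized = Counter()  # source ip -> number of 5201 rejections
    codes = Counter()
    last_stat = {}
    for raw in text.splitlines():
        ev = parse_operational_line(raw)
        if ev is None:
            continue
        codes[ev["code"]] += 1
        desc = ev["description"]
        if ev["code"] == 1201:    # connection opened by the proxy
            cid = int(CONN_ID_RE.search(desc).group("id"))
            host = HOST_RE.search(desc)
            connections[cid] = {"opened_from": f"{host.group('ip')}:{host.group('port')}",
                                "closed": False, "close_reason": None}
        elif ev["code"] == 1202:  # connection closed, with the reason in parentheses
            cid = int(CONN_ID_RE.search(desc).group("id"))
            entry = connections.setdefault(cid, {"opened_from": None, "closed": False, "close_reason": None})
            entry["closed"] = True
            entry["close_reason"] = CLOSE_RE.search(desc).group("reason")
        elif ev["code"] == 1203:  # snapshot of connections per ICAP method
            last_stat = {name: int(n) for name, n in STAT_RE.findall(desc)}
        elif ev["code"] == 5201:  # source host is not in Icap.AllowHosts
            unauthorized[HOST_RE.search(desc).group("ip")] += 1
    return {"codes": dict(codes), "connections": connections,
            "unauthorized_hosts": dict(unauthorized), "last_stat": last_stat,
            "open_connections": [cid for cid, c in connections.items() if not c["closed"]]}


if __name__ == "__main__":
    report = analyze_operational_log(SAMPLE_OPERATIONAL_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Connections that appear in the "open_connections" list after the log has been read were opened but never closed, which is the first thing to compare against the REQMOD/RESPMOD counts in the latest connection stat when a proxy reports hung ICAP sessions.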

 

Access Log

This file is located in the main logs directory, e.g.,

\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs

By default, it has the name WebPrevent_AccessX.log (where X is a number 0,1,2,...).

The number of files kept and their maximum size can be changed in FileReaderLogging.properties by adjusting these values:

com.vontu.icap.log.IcapAccessLogHandler.limit = 5000000
com.vontu.icap.log.IcapAccessLogHandler.count = 5

The access log is similar to the web access logs a proxy administrator is used to reading. It has a specific message format, and a description of that format is written to the log at every successful start of the Web Prevent service.

The description looks as follows:

# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid

# Web Prevent starting: start_time (start_time format will be: 13/Aug/2008:03:11:22:015-0700)

A field shown in quotes in the format description line is written in quotes in log messages. When a field's value cannot be determined for a request, it is written with the default value - or "".

Field                  Explanation
host_ip                end host that made the request
auth_user              authorized user for this request
time_stamp             time when the request was received by Web Prevent (request arrival time)
request_line           line representing the request
icap_status_code       ICAP response code sent by Web Prevent for this request
request_size           request size in bytes
referer                Referer header value from the request
user_agent             user agent associated with the request
processing_time(ms)    request processing time in milliseconds (ms); the value includes receiving + content inspection + sending time
conn_id                connection ID associated with the request
client_ip              IP address of the ICAP client (proxy)
client_port            port of the ICAP client (proxy)
action_code            an integer representing the action taken by Web Prevent
icap_method_code       an integer representing the ICAP method associated with this request
traffic_source_code    identifies the traffic source as Tablet/Web/Unknown
msg_uid                unique message identifier associated with the request

Note:
action_code and icap_method_code are integer values; their interpretation can be found in IcapActionType.java and IcapMethod.java respectively.

 

action_code value   Interpretation
0                   UNKNOWN
1                   ALLOW
2                   BLOCK
3                   REDACT
4                   ERROR
5                   ALLOW_WITHOUT_INSPECTION
6                   OPTIONS_RESPONSE
7                   REDIRECT

icap_method_code    Interpretation
-1                  ILLEGAL
0                   OPTIONS
1                   REQMOD
2                   RESPMOD
3                   LOG
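As an added example (not the product's own code and not part of this article), this Python parser reads the access log format described above: it keeps the quoted fields together (including empty "" values), treats - and "" as undetermined values, maps action_code and icap_method_code to the names in the two tables, skips the "#" description lines written at startup, and summarises enforcement actions per end host together with the slowest request. The sample log lines are constructed; the integer values behind traffic_source_code are not given in the article, so that field is kept as the raw integer.

```python
import re
from collections import Counter

# Code tables from the article (IcapActionType.java / IcapMethod.java).
ACTION_CODES = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
                5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
ICAP_METHOD_CODES = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}

# Field order from the format description line the service writes at startup.
FIELDS = ("host_ip", "auth_user", "time_stamp", "request_line", "icap_status_code",
          "request_size", "referer", "user_agent", "processing_time_ms", "conn_id",
          "client_ip", "client_port", "action_code", "icap_method_code",
          "traffic_source_code", "msg_uid")
NUMERIC = ("icap_status_code", "request_size", "processing_time_ms", "conn_id",
           "client_port", "action_code", "icap_method_code")

# Constructed sample: hosts, UIDs, sizes and timings are made up for this example.
SAMPLE_ACCESS_LOG = """\
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid
# Web Prevent starting: 13/Aug/2008:03:11:22:015-0700
10.0.0.21 "-" 13/Aug/2008:03:12:01:104-0700 "POST http://files.example.test/upload HTTP/1.1" 200 48213 "http://files.example.test/" "Mozilla/5.0" 118 17 10.0.0.2 51234 2 1 1 4f1c9e2a
10.0.0.22 "jdoe" 13/Aug/2008:03:12:02:377-0700 "GET http://intranet.example.test/ HTTP/1.1" 204 0 "" "Mozilla/5.0" 3 17 10.0.0.2 51234 1 1 1 4f1c9e2b
10.0.0.21 "-" 13/Aug/2008:03:12:05:900-0700 "POST http://files.example.test/upload HTTP/1.1" 200 7302 "" "" 64 18 10.0.0.2 51240 3 2 1 4f1c9e2c
- "" - "" 200 0 "" "" 1 19 10.0.0.2 51241 6 0 0 -
"""

# A token is either a double-quoted string (possibly empty) or a run of non-space characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split on whitespace while keeping quoted fields such as the request line intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def parse_access_line(line):
    """Return one access record as a dict, or None for blank and '#' description lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = tokenize(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    rec = dict(zip(FIELDS, tokens))
    for key, value in list(rec.items()):
        if value in ("-", ""):      # documented defaults for an undetermined field
            rec[key] = None
    for key in NUMERIC:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["action"] = ACTION_CODES.get(rec["action_code"], "UNKNOWN")
    rec["icap_method"] = ICAP_METHOD_CODES.get(rec["icap_method_code"], "ILLEGAL")
    return rec


def summarize(text):
    """Count actions, enforcement decisions per end host, and find the slowest request."""
    records = [r for r in map(parse_access_line, text.splitlines()) if r]
    by_action = Counter(r["action"] for r in records)
    enforced = Counter(r["host_ip"] for r in records
                       if r["action"] in ("BLOCK", "REDACT", "REDIRECT"))
    timed = [r for r in records if r["processing_time_ms"] is not None]
    slowest = max(timed, key=lambda r: r["processing_time_ms"]) if timed else None
    return {"records": len(records), "by_action": dict(by_action),
            "enforced_by_host": dict(enforced),
            "slowest_msg_uid": slowest["msg_uid"] if slowest else None,
            "max_processing_ms": slowest["processing_time_ms"] if slowest else None}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

The conn_id column is the same identifier the operational log prints in its 1201/1202 events, so a record's "conn_id" can be joined to the connection open and close entries when a single proxy session needs to be reconstructed end to end.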

 

Protocol Debug Logs

There are times when it is important to see what content was received by Web Prevent and what it responded with. This can now be done via the Enforce Server console:

  1. In the Advanced Settings of the DLP Web Prevent (detection server), set "Icap.EnableTrace" to true (the default is false).
  2. In the same Advanced Settings, enter the folder location in "Icap.TraceFolder", for example, C:\NPW_Tests.
  3. Create that folder on the DLP Web Prevent (detection server), for example, C:\NPW_Tests.
  4. Ensure that the user ID under which the services run (typically "protect") has rights to read and write to the folder specified in the "Icap.TraceFolder" field.
  5. For comprehensive logging of ICAP communications, change the following in FileReaderLogging.properties (located in C:\Program Files\Symantec\DataLossPrevention\DetectionServer\DLPVersion\Protect\config):

#java.util.logging.FileHandler.limit = 5000000
java.util.logging.FileHandler.limit = 10000000
#java.util.logging.FileHandler.count = 8
java.util.logging.FileHandler.count = 25
#java.util.logging.FileHandler.level = FINER
java.util.logging.FileHandler.level = FINEST

#added for troubleshooting ICAP
com.vontu.icap.level = FINEST

After saving the changes, restart (recycle) the detection server.

The traces are written to the "Icap.TraceFolder", one file per connection, named "timestamp-conn_id". The first line of a trace file records the connecting host's IP address and port along with a timestamp. Data read from the wire follows the format "<< timestamp no_of_bytes_read"; data written to the wire follows the format ">> timestamp no_of_bytes_written". The last line should report the connection being closed.

NOTE: Enabling traces generates a very large amount of data. Make sure a good amount of free disk space is available. Also, the content written to the trace files is in clear text, so it contains whatever the proxy sent for inspection; keep access to the trace folder restricted and delete the trace files once the investigation is complete.

NOTE: After completing tests, remember to revert all changes.