Web Prevent Diagnostics and Troubleshooting.
Network Prevent for Web creates several log files that should help with troubleshooting.
Operational Log
This file is located in the main logs directory, e.g.,
\ProgramData\Symantec\DataLossPrevention\DetectionServer\DLP_version\logs
By default, it has the name WebPrevent_OperationalX.log (where X is a number 0,1,2,...).
One can change the number of files being stored and their sizes in FileReaderLogging.properties. To do so, change these values appropriately:
com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
com.vontu.icap.log.IcapOperationalLogHandler.count = 5
All messages delivered to the facility have a defined Category and Code that map to a concrete meaning. Messages are generally formatted as:
The tables below document the defined operational logging data for each Category. Note: the parameter names in the message text (for example icap_bind_address) are event parameters.
Operational events
Code | Text / Description |
1100 | Starting Web Prevent |
1101 | Shutting down Web Prevent |
Connectivity events
Code | Text / Description |
1200 | Listening for incoming connections at icap_bind_address:icap_bind_port. icap_bind_address is the Web Prevent bind address on which the server listens; it can be set in the Advanced Settings field Icap.BindAddress. icap_bind_port is the port on which the server listens; it is set on the Server > Configure page. |
1201 | Connection (id=conn_id) opened from host(icap_client_ip:icap_client_port). icap_client_ip and icap_client_port are the proxy's IP and port from which the connect operation to Web Prevent was performed. conn_id is the connection id allocated to this connect operation; it is helpful for correlating multiple logs. |
1202 | Connection (id=conn_id) closed(close_reason). conn_id is the connection id allocated to this connect operation; it is helpful for correlating multiple logs. close_reason gives the reason the connection was closed. |
1203 | Connection stat: REQMOD=no_reqmod, RESPMOD=no_respmod, OPTIONS=no_options, OTHERS=no_others. This message reports the system state in terms of connection management. It is logged whenever a connection is opened or closed. If the internal health check is disabled (Icap.DisableHealthCheck set to true), the connection stat is printed every five minutes. no_reqmod, no_respmod, no_options, and no_others are the numbers of connections in each state when the message was logged. |
Connectivity errors
Code | Text / Description |
5200 | Failed to create listener at icap_bind_address:icap_bind_port. icap_bind_address is the Web Prevent bind address on which the server listens; it can be set in the Advanced Settings field Icap.BindAddress. icap_bind_port is the port on which the server listens; it is set on the Server > Configure page. |
5201 | Connection rejected from unauthorized host(host_ip:host_port). host_ip and host_port are the IP and port of the system from which the connect operation to Web Prevent was performed. This host is not listed in Icap.AllowHosts in Advanced Settings and will be unable to form a connection. |
Access Log
This file is located in the main logs directory, e.g.,
\ProgramData\Symantec\DataLossPrevention\DetectionServer\DLP_version\logs
By default, it has the name WebPrevent_AccessX.log (where X is a number 0,1,2,...).
One can change the number of files being stored and their sizes in FileReaderLogging.properties. To do so, change these values appropriately:
com.vontu.icap.log.IcapAccessLogHandler.limit = 5000000
com.vontu.icap.log.IcapAccessLogHandler.count = 5
Access logs are similar to the web access logs that a proxy administrator is (hopefully) used to reviewing. They have a specific message format, and a description of that format is logged at every successful start of the Web Prevent system.
The description should look as follows:
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid
# Web Prevent starting: start_time (start_time format will be: 13/Aug/2008:03:11:22:015-0700)
A field that is listed with quotes in the field description message will have its values listed in quotes in log messages. For a request where a field value could not be determined, the field will contain - or "" as the default value.
Fields | Explanation |
host_ip | end host that made the request |
auth_user | authorized user for this request |
time_stamp | time when the request was received by web prevent (request arrival time) |
request_line | line representing request |
icap_status_code | ICAP response code sent by web prevent for this request |
request_size | request size in bytes |
referer | referer header value from request |
user_agent | user agent associated with the request |
processing_time(ms) | request processing time in milliseconds (ms) - the value includes receiving + content inspection + sending time |
conn_id | connection id associated with the request |
client_ip | ip of the ICAP client (proxy) |
client_port | port of the ICAP client (proxy) |
action_code | an integer representing the action taken by web prevent |
icap_method_code | an integer representing the ICAP method associated with this request |
traffic_source_code | identifies traffic source as Tablet/Web/Unknown |
msg_uid | unique message identifier associated with request |
NOTE: action_code and icap_method_code are integer values, and their interpretation can be found in IcapActionType.java and IcapMethod.java respectively.
action code value | Interpretation |
0 | UNKNOWN |
1 | ALLOW |
2 | BLOCK |
3 | REDACT |
4 | ERROR |
5 | ALLOW_WITHOUT_INSPECTION |
6 | OPTIONS_RESPONSE |
7 | REDIRECT |
icap_method_code | Interpretation |
-1 | ILLEGAL |
0 | OPTIONS |
1 | REQMOD |
2 | RESPMOD |
3 | LOG |
NOTE: traffic_source_code is an integer corresponding to enum values defined in IncidentType.java
traffic_source_code | Interpretation |
0 | TABLET |
1 | NETWORK/WEB |
2 | UNKNOWN |
exclude_reason | Interpretation |
0 | NOT_EXCLUDED |
1 | UNSUPPORTED_METHOD |
2 | NOT_NULL_BODY |
3 | HEALTH_CHECK |
4 | URL_FILTER |
5 | USER_AGENT_FILTER |
6 | LICENSE_CONSTRAINT |
7 | CONTENT_TYPE_FILTER |
8 | REQUEST_SIZE |
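As an added example (not code from the original article or from the product), the following parser reads WebPrevent_Access log lines in the format described above and decodes action_code, icap_method_code and traffic_source_code using the tables above. The sample log content is constructed, and the time_stamp field is assumed to use the same format as start_time.

```python
import re
from collections import Counter

# Field order as given in the format description line written at Web Prevent start.
FIELDS = ["host_ip", "auth_user", "time_stamp", "request_line", "icap_status_code",
          "request_size", "referer", "user_agent", "processing_time_ms", "conn_id",
          "client_ip", "client_port", "action_code", "icap_method_code",
          "traffic_source_code", "msg_uid"]
# Integer codes documented above (IcapActionType.java, IcapMethod.java, IncidentType.java).
ACTION = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
          5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
METHOD = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}
SOURCE = {0: "TABLET", 1: "NETWORK/WEB", 2: "UNKNOWN"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field, or a bare token
# Constructed sample log content (not real traffic); timestamps assume the start_time format.
SAMPLE = """\
# Web Prevent starting: 13/Aug/2008:03:11:22:015-0700
10.1.2.3 "jdoe" 13/Aug/2008:03:12:01:100-0700 "POST http://files.example.test/upload HTTP/1.1" 200 48213 "http://files.example.test/" "Mozilla/5.0" 143 17 10.1.0.9 41122 2 1 1 8f3a
10.1.2.3 "jdoe" 13/Aug/2008:03:12:05:412-0700 "GET http://news.example.test/ HTTP/1.1" 204 512 "" "Mozilla/5.0" 6 17 10.1.0.9 41122 1 1 1 8f3b
10.1.2.7 "-" 13/Aug/2008:03:12:09:000-0700 "POST http://mail.example.test/send HTTP/1.1" 500 - "" "curl/7.68" 30 18 10.1.0.9 41130 4 1 1 8f3c
"""

def _int(value):
    try:
        return int(value)
    except ValueError:  # undetermined fields are logged as - or ""
        return None

def parse_line(line):
    """Parse one access-log line into a dict; comment lines and malformed lines give None."""
    if line.startswith("#"):  # format description and "Web Prevent starting" lines
        return None
    tokens = [bare if bare else quoted for quoted, bare in TOKEN.findall(line)]
    if len(tokens) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    rec["action"] = ACTION.get(_int(rec["action_code"]), "UNKNOWN")
    rec["method"] = METHOD.get(_int(rec["icap_method_code"]), "ILLEGAL")
    rec["source"] = SOURCE.get(_int(rec["traffic_source_code"]), "UNKNOWN")
    return rec

def summarize(lines):
    """Count (host_ip, action) pairs and collect ERROR responses for triage."""
    per_host, errors = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        per_host[(rec["host_ip"], rec["action"])] += 1
        if rec["action"] == "ERROR":
            errors.append((rec["conn_id"], rec["msg_uid"], rec["request_line"]))
    return per_host, errors
```

Call summarize(SAMPLE.splitlines()), or pass an open WebPrevent_AccessX.log file object instead, to get per-host action counts and the conn_id/msg_uid of each ERROR response for correlation with the operational log.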
Protocol Debug Logs
There are times when it is important to see exactly what content Web Prevent received and what it responded with. This can now be done via the Enforce Server console by changing the following logging settings:
#java.util.logging.FileHandler.limit = 5000000
java.util.logging.FileHandler.limit = 10000000
#java.util.logging.FileHandler.count = 8
java.util.logging.FileHandler.count = 25
#java.util.logging.FileHandler.level = FINER
java.util.logging.FileHandler.level = FINEST
#added for troubleshooting ICAP
com.vontu.icap.level = FINEST
After saving the changes, recycle the server.
Trace files are written to the folder configured in Icap.TraceFolder, with file names of the form "timestamp-conn_id". The first line of a trace file gives the connecting host IP and port along with a timestamp. Data read from the wire follows the format "<< timestamp no_of_bytes_read"; data written to the wire follows the format ">> timestamp no_of_bytes_written". The last line reports the connection being closed.
NOTE: The amount of data generated when traces are enabled will be huge. Make sure a good amount of free disk space is available. Also, the content written to the trace files is in clear text.
NOTE: After completing tests, remember to revert all changes.