Web Prevent Diagnostics and Troubleshooting.
Network Prevent for Web creates several log files that should help with troubleshooting.
Operational Log
This file is located in the main logs directory, e.g.,
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
By default, it has the name WebPrevent_OperationalX.log (where X is a number 0,1,2,...).
One can change the number of files being stored and their sizes in FileReaderLogging.properties. To do so, change these values appropriately:
com.vontu.icap.log.IcapOperationalLogHandler.limit = 5000000
com.vontu.icap.log.IcapOperationalLogHandler.count = 5
All messages delivered to the facility have a defined Category and Code that map to a concrete meaning. Messages are generally formatted as:
Date and Time | [Log Level] | (Event Code) | Event description
The tables below document the defined operational logging data for each Category. Note: the italicized parts of the text (placeholder names such as conn_id and icap_bind_address) are event parameters.
Operational events
Code | Text / Description
1100 | Starting Web Prevent
1101 | Shutting down Web Prevent
Connectivity events
Code | Text / Description
1200 | Listening for incoming connections at icap_bind_address:icap_bind_port
1201 | Connection (id=conn_id) opened from host(icap_client_ip:icap_client_port)
1202 | Connection (id=conn_id) closed(close_reason)
1203 | Connection stat: REQMOD=no_reqmod, RESPMOD=no_respmod, OPTIONS=no_options, OTHERS=no_others.
Connectivity errors
Code | Text / Description
5200 | Failed to create listener at icap_bind_address:icap_bind_port
5201 | Connection rejected from unauthorized host(host_ip:host_port)
Access Log
This file is located in the main logs directory, e.g.,
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\logs
By default, it has the name WebPrevent_AccessX.log (where X is a number 0,1,2,...).
One can change the number of files being stored and their sizes in FileReaderLogging.properties. To do so, change these values appropriately:
com.vontu.icap.log.IcapAccessLogHandler.limit = 5000000
com.vontu.icap.log.IcapAccessLogHandler.count = 5
Access logs are similar to the Web Access Logs a proxy admin is used to looking at (hopefully). They have a specific logging message format, and a description of that format is logged at every successful start of the Web Prevent system.
The description should look as follows:
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid
# Web Prevent starting: start_time (start_time format will be: 13/Aug/2008:03:11:22:015-0700)
A field that is listed with quotes in the field description message will have its values quoted in the log messages. For a request where a field value could not be determined, the field holds - or "" as the default value.
Fields | Explanation
host_ip | end host that made the request
auth_user | authorized user for this request
time_stamp | time when the request was received by Web Prevent (request arrival time)
request_line | line representing the request
icap_status_code | ICAP response code sent by Web Prevent for this request
request_size | request size in bytes
referer | Referer header value from the request
user_agent | user agent associated with the request
processing_time(ms) | request processing time in milliseconds (ms); the value includes receiving + content inspection + sending time
conn_id | connection id associated with the request
client_ip | IP of the ICAP client (proxy)
client_port | port of the ICAP client (proxy)
action_code | an integer representing the action taken by Web Prevent
icap_method_code | an integer representing the ICAP method associated with this request
traffic_source_code | identifies the traffic source as Tablet/Web/Unknown
msg_uid | unique message identifier associated with the request
Note: action_code and icap_method_code are integer values; their interpretation can be found in IcapActionType.java and IcapMethod.java respectively.
action code value | Interpretation
0 | UNKNOWN
1 | ALLOW
2 | BLOCK
3 | REDACT
4 | ERROR
5 | ALLOW_WITHOUT_INSPECTION
6 | OPTIONS_RESPONSE
7 | REDIRECT
icap_method_code | Interpretation
-1 | ILLEGAL
0 | OPTIONS
1 | REQMOD
2 | RESPMOD
3 | LOG
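The field order from the format header and the two integer code tables above are enough to parse the access log and pull out the requests Web Prevent actually enforced on. The following Python is an added example written for this page, not Symantec's code: the log excerpt inside it is constructed, the per-request time_stamp is assumed to use the same format the page gives for start_time, and quoted fields are assumed not to contain embedded quotes.

```python
import re
# Code tables as given on the page (IcapActionType.java / IcapMethod.java).
ACTION_CODES = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
                5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
METHOD_CODES = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}
# Field order from the "# host_ip ..." format header Web Prevent logs at startup.
FIELDS = ["host_ip", "auth_user", "time_stamp", "request_line", "icap_status_code",
          "request_size", "referer", "user_agent", "processing_time_ms", "conn_id",
          "client_ip", "client_port", "action_code", "icap_method_code",
          "traffic_source_code", "msg_uid"]
INT_FIELDS = {"icap_status_code", "request_size", "processing_time_ms", "conn_id",
              "client_port", "action_code", "icap_method_code"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted field (may contain spaces) or bare token
# Constructed sample excerpt, not real output; timestamps assume the start_time format.
SAMPLE_LOG = """\
# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid
# Web Prevent starting: 13/Aug/2008:03:11:22:015-0700
10.1.2.3 "jdoe" 13/Aug/2008:03:12:01:100-0700 "POST http://example.com/upload HTTP/1.1" 200 48213 "http://example.com/" "Mozilla/5.0" 215 17 10.1.2.254 44123 2 1 1 4f2a-7c
10.1.2.4 - 13/Aug/2008:03:12:02:300-0700 "GET http://example.com/ HTTP/1.1" 204 512 "" "curl/7.68" 3 17 10.1.2.254 44123 1 1 1 4f2a-7d
10.1.2.254 - 13/Aug/2008:03:12:03:000-0700 "OPTIONS icap://dlp/reqmod ICAP/1.0" 200 0 - - 1 18 10.1.2.254 44124 6 0 0 -
"""

def parse_access_line(line):
    """One access-log record as a dict; None for '#' header and blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    rec = {}
    for name, tok in zip(FIELDS, tokens):
        # '-' and "" are the page's defaults for values Web Prevent could not determine
        rec[name] = None if tok in ("-", "") else int(tok) if name in INT_FIELDS else tok
    rec["action"] = ACTION_CODES.get(rec["action_code"], "UNKNOWN")
    rec["icap_method"] = METHOD_CODES.get(rec["icap_method_code"], "ILLEGAL")
    return rec

def summarize(text):
    """Count records per action and list those Web Prevent blocked, redacted or redirected."""
    counts, enforced = {}, []
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        counts[rec["action"]] = counts.get(rec["action"], 0) + 1
        if rec["action"] in ("BLOCK", "REDACT", "REDIRECT"):
            enforced.append((rec["host_ip"], rec["auth_user"], rec["request_line"], rec["msg_uid"]))
    return counts, enforced
```

Run summarize over a rotated WebPrevent_AccessX.log to get a quick picture of how many requests were allowed without inspection versus blocked, and which msg_uid to look up in the Enforce console for each enforced request.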
Protocol Debug Logs
There are times when it is important to see what content was received by Web Prevent and what it responded with. This can now be done via the Enforce Server console by setting the following logging properties:
#java.util.logging.FileHandler.limit = 5000000
java.util.logging.FileHandler.limit = 10000000
#java.util.logging.FileHandler.count = 8
java.util.logging.FileHandler.count = 25
#java.util.logging.FileHandler.level = FINER
java.util.logging.FileHandler.level = FINEST
#added for troubleshooting ICAP
com.vontu.icap.level = FINEST
After saving the changes, recycle the server.
The traces are written to the "Icap.TraceFolder", one file per connection, named "timestamp-conn_id". The first line of a trace file gives the connecting host IP and port along with a timestamp. Data read from the wire follows the format "<< timestamp no_of_bytes_read", and data written to the wire follows the format ">> timestamp no_of_bytes_written". The last line should report the connection being closed.
NOTE: The amount of data generated when traces are enabled will be huge. Make sure you have a good amount of free disk space available. Also, the content written to the trace files is in clear text (it is the request and response content Web Prevent inspected), so restrict access to the trace folder.
NOTE: After completing the tests, remember to revert all changes.