What is the Webprevent_Access log description

Article ID: 159780

Products

Data Loss Prevention Network Prevent for Web

Issue/Introduction

What is the format of the Webprevent_Access log, and what does each field mean?

Resolution

# host_ip "auth_user" time_stamp "request_line" icap_status_code request_size "referer" "user_agent" processing_time(ms) conn_id client_ip client_port action_code icap_method_code traffic_source_code msg_uid

A field that is listed with quotes in the format line above has its value written in quotes in log messages. When the value of a field could not be determined for a request, the field contains the default value - or "".

Fields Explanation

host_ip              end host that made the request
auth_user            authorized user for this request
time_stamp           time when the request was received by Web Prevent (request arrival time)
request_line         the request line of the HTTP request
icap_status_code     ICAP response code sent by Web Prevent for this request
request_size         request size in bytes
referer              Referer header value from the request
user_agent           user agent associated with the request
processing_time(ms)  request processing time in milliseconds (ms); the value includes receiving + content inspection + sending time
conn_id              connection ID associated with the request
client_ip            IP of the ICAP client (proxy)
client_port          port of the ICAP client (proxy)
action_code          an integer representing the action taken by Web Prevent
icap_method_code     an integer representing the ICAP method associated with this request
traffic_source_code  identifies the traffic source as Tablet/Web/Unknown
msg_uid              unique message identifier associated with the request

Note:
action_code and icap_method_code are integer values and their interpretation can be found in IcapActionType.java and IcapMethod.java respectively.

action_code  Interpretation
0            UNKNOWN
1            ALLOW
2            BLOCK
3            REDACT
4            ERROR
5            ALLOW_WITHOUT_INSPECTION
6            OPTIONS_RESPONSE
7            REDIRECT

icap_method_code  Interpretation
-1                ILLEGAL
0                 OPTIONS
1                 REQMOD
2                 RESPMOD
3                 LOG

traffic_source_code is an integer corresponding to the enum values defined in IncidentType.java.

traffic_source_code  Interpretation
0                    TABLET - for a Tablet Only license
1                    NETWORK - for a Network Prevent for Web Only license
2                    UNKNOWN - for a Network Prevent for Web + Tablet license when the request fails to match the UserAgent / IP range checks. The incident (if generated) will be categorized as Network.
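As an added example, not part of this article or of the product's own code: a Python parser for lines in the format above that tokenizes quoted and unquoted fields, maps the - and "" defaults to None, and decodes action_code, icap_method_code and traffic_source_code using the code tables given here. It assumes time_stamp is written as a single whitespace-free token; the sample lines are constructed, not real log output.

```python
import re
from collections import Counter

# Field order exactly as documented for the Webprevent_Access log (16 fields).
FIELDS = [
    "host_ip", "auth_user", "time_stamp", "request_line", "icap_status_code",
    "request_size", "referer", "user_agent", "processing_time_ms", "conn_id",
    "client_ip", "client_port", "action_code", "icap_method_code",
    "traffic_source_code", "msg_uid",
]
INT_FIELDS = {"icap_status_code", "request_size", "processing_time_ms", "conn_id",
              "client_port", "action_code", "icap_method_code", "traffic_source_code"}
# Code tables as given in the article (IcapActionType / IcapMethod / IncidentType).
ACTION = {0: "UNKNOWN", 1: "ALLOW", 2: "BLOCK", 3: "REDACT", 4: "ERROR",
          5: "ALLOW_WITHOUT_INSPECTION", 6: "OPTIONS_RESPONSE", 7: "REDIRECT"}
ICAP_METHOD = {-1: "ILLEGAL", 0: "OPTIONS", 1: "REQMOD", 2: "RESPMOD", 3: "LOG"}
TRAFFIC_SOURCE = {0: "TABLET", 1: "NETWORK", 2: "UNKNOWN"}
# A token is a double-quoted string (possibly empty) or a run of non-space characters.
# Assumption: time_stamp is written as a single whitespace-free token.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _value(raw, name):
    """Map the '-' and "" placeholders to None; convert numeric fields to int."""
    if raw in ("-", ""):
        return None
    return int(raw) if name in INT_FIELDS else raw


def parse_line(line):
    """Parse one access-log line into a dict and decode the integer codes to names."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    rec = {name: _value(tok, name) for name, tok in zip(FIELDS, tokens)}
    rec["action"] = ACTION.get(rec["action_code"], "UNKNOWN")
    rec["icap_method"] = ICAP_METHOD.get(rec["icap_method_code"], "ILLEGAL")
    rec["traffic_source"] = TRAFFIC_SOURCE.get(rec["traffic_source_code"], "UNKNOWN")
    return rec


def count_actions(lines):
    """Tally decoded actions over many lines, e.g. to track BLOCK/ERROR volume."""
    return Counter(parse_line(ln)["action"] for ln in lines if ln.strip())


# Constructed sample lines (not real log output); all values are illustrative.
SAMPLE = [
    '10.1.2.3 "jdoe" 2024-01-15T10:23:45Z "POST http://files.example.test/upload HTTP/1.1" '
    '200 4096 "" "Mozilla/5.0" 37 12 10.1.2.10 41234 2 1 1 msg-0001',
    '10.1.2.4 - 2024-01-15T10:23:46Z "GET http://www.example.test/ HTTP/1.1" '
    '204 0 "http://www.example.test/" "-" 3 13 10.1.2.10 41235 5 1 2 -',
]
```

A line with the wrong number of fields raises ValueError rather than silently shifting columns, which is the failure mode to watch for when a quoted field contains an unbalanced quote.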