What length can each field in a ProxySG access log go to?


Article ID: 167351


Updated On:


ProxySG Software - SGOS


I want to know ProxySG's accesslog specifications in detail.


Some fields are obvious -- "date" is always YYYY-MM-DD, and "time" is HH:MM:SS. IP addresses are typically IPv4 with a maximum size of 15 characters, but we are also supporting IPv6 now where addresses can be longer (39 characters, or 43 for link-local addresses with interface qualifiers). Integer values are generally,  at the  most,  64 bits, but some of them might be only 32 bits or might even be smaller. For instance, sc-status is generally just a 3-digit number.

Hosts have the usual DNS limits of 255 characters and no more than 63 characters in a label (the pieces between the dots). Ports are limited to 16 bits. Things like methods, schemes, paths, queries, and other header values have no fixed limit, though. It looks like our auth code has a limit of 64 characters on user names and passwords, but,  groups can be much longer -- the number I see in the code at the moment is 512 bytes. Things like exception and virus IDs aren't typically very long in practice, but I don't know of any fixed maximum length.

The Blue Coat Reporter product wants an entire log entry to be less than 24K chars long, and the biggest single field allowed is 8K.

That said, here is a list of the standard fields you see in a "MAIN" type access log, along with their internal “datatypes”.  Some maximums are straightforward, and those are listed,  but fields of type “string” are more complex.  Most strings won’t have a limit beyond the 4-billion+ char,  which is the limit of the datatype. However,  in practice,  they’ll be limited by other factors.  For instance, many of these fields come from the HTTP headers, the sum of which is limited (at least in practice – depending on application) to 8K or less.  

NOTE: Later versions of Proxy increased this limit because of some Kerberos implementations. 

date : "timestamp" - 10 char (YYYY-MM-DD)
time : "timestamp" - 8 char (HH:MM:SS)
time-taken : "unsigned32" - 10 digits
c-ip : "ip" - 15 or 39 chars (depends on if it's IPv4 or IPv6)
cs-username : "string"
cs-auth-group : "string"
x-exception-id : "string"
cs-categoriess-act : "string"
cs(Referer) : "string"
sc-status : "unsigned32" - 10 digits
s-action : "string"
cs-method : "string"
rs(Content-Type) : "string"
cs-uri-scheme : "string"
cs-host : "string"
cs-uri-port : "unsigned32" - 10 digits
cs-uri-path : "string"
cs-uri-query : "string"
cs-uri-extension : "string"
cs(User-Agent) : "string"
sc-filter-result : "string"
s-ip  : "ip" - 15 or 39 chars (depends on if it's IPv4 or IPv6)
sc-bytes : "int64" - 19 digits
cs-bytes : "int64" - 19 digits
x-virus-id : "string