Log formats that can be used with the Reporter client

Article ID: 167360

Products

Reporter

Issue/Introduction

Can I use a streaming log format to send access log information to Reporter, via the Reporter client?

Can I use SSL log format to send access log information to Reporter, via the Reporter client?

Can I use a Custom log format to send access log information to Reporter, via the Reporter client?

I'm configuring my Secure Gateway (SG) appliance to stream logs to my Reporter server, via the Reporter client; what type can I send?

Resolution

The only log formats we support are the Main HTTP and HTTPS types. Sending other types of access logs can crash the Reporter server, and consequently corrupt the database.

To check what type of log your SG is sending, open the logsources.cfg file in a text editor and look for the facility type, as in the example below. The facility values show the different types that were being sent to this Reporter. As you can see, this server had main, SSL, and streaming logs being sent to it, which was causing the server to crash. We only want "main" type logs sent via the Reporter client. The labels matched the type here, but technically Reporter doesn't care about the label.

log_sources = {
  assigned = {
    assigned_16f5fa39194f9f01308da3097802aXXX = {
      ipaddr = "10.10.10.254"
      facility = "main"
      proxy = "1.2.3.4 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 11:17:40"
      database = "database_1b8f9260e96b11de8973f0004d08XXX"
      label = "main"
      type = "sgp"
      state = "enable"
    } # assigned_16f5fa39194f9f01308da3097802aXXX
    assigned_5867e10017c3640131a971811d003ee4 = {
      ipaddr = "10.10.10.254"
      facility = "ssl"
      proxy = "4.3.2.1 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 11:26:26"
      database = "database_1b8f9260e96b11de8973f0004d08XXX"
      label = "ssl"
      type = "sgp"
      state = "enable"
    } # assigned_5867e10017c3640131a971811d003XXX
    assigned_ed0200711733d5443e5db459303be5c1 = {
      ipaddr = "10.10.10.254"
      facility = "streaming"
      proxy = "6.5.4.3 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 14:54:56"
      database = "database_1b8f9260e96b11de8973f0004d088XXX"
      label = "streaming"
      type = "sgp"
      state = "enable"
    } # assigned_ed0200711733d5443e5db459303beXXX
  } # assigned
  templates = ""
  unassigned = ""
} # log_sources
 

NOTE 1: The above configuration file was taken from a Reporter server that was configured to have logs streamed to it via the Reporter client SG feature. Below is an example of how this same file would look if you were pulling the access logs from a local folder. While we don't see the 'facility' option in this file, the result is the same: if we attempt to pull in access logs that are not of the main type, we can potentially crash the Reporter server and corrupt the database.

assigned = {
    assigned_78e70ac0a1df11de9ce4f0004c9098f8 = {
      type = "hfp"
      post = "move"
      process_subdirectories = "false"
      match_compressed = "true"
      state = "disable"
      filename = "*.log"
      label = "UAT"
      database = "database_7d2d34c09d5111de84f6f0004c88e761"
      dirname = "E:/BCRData/SYDN/Inbound"
      move_pathname = "E:/BCRData/Processed"

NOTE 2: You can find this file either in the diagnostics zip file uploaded to the SR, or in the settings folder under the Reporter installation folder.

NOTE 3: SSL MAIN logs are supported, but only using the FTP upload configuration.  For more details please see these other KB articles:

For how to configure the SG to send its access logs up to Reporter via FTP, see: https://support.symantec.com/en_US/search.html?product=&keyword=TECH241121
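
One way to automate the facility check described in the Resolution, as an added example (not Symantec's code): it parses text in the logsources.cfg layout and reports every source whose facility is not "main", ignoring the label, plus sources that carry no facility key at all. The sample configuration, its block names and its path are constructed, and the parser assumes the one-setting-per-line layout shown in the excerpts above.

```python
import re

# Constructed sample in the logsources.cfg layout; names and paths are made up.
SAMPLE_CFG = '''
log_sources = {
  assigned = {
    assigned_aaaa = {
      facility = "main"
      label = "main"
      type = "sgp"
    } # assigned_aaaa
    assigned_bbbb = {
      facility = "ssl"
      label = "main"
      type = "sgp"
    } # assigned_bbbb
    assigned_cccc = {
      type = "hfp"
      label = "UAT"
      dirname = "D:/logs/inbound"
    } # assigned_cccc
  } # assigned
} # log_sources
'''

OPEN = re.compile(r'^\s*(\w+)\s*=\s*\{')
PAIR = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"')

def parse_sources(text):
    """Return {block_name: {key: value}} for each assigned_* block."""
    sources, current = {}, None
    for line in text.splitlines():
        if m := OPEN.match(line):
            current = sources.setdefault(m[1], {}) if m[1].startswith("assigned_") else None
        elif line.lstrip().startswith("}"):
            current = None
        elif current is not None and (m := PAIR.match(line)):
            current[m[1]] = m[2]
    return sources

def audit(text):
    """Return (sources whose facility is not main, sources with no facility key)."""
    unsupported, unknown = {}, []
    for name, kv in parse_sources(text).items():
        if "facility" not in kv:
            unknown.append(name)  # folder-style entry: the config cannot tell the type
        elif kv["facility"] != "main":
            unsupported[name] = kv["facility"]  # the label is deliberately ignored
    return unsupported, unknown
```

To check a real server, pass the contents of its logsources.cfg to audit(); entries returned in the second list have to be verified by inspecting the log files themselves.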