The steps to define the new Access Log follow:
Step 1. Define an Access Log format that contains the following variables:
s-supplier-name - name of the site being accessed.
s-supplier-ip - IP address of the site being accessed.
- Go to: Configuration > Access Logging > Formats.
- Click New.
- Create a format called Attack_format.
- Click Apply.
- Click Edit/view.
- Change the format to the following string:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation s-supplier-name s-supplier-ip
- Click Apply.
Step 2. Next, create a log that uses Attack_format as its format.
- Go to: Configuration > Access Logging > Logs.
- Click New, and add a name such as attack_alog.
- In the pull-down, choose the format you created previously (Attack_format).
- Click Apply.
Step 3. Create a policy that will write to the new log, attack_alog. Do the following:
- In the VPM, create a new Web Access Layer.
- Add a rule, Source = any, Destination = any, Service = any, Time = any, Action > Modify access log.
- Choose Enable logging to attack_alog.
- Install the policy.
Step 4. Finally, configure the upload client for the new log to be the FTP client.
Using the attack_alog log, you will be able to identify the source of an attack on a website: s-supplier-name and s-supplier-ip show which site was accessed, and c-ip shows the client that accessed it.
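As an added example (not part of the original article), the following Python code parses lines written in Attack_format: it maps each record to the 29 field names defined in Step 1, keeps quoted values such as cs(User-Agent) as one field, skips ELFF header lines, and counts which client IPs (c-ip) reached a given origin server (s-supplier-ip). The sample log lines are constructed and assume the proxy writes the fields in the order of the format string above.

```python
from collections import Counter
# The 29 fields of Attack_format, in the order the proxy writes them.
ATTACK_FORMAT = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result "
    "cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme "
    "cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip "
    "sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation "
    "s-supplier-name s-supplier-ip"
).split()

# Constructed sample lines (not real proxy output); the first is an ELFF header line.
SAMPLE_LOG = """\
#Date: 2024-01-15 10:00:00
2024-01-15 10:00:01 120 10.0.0.5 - - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 /index.html - html "Mozilla/5.0 (X11; Linux)" 192.0.2.10 1500 400 - "Web Browsing" - www.example.com 203.0.113.7
2024-01-15 10:00:02 95 10.0.0.5 - - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 /login.php id=1 php "Mozilla/5.0 (X11; Linux)" 192.0.2.10 900 350 - "Web Browsing" - www.example.com 203.0.113.7
2024-01-15 10:00:03 80 10.0.0.9 - - - OBSERVED "Technology/Internet" - 404 TCP_NC_MISS GET text/html http www.example.com 80 /admin - - "curl/8.0" 192.0.2.10 300 200 - "Web Browsing" - www.example.com 203.0.113.7
2024-01-15 10:00:04 60 10.0.0.5 - - - OBSERVED "Business" - 200 TCP_HIT GET text/html http other.example.net 80 / - - "Mozilla/5.0 (X11; Linux)" 192.0.2.10 1200 380 - "Web Browsing" - other.example.net 198.51.100.4
""".splitlines()

def tokenize(line):
    """Split on spaces, keeping double-quoted values (User-Agent, categories) as one token."""
    tokens, cur, quoted, had_quote = [], [], False, False
    for ch in line.strip():
        if ch == '"':
            quoted, had_quote = not quoted, True
        elif ch == " " and not quoted:
            if cur or had_quote:          # had_quote keeps an empty "" value as a token
                tokens.append("".join(cur))
            cur, had_quote = [], False
        else:
            cur.append(ch)
    if cur or had_quote:
        tokens.append("".join(cur))
    return tokens

def parse_line(line):
    """Return {field: value} for one record, or None if the field count does not match the format."""
    tokens = tokenize(line)
    return dict(zip(ATTACK_FORMAT, tokens)) if len(tokens) == len(ATTACK_FORMAT) else None

def clients_for_supplier(lines, supplier_ip):
    """Count requests per client (c-ip) that the proxy forwarded to the origin server supplier_ip."""
    counts = Counter()
    for line in lines:
        if line.startswith("#"):          # skip ELFF header lines such as #Date: / #Fields:
            continue
        rec = parse_line(line)
        if rec and rec["s-supplier-ip"] == supplier_ip:
            counts[rec["c-ip"]] += 1
    return counts
```

Calling clients_for_supplier(SAMPLE_LOG, "203.0.113.7").most_common() ranks the internal clients that reached that origin, which is the lookup the last sentence above describes; records whose field count does not match the format are ignored rather than mis-mapped.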