The username field in the raw access logs will be empty for the denied HTTPS websites that are exempted from SSL interception.

When any source\destination is exempted from SSL interception, WSS will still intercept SSL if a block policy matches that specific transaction in order to display the exception page to the user. This is called “Interception on Exception”

When WSS is doing interception on exception, the policy transaction will not match an authentication rule, therefore, the raw access logs will not record the username.