Content Filtering Logging Issues

I've been taking a look at the Content Filtering syslog messages and noticed a few issues. Here's a web filtering log line, split into one line per field for both Copernicus and UTM 9.3:

**** Copernicus ****

date=2015-07-28
time=09:00:39
timezone="SAST"
device_name="SF01V"
device_id=SFDemo-a51b4c34
log_id=050901616001
log_type="Content Filtering"
log_component="HTTP"
log_subtype="Allowed"
status=""
priority=Information
fw_rule_id=0
user_name=""
user_gp=""
iap=1
category="Content Delivery"
category_type="Acceptable"
url="cdn.jsdelivr.net/.../sp.js"
contenttype="application/javascript"
override_token=""
httpresponsecode=""
src_ip=172.16.1.2
dst_ip=190.93.247.228
protocol="TCP"
src_port=49775
dst_port=80
sent_bytes=0
recv_bytes=21865
domain=cdn.jsdelivr.net

**** UTM 9.3 ****

2015:03:02-00:39:22
SophosUTM93
httpproxy[5207]:
id="0001"
severity="info"
sys="SecureWeb"
sub="http"
name="http access"
action="pass"
method="GET"
srcip="10.211.55.2"
dstip="23.212.59.57"
user="scott"
ad_domain="WINLAB"
statuscode="200"
cached="0"
profile="REF_DefaultHTTPProfile (Default Web Filter Profile)"
filteraction="REF_DefaultHTTPCFFAction (Default content filter action)"
size="10750"
request="0xe39fe800"
url="dotcom-media.nationalgeographic.com/.../style.css"
referer="www.nationalgeographic.com/"
error=""
authtime="473"
dnstime="68997"
cattime="8792326"
avscantime="34780"
fullreqtime="9604908"
device="0"
auth="2"
ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36"
exceptions=""
category="111"
reputation="neutral"
categoryname="Education/Reference"
content-type="text/css"

Issues:
#1: Half of the fields in Copernicus are not qualified with double quotes (""). This could throw off some log parsers.
#2: httpresponsecode never seems to be populated.
#3: Copernicus is missing the following important fields:
- referer
- method
- ua (User agent)
- ad_domain (although this may be implied by the username if domain prefixed?)
- application
- reputation

(Referrer is useful in the Copernicus hit above to see what site was responsible for pulling in the javascript resource on the jsdelivr CDN (http://cdn.jsdelivr.net/snowplow/2.1.2/sp.js))

#4: Copernicus is also missing these fields but there may be good reasons, and/or they may be present in some of the other log events (not Content Filtering):
- filteraction
- profile
- ad_domain (I haven't tested with AD SSO yet - perhaps this is implied by the username if domain prefixed?)
- application
- reputation
- exceptions
- device
- authtime
- dnstime
- cattime
- avscantime
- fullreqtime
- error
- device
- auth
- app-id
- request
- cached

Question:
As "filteraction" and "profile" are no longer included, what is the best way to determine which content filter policy blocked or allowed web traffic? Is this the purpose of the new "fw_rule_id" or "iap" fields?
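Added example, not from the original post or from Sophos: a small Python parser that handles the mixed quoted/unquoted key=value style from issue #1, strips the UTM 9.3 syslog prefix, and reports the empty and missing fields from issues #2 to #4. The two sample lines are the field-per-line listings above reassembled onto one line each; the UTM-to-Copernicus alias map is an assumption made for the comparison, not something Sophos documents.

```python
"""Parse Sophos Copernicus / UTM 9.3 web-filter log lines and compare their field sets."""
import re
from typing import Dict, List

# Constructed sample lines, reassembled from the field-per-line listings in the post.
COPERNICUS_LINE = (
    'date=2015-07-28 time=09:00:39 timezone="SAST" device_name="SF01V" '
    'device_id=SFDemo-a51b4c34 log_id=050901616001 log_type="Content Filtering" '
    'log_component="HTTP" log_subtype="Allowed" status="" priority=Information '
    'fw_rule_id=0 user_name="" user_gp="" iap=1 category="Content Delivery" '
    'category_type="Acceptable" url="cdn.jsdelivr.net/.../sp.js" '
    'contenttype="application/javascript" override_token="" httpresponsecode="" '
    'src_ip=172.16.1.2 dst_ip=190.93.247.228 protocol="TCP" src_port=49775 '
    'dst_port=80 sent_bytes=0 recv_bytes=21865 domain=cdn.jsdelivr.net'
)
UTM_LINE = (
    '2015:03:02-00:39:22 SophosUTM93 httpproxy[5207]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" '
    'srcip="10.211.55.2" dstip="23.212.59.57" user="scott" ad_domain="WINLAB" '
    'statuscode="200" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" '
    'size="10750" request="0xe39fe800" '
    'url="dotcom-media.nationalgeographic.com/.../style.css" '
    'referer="www.nationalgeographic.com/" error="" authtime="473" dnstime="68997" '
    'cattime="8792326" avscantime="34780" fullreqtime="9604908" device="0" auth="2" '
    'ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36" exceptions="" '
    'category="111" reputation="neutral" categoryname="Education/Reference" '
    'content-type="text/css"'
)

# One key=value pair: the value is either "quoted" (may contain spaces) or a bare token.
_PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')
# UTM 9.x syslog-style prefix: timestamp host process[pid]: key=value ...
_UTM_PREFIX = re.compile(r'^(\S+) (\S+) (\w+)\[(\d+)\]: (.*)$')


def parse_pairs(text: str) -> Dict[str, str]:
    """Return all key=value pairs in text; quoted and bare values are both accepted."""
    record: Dict[str, str] = {}
    for m in _PAIR.finditer(text):
        key, quoted, bare = m.groups()
        record[key] = quoted if quoted is not None else bare
    return record


def parse_sophos_line(line: str) -> Dict[str, str]:
    """Parse either format; UTM prefix parts are stored under underscore-prefixed keys."""
    m = _UTM_PREFIX.match(line)
    if m:
        ts, host, proc, pid, rest = m.groups()
        record = {"_timestamp": ts, "_host": host, "_process": proc, "_pid": pid}
        record.update(parse_pairs(rest))
        return record
    return parse_pairs(line)


def unquoted_keys(line: str) -> List[str]:
    """Keys whose value is not wrapped in double quotes (issue #1 in the post)."""
    return [m.group(1) for m in _PAIR.finditer(line) if m.group(2) is None]


def empty_fields(record: Dict[str, str]) -> List[str]:
    """Keys that are present but carry an empty value (httpresponsecode, issue #2)."""
    return [k for k, v in record.items() if v == ""]


# UTM field -> Copernicus field for pairs that appear to carry the same information.
# This mapping is an assumption made for the example, not documented by Sophos.
ASSUMED_ALIASES = {
    "srcip": "src_ip", "dstip": "dst_ip", "user": "user_name",
    "statuscode": "httpresponsecode", "categoryname": "category",
    "content-type": "contenttype", "action": "log_subtype", "severity": "priority",
}


def missing_fields(utm: Dict[str, str], cop: Dict[str, str]) -> List[str]:
    """UTM fields with no counterpart (same name or assumed alias) in the Copernicus record.

    Note that UTM's numeric "category" shares its name with Copernicus's textual
    "category", so a same-name match is only a first approximation.
    """
    missing = []
    for key in utm:
        if key.startswith("_"):
            continue  # syslog prefix, not a log field
        if key in cop or ASSUMED_ALIASES.get(key) in cop:
            continue
        missing.append(key)
    return missing


if __name__ == "__main__":
    cop = parse_sophos_line(COPERNICUS_LINE)
    utm = parse_sophos_line(UTM_LINE)
    print("unquoted Copernicus keys:", unquoted_keys(COPERNICUS_LINE))
    print("empty Copernicus fields:", empty_fields(cop))
    print("UTM fields missing from Copernicus:", missing_fields(utm, cop))
```

Running it lists the 14 bare-value keys on the Copernicus line (date, time, device_id, log_id, priority, fw_rule_id, iap, src_ip, dst_ip, src_port, dst_port, sent_bytes, recv_bytes, domain), the empty fields including httpresponsecode, and the UTM fields such as referer, method, ua and reputation that have no Copernicus counterpart. The regex accepts both value styles so a collector does not silently drop the unquoted half of each event, which is the practical risk behind issue #1.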