[9.260][QUESTION] User Agent logging in http.log inconsistent

EDIT: Dumb me...the missing ua= was due to pre-9.260 beta logs (in 9.1 it wasn't built in). So forget that one below...

No Issue...sorry...[8-)]

*********************************


How and under which circumstances is the user agent logged in http.log?

I've seen 3 different logging behaviours:

Here no user agent is logged at all (not even an occurrence of ua="" in the log line):

/var/log/http/2014/10/http-2014-10-05.log.gz:2014:10:05-20:08:10 asg01 httpproxy[6509]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="POST" srcip="192.168.20.201" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanclNetwo2 (MOBILE_DEVICES_NOMITM)" filteraction="REF_HttCffMobiles (MOBILES)" size="3136" request="0x1190d4f8" url="aax-us-east.amazon-adsystem.com/.../ads" exceptions="" error="" authtime="0" dnstime="0" cattime="43344" avscantime="0" fullreqtime="60158" device="0" auth="0" country="United States" overridecategory="1" reason="category" category="154,154" reputation="unverified" categoryname="Web Ads,Web Ads"


Here a user agent is logged:

/var/log/http/2014/10/http-2014-10-09.log.gz:2014:10:09-13:07:23 asg01 httpproxy[6533]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="POST" srcip="192.168.20.201" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanclNetwo2 (MOBILE_DEVICES_NOMITM)" filteraction="REF_HttCffMobiles (MOBILES)" size="3141" request="0xe2674800" url="aax-us-east.amazon-adsystem.com/.../JDQ39)" exceptions="" overridecategory="1" country="Netherlands" reason="category" category="154,154" reputation="unverified" categoryname="Web Ads,Web Ads"


And here no user agent is logged, but the empty ua="" appears in the log, unlike the first log line mentioned, where no ua="" occurred at all:

/var/log/http/2014/10/http-2014-10-09.log.gz:2014:10:09-17:16:31 asg01 httpproxy[6533]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.20.203" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanclNetwo (MOBILE_DEVICES_MITM)" filteraction="REF_HttCffMobiles (MOBILES)" size="3131" request="0xe26ce800" url="aax-us-east.amazon-adsystem.com/" referer="" error="" authtime="0" dnstime="0" cattime="49342" avscantime="0" fullreqtime="338449" device="0" auth="0" ua="" exceptions="" overridecategory="1" country="United States" reason="category" category="154,154" reputation="unverified" categoryname="Web Ads,Web Ads"


Explanation?
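
An added example (not part of the original post, and not Sophos code): a small Python parser that classifies each http.log line by whether the `ua` field is absent, empty or populated, and tallies the result per day so that a change in logging behaviour shows up as a date boundary. The sample lines are constructed and shortened from the format quoted above; the hostnames and the `ua` value in them are made up.

```python
import re
from collections import Counter, defaultdict

# key="value" pairs as they appear in the log lines quoted above.
# Assumption: values never contain a double quote.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
# Timestamp format from the quoted lines: YYYY:MM:DD-HH:MM:SS
DATE_RE = re.compile(r'(\d{4}):(\d{2}):(\d{2})-\d{2}:\d{2}:\d{2}')

def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(PAIR_RE.findall(line))

def ua_state(line):
    """Classify the ua field: 'absent' (key not logged at all),
    'empty' (ua="" is logged) or 'present' (ua has a value)."""
    fields = parse_fields(line)
    if "ua" not in fields:
        return "absent"
    return "empty" if fields["ua"] == "" else "present"

def tally_by_day(lines):
    """Count ua states per calendar day (YYYY-MM-DD)."""
    out = defaultdict(Counter)
    for line in lines:
        m = DATE_RE.search(line)
        day = "-".join(m.groups()) if m else "unknown"
        out[day][ua_state(line)] += 1
    return out

# Constructed sample lines, one per behaviour described in the post.
SAMPLE = [
    '2014:10:05-20:08:10 asg01 httpproxy[6509]: id="0060" action="block" '
    'method="POST" srcip="192.168.20.201" url="example.test/ads" exceptions=""',
    '2014:10:09-13:07:23 asg01 httpproxy[6533]: id="0060" action="block" '
    'method="POST" srcip="192.168.20.201" url="example.test/ads" '
    'ua="ExampleAgent/1.0" exceptions=""',
    '2014:10:09-17:16:31 asg01 httpproxy[6533]: id="0060" action="block" '
    'method="CONNECT" srcip="192.168.20.203" url="example.test/" ua="" '
    'exceptions=""',
]

if __name__ == "__main__":
    for day, counts in sorted(tally_by_day(SAMPLE).items()):
        print(day, dict(counts))
```

Feeding it the output of `zgrep` over the archived logs works unchanged, because the file-name prefix that `zgrep` adds does not match the timestamp pattern.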