
Syslog Fields

Hi All,

I'm currently trying to process the Sophos UTM Syslogs into a SQL table so that we have a quick and easy way to see who viewed what, and when.

I've noticed that the Username is only logged when the ID is 0001, when the ID is 0003 I get no username or destination IP logged.

My question is, does anyone have a list of what these IDs mean? I can't see any examples from a search I've done.

E.g.:

0001:

Mar 26 03:00:21 [Hostname] 2017:03:26-03:41:24 [Hostname] httpproxy[5997]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="[SIP]" dstip="[DIP]" user="[USERNAME]" group="[AD GROUP]" ad_domain="[DOMAIN]" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_ACC_GBL_e4e53128d9dc4c95abbd39f69146f21af21a (Allow - All sites except global blacklist)" size="3647" request="0x446f6c00" url="4954781729.log.optimizely.com/" referer="" error="" authtime="60" dnstime="5" cattime="152" avscantime="0" fullreqtime="5048327" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services"

0003:

Mar 26 03:00:21 [Hostname] 2017:03:26-03:41:24 [Hostname] httpproxy[5997]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="[SIP]" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2509" request="0x189e3600" url="secure-ds.serving-sys.com/" referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0" fullreqtime="436" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" exceptions=""



  • Hi Michael,

    In such log lines, the status code should be observed, which will provide precise information about the issue.

    There is a list of IDs and the reasons associated with them. Here, I will just provide the information about the two mentioned IDs, i.e., 0001 & 0003.

    1. 0001 - Web Request Delivered to Sender. Description: This log is generated when a web request was successfully delivered.
    2. 0003 - Debug/Error Log Entry. Description: This log is generated when the HTTP proxy writes a debug or error log line.

    I will raise a request with our TechWriters to publish a KBA on this information, only if it can be made public.

    Thanks
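A worked example of what the question sets out to do, added here and not code from Sophos or from anyone in this thread: it parses the two quoted httpproxy line shapes (key="value" pairs behind the double syslog/UTM timestamp header) into a SQLite table standing in for the SQL table mentioned in the question, keeps the id field so 0001 rows can be told apart from 0003 rows, and carries the two ID meanings given in the reply above. The field names are exactly those in the quoted lines; the hostnames, IPs and user name in the sample lines are constructed stand-ins for the bracketed placeholders, and the table layout is an assumption of this example.

```python
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the two httpproxy entries quoted in the
# question; the placeholders ([Hostname], [SIP], [USERNAME], ...) are replaced
# with made-up values so the parser has something concrete to work on.
SAMPLE_LINES = [
    'Mar 26 03:00:21 utm01 2017:03:26-03:41:24 utm01 httpproxy[5997]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" '
    'srcip="10.0.0.15" dstip="203.0.113.10" user="jsmith" group="Web Users" ad_domain="CORP" '
    'statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_ACC_GBL_e4e53128d9dc4c95abbd39f69146f21af21a (Allow - All sites except global blacklist)" '
    'size="3647" request="0x446f6c00" url="4954781729.log.optimizely.com/" referer="" error="" '
    'authtime="60" dnstime="5" cattime="152" avscantime="0" fullreqtime="5048327" device="0" auth="2" '
    'ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" '
    'exceptions="" category="178" reputation="neutral" categoryname="Internet Services"',
    'Mar 26 03:00:21 utm01 2017:03:26-03:41:24 utm01 httpproxy[5997]: id="0003" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.0.0.15" '
    'dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2509" '
    'request="0x189e3600" url="secure-ds.serving-sys.com/" referer="" error="" authtime="2" '
    'dnstime="0" cattime="0" avscantime="0" fullreqtime="436" device="0" auth="2" '
    'ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" '
    'exceptions=""',
]

# Header layout as quoted in the thread:
#   <mon> <day> <hh:mm:ss> <relay host> <YYYY:MM:DD-HH:MM:SS> <utm host> httpproxy[<pid>]: key="value" ...
# The "\s*" after the first timestamp tolerates the missing space seen in the first quoted line.
PREFIX_RE = re.compile(
    r'^(?P<syslog_ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s*'
    r'(?P<relay_host>\S+)\s+'
    r'(?P<utm_ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d)\s+'
    r'(?P<host>\S+)\s+'
    r'(?P<proc>\w+)\[(?P<pid>\d+)\]:\s*(?P<body>.*)$'
)
# key="value" pairs. Assumption: values never contain a double quote; in the
# quoted lines they contain only spaces, slashes, commas and parentheses.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Meaning of the two IDs as given in the reply above; other IDs are reported as
# unknown rather than guessed.
ID_DESCRIPTIONS = {
    "0001": "Web request delivered to sender",
    "0003": "Debug/error log entry",
}

# (table column, log field). "id" is stored as log_id and "user" as username so
# the column names stay unambiguous in SQL; this table layout is an assumption.
COLUMNS = (
    ("utm_ts", "utm_ts"), ("host", "host"), ("log_id", "id"), ("severity", "severity"),
    ("action", "action"), ("method", "method"), ("srcip", "srcip"), ("dstip", "dstip"),
    ("username", "user"), ("ad_domain", "ad_domain"), ("statuscode", "statuscode"),
    ("url", "url"), ("size", "size"),
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Flat dict of the header fields plus every key="value" pair, or None if the
    line is not an httpproxy entry (other UTM daemons share the same syslog feed)."""
    m = PREFIX_RE.match(line)
    if not m or m.group("proc") != "httpproxy":
        return None
    record = {k: m.group(k) for k in ("syslog_ts", "relay_host", "utm_ts", "host", "pid")}
    record.update(KV_RE.findall(m.group("body")))
    return record


def build_db(lines: List[str]) -> sqlite3.Connection:
    """Parse every line into an in-memory SQLite table. Field values come from an
    untrusted log stream, so they are bound as parameters, never pasted into the
    SQL text; only the fixed placeholder list is built by string formatting."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE web_access (utm_ts TEXT, host TEXT, log_id TEXT, severity TEXT, "
        "action TEXT, method TEXT, srcip TEXT, dstip TEXT, username TEXT, ad_domain TEXT, "
        "statuscode INTEGER, url TEXT, size INTEGER)"
    )
    placeholders = ",".join("?" * len(COLUMNS))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        row = tuple(rec.get(field) for _, field in COLUMNS)  # absent key -> NULL, empty value -> ''
        conn.execute(f"INSERT INTO web_access VALUES ({placeholders})", row)
    conn.commit()
    return conn


def who_viewed_what(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """The report the question asks for: user, URL and UTM time of delivered
    requests. Restricted to id 0001 because, per the reply above, that is the
    delivered-request entry; 0003 lines carry no user to report on."""
    cur = conn.execute(
        "SELECT username, url, utm_ts FROM web_access "
        "WHERE log_id = ? AND username <> '' ORDER BY utm_ts, username",
        ("0001",),
    )
    return cur.fetchall()


def summarise_ids(conn: sqlite3.Connection) -> List[Tuple[str, str, int, int]]:
    """Count rows per (id, statuscode) with the ID meaning attached, so the
    status code on the 0003 rows is visible next to the entry type."""
    cur = conn.execute(
        "SELECT log_id, statuscode, COUNT(*) FROM web_access "
        "GROUP BY log_id, statuscode ORDER BY log_id, statuscode"
    )
    return [(i, ID_DESCRIPTIONS.get(i, "unknown"), s, n) for i, s, n in cur.fetchall()]


if __name__ == "__main__":
    db = build_db(SAMPLE_LINES)
    for username, url, ts in who_viewed_what(db):
        print(ts, username, url)
    for log_id, meaning, status, count in summarise_ids(db):
        print(log_id, meaning, status, count)
```

In the sample, the 0003 row carries statuscode 407 (Proxy Authentication Required), so an empty user and dstip on that row is what you would expect: the proxy challenged the client before any user was known. Keeping the id and statuscode columns rather than dropping non-0001 lines lets that distinction show up in the table instead of looking like missing data.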
