Hi All,
I'm currently trying to process the Sophos UTM Syslogs into a SQL table so that we have a quick and easy way to see who viewed what, and when.
I've noticed that the username is only logged when the ID is 0001; when the ID is 0003 I get no username or destination IP logged.
My question is, does anyone have a list of what these IDs mean? I can't see any examples from a search I've done.
E.g.:
0001:
Mar 26 03:00:21[Hostname] 2017:03:26-03:41:24 [Hostname] httpproxy[5997]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="[SIP]" dstip="[DIP]" user="[USERNAME]" group="[AD GROUP]" ad_domain="[DOMAIN]" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_ACC_GBL_e4e53128d9dc4c95abbd39f69146f21af21a (Allow - All sites except global blacklist)" size="3647" request="0x446f6c00" url="4954781729.log.optimizely.com/" referer="" error="" authtime="60" dnstime="5" cattime="152" avscantime="0" fullreqtime="5048327" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services"
0003:
Mar 26 03:00:21 [Hostname] 2017:03:26-03:41:24 [Hostname] httpproxy[5997]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="[SIP]" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2509" request="0x189e3600" url="secure-ds.serving-sys.com/" referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0" fullreqtime="436" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" exceptions=""
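An added example of the parsing step (not code from the original post): it splits the httpproxy syslog header from the key="value" body, handles values that contain spaces and parentheses or are empty (the filteraction=" ()" and dstip="" fields of the 0003 record), loads the fields into a SQLite table with parameterised inserts, and queries for records that actually carry a username. The two sample lines are constructed copies of the records above with placeholder user, group and IP values. Note that the 0003 record carries statuscode="407"; that is the standard HTTP "Proxy Authentication Required" response, which the proxy returns before the client has presented credentials, which is why no user or destination is present in that record. The list of Sophos ID meanings is not on this page and the code does not claim one; it simply keys on what is visible in the log fields.

```python
import re
import sqlite3
from typing import Dict, List, Optional

# UTM httpproxy lines: syslog header, then space-separated key="value" pairs.
# Values never contain a double quote, but they may contain spaces and
# parentheses (profile, filteraction, ua) or be empty (dstip="", user="").
KV_RE = re.compile(r'(\w+)="([^"]*)"')
HEADER_RE = re.compile(
    r'^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ?\[(?P<relay>[^\]]*)\] '
    r'(?P<utm_ts>\S+) \[(?P<host>[^\]]*)\] (?P<process>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$'
)

# Constructed sample records modelled on the two lines in the post
# (user, group, domain and IP values are placeholders, not real data).
SAMPLE_LINES = [
    'Mar 26 03:00:21[Hostname] 2017:03:26-03:41:24 [Hostname] httpproxy[5997]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.0.0.5" '
    'dstip="203.0.113.10" user="jdoe" group="Staff" ad_domain="EXAMPLE" statuscode="200" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_ACC_GBL_placeholder (Allow - All sites except global blacklist)" size="3647" '
    'url="4954781729.log.optimizely.com/" referer="" error="" authtime="60" auth="2" '
    'categoryname="Internet Services"',
    'Mar 26 03:00:21 [Hostname] 2017:03:26-03:41:24 [Hostname] httpproxy[5997]: id="0003" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.0.0.5" '
    'dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2509" '
    'url="secure-ds.serving-sys.com/" referer="" error="" authtime="2" auth="2" exceptions=""',
]

# Columns kept in the table; a fixed list, so column names are never taken from log input.
COLUMNS = ["utm_ts", "host", "id", "srcip", "dstip", "user", "ad_domain",
           "statuscode", "method", "url", "categoryname"]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return header fields plus every key="value" pair as one flat dict, or None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "body"}
    rec.update(KV_RE.findall(m.group("body")))
    return rec


def has_identity(rec: Dict[str, str]) -> bool:
    """True when the record names a user. A 407 (Proxy Authentication Required) round trip
    happens before the client has sent credentials, so user and dstip are empty there."""
    return rec.get("user", "") != "" and rec.get("statuscode") != "407"


def load_into_sqlite(lines: List[str]) -> sqlite3.Connection:
    """Parse each line and insert the selected columns with parameterised statements."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_access (%s)" % ", ".join('"%s" TEXT' % c for c in COLUMNS))
    rows = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog line; skip rather than guess at fields
        rows.append(tuple(rec.get(c, "") for c in COLUMNS))
    conn.executemany("INSERT INTO web_access VALUES (%s)" % ",".join("?" * len(COLUMNS)), rows)
    conn.commit()
    return conn


def who_viewed_what(conn: sqlite3.Connection) -> List[tuple]:
    """Records with a known user (the 0001-style lines); 407 handshake records are excluded."""
    return conn.execute(
        'SELECT utm_ts, "user", srcip, url FROM web_access '
        "WHERE \"user\" <> '' AND statuscode <> '407' ORDER BY utm_ts"
    ).fetchall()


if __name__ == "__main__":
    db = load_into_sqlite(SAMPLE_LINES)
    for row in who_viewed_what(db):
        print(row)
```

Keeping the 407 records in the table but filtering them out of the "who viewed what" view is a deliberate choice: they are still useful for spotting clients that repeatedly fail proxy authentication, which is a different question from the one the report answers.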