
[Logging Exceptions] Need a little help

Hey all,

My ISP allows me to watch TV via the browser.
It all works pretty well, but it fills the logs rather quickly with unnecessary "noise".

I wanted to make an exception for it (both access and blocked logging).
They are mostly IP addresses, and I haven't been able to make an exception for those; I got the domains by now.

I couldn't find any ranges within those IPs.

Kind regards,
Frank


  • Hi, 

    Please post some samples from the FULL (not live) logs.

    Barry
  • Sorry, had them already ready to insert, but totally forgot to do so.


    2014:07:02-10:47:55 UTM-Frank httpproxy[5357]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168." dstip="213.75.170.15" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Frank)" filteraction="REF_HttCffAllow (Frank)" size="31703" request="0x19902220" url="213.75.170.15/.../mp4" application="http"
    2014:07:02-10:47:55 UTM-Frank httpproxy[5357]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168." dstip="213.75.170.15" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Frank)" filteraction="REF_HttCffAllow (Frank)" size="303575" request="0x97b7100" url="213.75.170.15/.../mp4" application="http"
    2014:07:02-10:47:56 UTM-Frank httpproxy[5357]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168." dstip="213.75.170.15" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Frank)" filteraction="REF_HttCffAllow (Frank)" size="2517" request="0x97b7100" url="213.75.170.15/.../mp4" application="http"
    2014:07:02-10:47:57 UTM-Frank httpproxy[5357]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168." dstip="213.75.170.15" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Frank)" filteraction="REF_HttCffAllow (Frank)" size="941" request="0x97b7100" url="213.75.170.15/.../mp4" application="http"
    2014:07:02-10:47:57 UTM-Frank httpproxy[5357]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168." dstip="213.75.170.15" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Frank)" filteraction="REF_HttCffAllow (Frank)" size="31519" request="0x19902220" url="213.75.170.15/.../mp4" application="http"
    2014:07:02-10:47:57 UTM-Frank httpproxy[5357]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168." dstip="213.75.170.15" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Frank)" filteraction="REF_HttCffAllow (Frank)" size="409231" request="0x97b7100" url="213.75.170.15/.../mp4" application="http"
    2014:07:02-10:47:58 UTM-Frank httpproxy[5357]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168." dstip="213.75.170.15" user="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Frank)" filteraction="REF_HttCffAllow (Frank)" size="2589" request="0x97b7100" url="213.75.170.15/.../mp4" application="http"


    These are just entries for 1 IP, which is what I could find today,
    but I've also seen the following IPs last week:
    213.75.170.12
    213.75.170.14
    213.75.170.15
    213.75.170.42
    213.75.170.44
    213.75.170.45
    213.75.66.202
    213.75.85.14
    213.75.85.15
  • Try creating an exception that "matches these domains"
    ^http://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/session

    This will do any IP address with a path starting /session

    You can make it more specific if your logs show that it is consistent.

    Then in the exception, skip logging.
  • yep, that does the trick..
    but how can I change it to match only "213.75.*.*/session/"?

    edit:
    ^http://[213]{1,3}\.[75]{1,3}\.\d{1,3}\.\d{1,3} should work, right?
  • yep, works! thanks for your assistance
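
An added check, not part of the original thread: in regular expressions `[213]` and `[75]` are character classes, so the last pattern posted above skips logging for more hosts than 213.75.x.x, and it has no path anchor. The script below compares it with a literal form; the `LITERAL` pattern, the helper names and the sample URLs are constructed for this example, and Python's `re` is assumed to treat these constructs the same way as the proxy's regex engine.

```python
import re

# Pattern as posted in the thread. [213] and [75] are character classes:
# each matches 1-3 characters drawn from that set, not the literal number.
POSTED = r"^http://[213]{1,3}\.[75]{1,3}\.\d{1,3}\.\d{1,3}"

# Literal form of "213.75.*.*/session" (added here; dots escaped, path kept).
LITERAL = r"^http://213\.75\.\d{1,3}\.\d{1,3}/session"

# Constructed sample URLs: (url, should logging be skipped?).
SAMPLES = [
    ("http://213.75.170.15/session/stream.mp4", True),
    ("http://213.75.85.14/session/stream.mp4", True),
    ("http://213.75.170.15/other/file.mp4", False),   # right host, other path
    ("http://1.5.10.10/session/stream.mp4", False),   # "1" and "5" fit the classes
    ("http://32.77.0.9/anything", False),             # so do "32" and "77"
    ("http://123.57.4.4/login", False),
    ("http://213.76.170.15/session/stream.mp4", False),
]

def skipped(pattern, samples=SAMPLES):
    """URLs the exception would match, i.e. traffic that stops being logged."""
    rx = re.compile(pattern)
    return [url for url, _ in samples if rx.search(url)]

def unintended(pattern, samples=SAMPLES):
    """Matched URLs that were never meant to be exempt from logging."""
    hits = set(skipped(pattern, samples))
    return [url for url, wanted in samples if url in hits and not wanted]

def missed(pattern, samples=SAMPLES):
    """Intended URLs the pattern fails to match (noise that stays in the log)."""
    hits = set(skipped(pattern, samples))
    return [url for url, wanted in samples if wanted and url not in hits]

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("literal", LITERAL)):
        print(name, "unintended:", unintended(pat), "missed:", missed(pat))
```

Running a candidate exception against a sample of real request URLs from the full log, before enabling "skip logging", shows which traffic would disappear from the record.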