
HOWTO: How do I read the WebMarshal WMNodeEngine log?



This article applies to:

  • WebMarshal 6.X and 7.X

Question:

  • How do I read the WebMarshal WMNodeEngine log?

Information:

This article provides an overview of how to read the WebMarshal WMNodeEngine log file. By default it is found in the Logging folder within the WebMarshal directory (for locations, see Related Articles below). The logs contain detailed information about the ongoing operation of the WebMarshal Node Engine service; familiarity with these logs is key to understanding WebMarshal issues quickly and successfully.

Each WebMarshal service generates a text log file, and a new file is created at least daily. If the log reaches 32 MB, a new file is created.

Use Word Wrap wisely in Notepad.
Typically we view WebMarshal's logs in Notepad. Sometimes it is important to see the columns in the log clearly; if so, turn off Word Wrap. Each service log has three columns: Thread Number, Time, and Logged Data. At other times it is more important to see all the Logged Data on-screen; in this case, turn on Word Wrap. Also use Notepad in full-screen mode.

Use a Grep tool to parse information from logs
Because WebMarshal is multithreaded, its logs may appear cryptic, and some users find it extremely helpful to use a grep tool to pick out the relevant information. Examples of such tools are PowerGREP from JGS or UltraEdit (see the Related Links below).

Below is a WMNodeEngine log when Normal logging has been enabled. The log is broken up into its significant sections, each with an explanation of its function.

WMNodeEngine Log

2008-10-08 14:49:41.472 2276 Windows Vista Professional Service Pack 1
2008-10-08 14:49:41.472 2276 Local Fixed Disks:
2008-10-08 14:49:41.472 2276   C:\ - 10478Mb / 24573Mb
2008-10-08 14:49:41.472 2276 Physical Memory Free: 577Mb / 1022Mb
2008-10-08 14:49:41.472 2276 Executable: C:\Program Files\Marshal\WebMarshal\WMEngine.exe
2008-10-08 14:49:41.472 2276 Log Level set to Normal
2008-10-08 14:49:41.472 2276 >> Information - Service Startup : WebMarshal Node Engine (6.1.5.4234) starting...
2008-10-08 14:49:41.519 2276 Loading policy revision 6.1.5.4234, 2008-10-08 01:49:40Z.
2008-10-08 14:49:41.519 2276   Policy is enabled.
2008-10-08 14:49:41.894 2276 Parsing protocols...
2008-10-08 14:49:41.894 2276 Parsing successful.
2008-10-08 14:49:41.894 2276 Log Level set to Debug
2008-10-08 14:49:41.894 2276 WELF Traffic Logging enabled: C:\Program Files\Marshal\WebMarshal\TrafficLogs
2008-10-08 14:49:41.894 2276    Traffic logging purge disabled.
2008-10-08 14:49:41.894 2276 TextCensor file types: TEXT, HTML, JS, RTF
2008-10-08 14:49:41.894 2276 1 processor(s) detected.
2008-10-08 14:49:41.894 2276 Virus scanners will scan unpacked files and inside archives.
2008-10-08 14:49:41.894 2276 Malware scanner  Debug: Preparing to initialise scanner
2008-10-08 14:49:41.894 2276 Malware scanner  Debug: Locating DAT file root path
2008-10-08 14:49:41.894 2276 Malware scanner  Info: Latest DAT file version is 5372
2008-10-08 14:49:51.476 2276 Successfully initialized instance 1 of scanner MSMcAfee.dll. Engine version: 5200.2160
2008-10-08 14:49:51.476 2276 Malware scanner  Debug: Preparing to initialise scanner
2008-10-08 14:49:51.476 2276 Malware scanner  Debug: Locating DAT file root path
2008-10-08 14:49:51.476 2276 Malware scanner  Info: Latest DAT file version is 5372
2008-10-08 14:49:51.476 2276 Successfully initialized instance 2 of scanner MSMcAfee.dll. Engine version: 5200.2160
2008-10-08 14:49:51.476 2276 Writing EICAR test virus into the temporary directory.
2008-10-08 14:49:51.476 2276 Reading EICAR test virus from the temporary directory.
2008-10-08 14:49:51.492 2276 No resident scanner detected.
2008-10-08 14:49:51.492 2276 >> Information - Service Startup : WebMarshal Node Engine (6.1.5.4234) successfully started.
2008-10-08 14:49:52.664 3828 New Policy Available
2008-10-08 14:49:52.680 2276 Loading policy revision 6.1.5.4234, 2008-10-08 01:49:44Z.
2008-10-08 14:49:52.680 2276   Policy is enabled.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: Anonymous Users.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: Power Users.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: Restricted Users.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: Standard Users.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: Unrestricted Site Access.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: auckland\Domain Users.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: dths.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: IP.
2008-10-08 14:49:52.680 2276   Parsing UserGroup: CN=disabledgroup,OU=Disabled accounts,DC=qa,DC=test.
2008-10-08 14:49:52.680 2276   Parsing Category: Adult & Nudity.
2008-10-08 14:49:52.680 2276   Parsing Category: Advertising.
2008-10-08 14:49:52.680 2276   Parsing Category: Anonymizers & Remote Access.
2008-10-08 14:49:52.680 2276   Parsing Category: Banking & Investment.

  • In the section of the log above, thread 2276 shows that the WebMarshal Node Engine is starting and that the logging level of the WMNodeEngine log has been set to Normal.
  • The log displays that WELF traffic logging has been enabled.
  • The log shows the WebMarshal Node Engine has successfully started.
  • McAfee for Marshal is initialized.
  • Thread 3828 has detected that a new policy is available. It is then loaded and enabled.
  • Not all of them are shown in the example above, but all the UserGroups, Categories, Classifications, Rules and Protocols are parsed.
  • The log shows whether each rule is enabled or disabled. For each rule, the log also displays the conditions of the rule and its actions.

Below is a WMNodeEngine log when Debug logging has been enabled. The log is broken up into its significant sections, each with an explanation of its function.

2008-10-08 14:50:43.503 444 Log Level set to Debug
2008-10-08 14:50:43.503 444 WELF Traffic Logging enabled: C:\Program Files\Marshal\WebMarshal\TrafficLogs
2008-10-08 14:50:43.503 444 Traffic logging purge disabled.
2008-10-08 14:50:43.503 444 TextCensor file types: TEXT, HTML, JS, RTF
2008-10-08 14:50:43.503 444 1 processor(s) detected.
2008-10-08 14:50:43.503 444 Virus scanners will scan unpacked files and inside archives.
2008-10-08 14:50:43.503 444 Malware scanner  Debug: Preparing to initialise scanner
2008-10-08 14:50:43.503 444 Malware scanner  Debug: Locating DAT file root path
2008-10-08 14:50:43.518 444 Malware scanner  Info: Latest DAT file version is 5372
2008-10-08 14:50:51.909 444 Successfully initialized instance 1 of scanner MSMcAfee.dll. Engine version: 5200.2160
2008-10-08 14:50:51.909 444 Malware scanner  Debug: Preparing to initialise scanner
2008-10-08 14:50:51.909 444 Malware scanner  Debug: Locating DAT file root path
2008-10-08 14:50:51.909 444 Malware scanner  Info: Latest DAT file version is 5372
2008-10-08 14:50:51.909 444 Successfully initialized instance 2 of scanner MSMcAfee.dll. Engine version: 5200.2160
2008-10-08 14:50:51.909 444 Writing EICAR test virus into the temporary directory.
2008-10-08 14:50:51.909 444 Reading EICAR test virus from the temporary directory.
2008-10-08 14:50:51.925 444 No resident scanner detected.
2008-10-08 14:50:51.925 444 >> Information - Service Startup : WebMarshal Node Engine (6.1.5.4234) successfully started.
2008-10-08 14:52:06.928 2816 Processing a download request for request {68952DBE-EA50-4219-A4C4-F13EFC7D5585}
2008-10-08 14:52:06.928 2816 Creating session for 'dwb-v32-n' on 'dwb-v32-n' at 10/08/08 14:52:06, ( 0 quota rules, 1 standard rules, 0 content rules )
2008-10-08 14:52:06.928 2816   First request: http://www.google.com/
2008-10-08 14:52:06.928 2816 FileType: Type=HTML,  Size=221,  Name=WM_15206.TMP
2008-10-08 14:52:06.928 2816 File Information: Type=HTML,  Size= ,  Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_15206.TMP
2008-10-08 14:52:09.038 2816 Processing a download request for request {CF3856FA-C89C-4CE6-A02E-A03DEB90C9E8}
2008-10-08 14:52:09.038 2816 FileType: Type=HTML,  Size=6412,  Name=WM_32275.TMP
2008-10-08 14:52:09.038 2816 File Information: Type=HTML,  Size= ,  Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_32275.TMP
2008-10-08 14:52:09.882 2816 Processing a download request for request {A9179C60-532F-4E68-AD4B-AC194CFCC3FD}
2008-10-08 14:52:09.882 2816 FileType: Type=PNG,  Size=7582,  Name=WM_26527_logo_plain.png
2008-10-08 14:52:09.882 2816 File Information: Type=PNG,  Size= ,  Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_26527_logo_plain.png
2008-10-08 14:52:10.413 2816 Processing a download request for request {E6507DE5-A0E6-43F4-B638-13855C1698A3}
2008-10-08 14:52:10.413 2816 FileType: Type=ICO,  Size=1150,  Name=WM_26688_favicon.ico
2008-10-08 14:52:10.413 2816 File Information: Type=ICO,  Size= ,  Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_26688_favicon.ico
2008-10-08 14:52:10.632 2816 Processing a download request for request {56FFE861-25EE-43A1-90A0-55002069DB36}
2008-10-08 14:52:10.632 2816 FileType: Type=PNG,  Size=6336,  Name=WM_12786_nav_logo3.png
2008-10-08 14:52:10.632 2816 File Information: Type=PNG,  Size= ,  Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_12786_nav_logo3.png
2008-10-08 14:54:37.278 2348 Processing a download request for request {F1C3FF78-04C9-48C1-9AB6-FC7127A917CE}
2008-10-08 14:54:37.278 2348 FileType: Type=HTML,  Size=399,  Name=WM_14597.TMP
2008-10-08 14:54:37.278 2348 File Information: Type=HTML,  Size= ,  Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_14597.TMP
2008-10-08 14:54:38.231 2348 Processing a secure request for request {3911F6ED-05B5-4689-9856-3E2C339212E7}
2008-10-08 14:54:39.450 2348 Processing a secure request for request {41ECF583-E793-4D70-B40E-A27240D0FC41}
2008-10-08 14:54:41.856 2348 Processing a download request for request {9D00527E-555E-4E04-B633-49D81915A22C}
2008-10-08 14:54:41.856 2348 FileType: Type=HTML,  Size=399,  Name=WM_6611.TMP
2008-10-08 14:54:41.856 2348 File Information: Type=HTML,  Size= ,  Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_6611.TMP
2008-10-08 14:54:42.825 2348 Processing a secure request for request {CE21E5AA-E5D6-4CE2-B078-8B20FADEE296}
2008-10-08 14:54:42.934 2348 Processing a secure request for request {32FF8959-E439-4CA3-8B92-A7445F5AC9A6}
2008-10-08 14:54:43.466 2348 Processing a secure request for request {37B0C52A-8AF7-4E98-842B-358D3AF52AA5}
2008-10-08 14:54:46.981 2348 Processing a download request for request {0F700C06-5958-4487-9F12-28533AD97144}
2008-10-08 14:54:46.981 2348 FileType: Type=HTML,  Size=17112,  Name=WM_3820_ServiceLogin
2008-10-08 14:54:46.997 2348 File Information: Type=HTML,  Size= , Name=C:\Program Files\Marshal\WebMarshal\Temp\Proxy\WM_3820_ServiceLogin
2008-10-08 14:54:48.075 2348 Processing a secure request for request {5A638F4F-B7A5-493C-886C-210DA042BCB4}
2008-10-08 14:54:49.232 2348 Processing a secure request for request {EA9A0E58-18F8-4373-8742-A0C507B66D46}
2008-10-08 14:54:50.091 2348 Processing a secure request for request {D45F308D-AC12-42F3-8CE7-C609347BEFA4}
2008-10-08 14:54:50.185 2348 Processing a secure request for request {505CA312-BF8B-481A-8C8A-A9BF3A6629A2}
2008-10-08 14:54:50.997 2348 Processing a secure request for request {C8BFD1D7-BB84-4E57-A1FC-18B1A8B53EE2}
2008-10-08 14:54:51.607 2348 Processing a secure request for request {6AFC7D45-6EDA-4904-978A-62B3D5043920}

  • Thread 2816 displays that a download request has been made.
  • The request ID (GUID) is displayed for each request.
  • A GUID allows an administrator to track the request from the WMProxy log to the WMFilter to the WMEngine log to the WMController log. This helps administrators diagnose any issues their users might be experiencing.
  • Each request represents one of the separate files that make up a single webpage, so there could be hundreds per page.
  • A request displays the name of the file being requested, its type (e.g. PNG), its size, and the location of the file in the temporary directory used by WebMarshal.
For information on how to read the WMProxy log please see the article below:
  • Q12171 : How do I read the WebMarshal WMProxy log?
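
The per-thread reading and GUID tracking described above can be scripted instead of followed by eye. The following Python is an added example, not part of the original article or of WebMarshal. It assumes the column order seen in the excerpts (timestamp, thread number, logged data) and that a FileType or File Information line belongs to the most recent request logged by the same thread; the function names are hypothetical and the sample lines are constructed in the page's format.

```python
import re

# Column order as seen in the excerpts on this page: timestamp, thread number, logged data.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+) (.*)$")
REQUEST = re.compile(r"Processing a (download|secure) request for request \{([0-9A-Fa-f-]{36})\}")
FILETYPE = re.compile(r"FileType: Type=(\w+),\s+Size=(\d+),\s+Name=(.+)$")
PATH = re.compile(r"File Information: .*Name=(.+)$")

def parse_records(text):
    """Return [time, thread, data] records; a line with no timestamp continues the previous one."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3).rstrip()])
        elif raw.strip() and records:
            records[-1][2] += " " + raw.strip()  # wrapped path: "C:\Program" + "Files\..."
    return records

def requests_by_guid(text):
    """Map each request GUID to its thread, time, kind and, when logged, file details."""
    requests, current = {}, {}  # current: thread -> GUID of that thread's latest request
    for time, thread, data in parse_records(text):
        m = REQUEST.search(data)
        if m:
            guid = m.group(2).upper()
            requests[guid] = {"time": time, "thread": thread, "kind": m.group(1)}
            current[thread] = guid
        elif thread in current:
            ft, fp = FILETYPE.search(data), PATH.search(data)
            if ft:
                requests[current[thread]].update(type=ft.group(1), size=int(ft.group(2)), name=ft.group(3))
            if fp:
                requests[current[thread]]["path"] = fp.group(1)
    return requests

# Constructed sample in the page's format: two threads interleaved, one wrapped path line.
SAMPLE = r"""
2008-10-08 14:52:09.882 2816 Processing a download request for request {A9179C60-532F-4E68-AD4B-AC194CFCC3FD}
2008-10-08 14:52:09.882 2348 Processing a secure request for request {3911F6ED-05B5-4689-9856-3E2C339212E7}
2008-10-08 14:52:09.882 2816 FileType: Type=PNG,  Size=7582,  Name=WM_26527_logo_plain.png
2008-10-08 14:52:09.882 2816 File Information: Type=PNG,  Size= ,  Name=C:\Program
Files\Marshal\WebMarshal\Temp\Proxy\WM_26527_logo_plain.png
"""

if __name__ == "__main__":
    for guid, info in requests_by_guid(SAMPLE).items():
        print(guid, info)
```

The GUID keys returned here are the values to search for in the other service logs when following one request end to end.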


Related Articles



Related Links


