Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Loading...
Loading...

INFO: What data does WebMarshal log in WELF traffic logs?

Expand / Collapse


This article applies to:

  • WebMarshal 6.10 and above
  • Traffic logging in WELF format

Question:

  • What data does WebMarshal log in WELF logs?
  • What are the definitions of custom fields in WebMarshal WELF logs?

Information:

WebMarshal version 6.10 and above can log "Traffic logging" data in WELF format. Many of the fields are standard WELF fields. WebMarshal also includes additional fields to provide information about WebMarshal behaviors and results.

The fields are defined as follows. The first four fields are always present at the beginning of the record. Other fields are optional. If present they may appear in any order.

id
Identifies the source of the record. The value is WebMarshal
time
Local date and time of the activity
fw
Server name of the WebMarshal processing node
pri
Identifies the priority of the record. The value is always 6 (information)
user
Authenticated user name (or computer name/IP address) of the client
src
IP address of the client
srcname
Computer name of the client
dst
IPv4 or IPv6 address resolved and used for the remote site requested. This could be a website, or upstream proxy. (Added at 7.3.2.)
  • Note: If the request is blocked based on the URL before a connection is attempted, this value is blank. Results from the policy tester return "0.0.0.0"
dstname
Server name of the remote site requested
contenttype
MIME content type of the upload or download
proto
Port on the remote site
requestid
Request ID
scode
HTTP status code
arg
Path part of the request
sent
Size of the upload content in bytes (Added at 7.2.0.)
rcvd
Size of the download content in bytes
cat_site
URL category associated with a block action
  • Note: This field is only populated for block actions.
catlevel_site
Set to 1 for URL category based blocks. Other values are reserved for future use.
cat_action
Rule evaluation result (pass or block)
rule
WebMarshal rule that blocked the request
  • Note: This field is only populated for block actions.
agent
User agent string reported by the client
ref
Referring URL as reported in the request
op
HTTP method (such as GET or POST)
filetype
File type as determined by WebMarshal
appProto
Protocol as determined by WebMarshal for application control rules (such as "Google Video/YouTube")
  • Note: This is not the Internet protocol of the request. The Internet protocol is reported in the field "scheme".
tncat
Malicious or unwanted content category determined by the WebMarshal TraceNet service. Possible values for this field are:
  • Spam Sites: Sites promoted by spam or botnet campaigns, or offering questionable products or services
  • Phishing Sites: Fraudulent sitest or scams attempting to gain psersonal information by impersonating a trusted website
  • Anonymous Proxies: Sites that enable users to bypass security and acceptable use policy
  • Malicious Sites: Sites hosting malware, blended threats or browser vulnerability exploits
scheme
Protocol of the request (HTTP, HTTPS, or FTP)
wmcache
Result of querying the WebMarshal cache for the file. Possible values for this field are:
  • HIT: indicates that the item was served from cache without checking the origin server
  • MISS: indicates that the item was not in cache and had to be retrieved from the origin server
  • REFRESH_HIT: indicates that the cache item required revalidation, and that revalidation was successful
  • REFRESH_MISS: indicates that the cache item required revalidation, and that the origin server sent back new data
dclass
WebMarshal domain classification assigned to the request (by rule action). If WebMarshal records multiple classifications, they are included as a comma separated list within double quotes.
fclass
WebMarshal file classification assigned to the request (by rule action). If WebMarshal records multiple classifications, they are included as a comma separated list within double quotes.

To contact Trustwave about this article or to request support:


Rate this Article:
     

Related Articles



Add Your Comments


Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster
.