This article applies to:
- WebMarshal 6.10 and above
- Traffic logging in WELF format
Question:
- What data does WebMarshal log in WELF logs?
- What are the definitions of custom fields in WebMarshal WELF logs?
Information:
WebMarshal version 6.10 and above can log "Traffic logging" data in WELF format. Many of the fields are standard WELF fields. WebMarshal also includes additional fields to provide information about WebMarshal behaviors and results.
The fields are defined as follows. The first four fields are always present at the beginning of the record. Other fields are optional. If present, they may appear in any order.
- id
  - Identifies the source of the record. The value is WebMarshal
- time
  - Local date and time of the activity
- fw
  - Server name of the WebMarshal processing node
- pri
  - Identifies the priority of the record. The value is always 6 (information)
- user
  - Authenticated user name (or computer name/IP address) of the client
- src
  - IP address of the client
- srcname
  - Computer name of the client
- dst
  - IPv4 or IPv6 address resolved and used for the remote site requested. This could be a website, or upstream proxy. (Added at 7.3.2.)
  - Note: If the request is blocked based on the URL before a connection is attempted, this value is blank. Results from the policy tester return "0.0.0.0"
- dstname
  - Server name of the remote site requested
- contenttype
  - MIME content type of the upload or download
- proto
  - Port on the remote site
- requestid
  - Request ID
- scode
  - HTTP status code
- arg
  - Path part of the request
- sent
  - Size of the upload content in bytes (Added at 7.2.0.)
- rcvd
  - Size of the download content in bytes
- cat_site
  - URL category associated with a block action
  - Note: This field is only populated for block actions.
- catlevel_site
  - Set to 1 for URL category based blocks. Other values are reserved for future use.
- cat_action
  - Rule evaluation result (pass or block)
- rule
  - WebMarshal rule that blocked the request
  - Note: This field is only populated for block actions.
- agent
  - User agent string reported by the client
- ref
  - Referring URL as reported in the request
- op
  - HTTP method (such as GET or POST)
- filetype
  - File type as determined by WebMarshal
- appProto
  - Protocol as determined by WebMarshal for application control rules (such as "Google Video/YouTube")
  - Note: This is not the Internet protocol of the request. The Internet protocol is reported in the field "scheme".
- tncat
  - Malicious or unwanted content category determined by the WebMarshal TraceNet service. Possible values for this field are:
    - Spam Sites: Sites promoted by spam or botnet campaigns, or offering questionable products or services
    - Phishing Sites: Fraudulent sites or scams attempting to gain personal information by impersonating a trusted website
    - Anonymous Proxies: Sites that enable users to bypass security and acceptable use policy
    - Malicious Sites: Sites hosting malware, blended threats or browser vulnerability exploits
- scheme
  - Protocol of the request (HTTP, HTTPS, or FTP)
- wmcache
  - Result of querying the WebMarshal cache for the file. Possible values for this field are:
    - HIT: indicates that the item was served from cache without checking the origin server
    - MISS: indicates that the item was not in cache and had to be retrieved from the origin server
    - REFRESH_HIT: indicates that the cache item required revalidation, and that revalidation was successful
    - REFRESH_MISS: indicates that the cache item required revalidation, and that the origin server sent back new data
- dclass
  - WebMarshal domain classification assigned to the request (by rule action). If WebMarshal records multiple classifications, they are included as a comma separated list within double quotes.
- fclass
  - WebMarshal file classification assigned to the request (by rule action). If WebMarshal records multiple classifications, they are included as a comma separated list within double quotes.
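
The field rules above can be applied when ingesting these logs into a SIEM or script. The following is an added example, not WebMarshal code: it assumes the usual WELF layout of space-separated key=value pairs with double quotes around values that contain spaces, and the tag names, sample records and time format are constructed for illustration.

```python
import re

# WELF record = space-separated key=value pairs; a value is either
# double-quoted (may hold spaces and commas) or a bare token (may be empty).
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
HEADER = ("id", "time", "fw", "pri")   # always first, in this order
LIST_FIELDS = ("dclass", "fclass")     # comma separated list when multiple

def parse_welf(line):
    """Parse one traffic-log record into a dict; dclass/fclass become lists."""
    pairs = [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
             for m in PAIR.finditer(line)]
    if tuple(k for k, _ in pairs[:4]) != HEADER:
        raise ValueError("record does not start with id, time, fw, pri")
    rec = dict(pairs)
    for key in LIST_FIELDS:
        if key in rec:
            rec[key] = [c.strip() for c in rec[key].split(",") if c.strip()]
    return rec

def triage(rec):
    """Tag records whose dst or tncat needs special handling downstream."""
    tags = []
    dst = rec.get("dst")
    if dst == "0.0.0.0":
        tags.append("policy-tester")            # not real client traffic
    elif dst == "" and rec.get("cat_action") == "block":
        tags.append("blocked-before-connect")   # URL block, no connection made
    if rec.get("tncat"):
        tags.append("tracenet:" + rec["tncat"])
    return tags

# Constructed sample records (not real WebMarshal output).
SAMPLE = [
    'id=WebMarshal time="2024-01-15 10:22:31" fw=WMNODE01 pri=6 user=jdoe '
    'src=10.0.0.15 dst= dstname=login.example.test arg=/login?next=/a op=GET '
    'cat_action=block rule="Block Phishing" tncat="Phishing Sites" '
    'dclass="Malware,Policy Breach"',
    'id=WebMarshal time="2024-01-15 10:22:40" fw=WMNODE01 pri=6 user=jdoe '
    'src=10.0.0.15 dst=203.0.113.10 dstname=news.example.test scode=200 '
    'cat_action=pass wmcache=MISS dclass=News',
    'id=WebMarshal time="2024-01-15 10:23:02" fw=WMNODE01 pri=6 user=admin '
    'dst=0.0.0.0 dstname=test.example.test cat_action=pass',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_welf(line)
        print(rec["time"], rec.get("dstname"), triage(rec))
```

Because optional fields may appear in any order, the parser keys on field names rather than position and only enforces the order of the four leading fields.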