What configuration is required to analyze log files from a St. Bernard iPrism network appliance?


This article applies to:

  • WebTrends Firewall Suite 4.X
  • Security Reporting Center 2.X

Question:

What configuration is required to analyze log files from a St. Bernard iPrism network appliance?

Procedure:

For Firewall Suite or Security Reporting Center to analyze iPrism data, the iPrism must write its log records in WELF (WebTrends Enhanced Log Format), a space-separated key=value format. Complete the following steps on the St. Bernard iPrism device:

  1. Log into the iPrism interface as the administrator.
  2. Click the Reports button and go to the Preferences tab.
  3. Enter the IP address of the WebTrends machine in the Syslog Host field (this only needs to be set if you are transferring the log files via Syslog). 
  4. Select the WELF Export checkbox.
  5. Exit and save the settings.


When WELF export is enabled, the records in the log file should look similar to this:

id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/transparent.gif op=GET result=0 sent=546
id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/images/curve1.gif op=GET result=304 sent=897
id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/home.asp op=GET result=304 rcvd=8
id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/intro/default.asp op=GET result=0 rcvd=901

If you are using the WebTrends Syslog service to retrieve the data, each record is prefixed with a WTsyslog[...] header (receive time, sender IP and priority) and should look similar to this:

WTsyslog[2003-07-01 06:30:09 ip=192.168.1.1 pri=6] id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/transparent.gif op=GET result=0 sent=546
WTsyslog[2003-07-01 06:30:09 ip=192.168.1.1 pri=6] id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/images/curve1.gif op=GET result=304 sent=897
WTsyslog[2003-07-01 06:30:09 ip=192.168.1.1 pri=6] id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/home.asp op=GET result=304 rcvd=8
WTsyslog[2003-07-01 06:30:09 ip=192.168.1.1 pri=6] id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/intro/default.asp op=GET result=0 rcvd=901
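A quick way to confirm that the iPrism is actually emitting records the reporting software can consume is to run the exported file (or the syslog capture) through a small WELF parser before pointing Firewall Suite or Security Reporting Center at it. The following Python 3 script is an added example, not part of this article or of the WebTrends products; it parses both the plain records and the WTsyslog-prefixed records shown above, and flags the two things that silently lose data in reports: tokens that are not key=value pairs (a record with a stray "result 0" instead of "result=0", for instance) and records missing the four fields WELF requires (id, time, fw, pri). The sample lines are constructed for the example, modelled on the article's output, and the third one is deliberately malformed.

```python
import re
from datetime import datetime

# Constructed sample records modelled on the article's output (not captured from a live
# iPrism). Lines read from the exported file carry no prefix; records received through the
# WebTrends Syslog service are prefixed with a WTsyslog[...] header. The third line is
# deliberately malformed ("result 0" has no "=") to show how a bad token is reported.
SAMPLE_LINES = [
    'id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http '
    'src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/transparent.gif op=GET result=0 sent=546',
    'WTsyslog[2003-07-01 06:30:09 ip=192.168.1.1 pri=6] id=firewall time="2003-07-01 06:30:09" '
    'fw=192.168.1.1 pri=6 proto=http src=192.168.1.1 dst=10.1.1.1 dstname=domain.com '
    'arg=/images/curve1.gif op=GET result=304 sent=897',
    'id=firewall time="2003-07-01 06:30:09" fw=192.168.1.1 pri=6 proto=http '
    'src=192.168.1.1 dst=10.1.1.1 dstname=domain.com arg=/home.asp op=GET result 0 rcvd=8',
]

# Header the WebTrends Syslog service prepends: receive time, sender IP and syslog priority.
WTSYSLOG_PREFIX = re.compile(
    r'^WTsyslog\[(?P<recv_time>.+?) ip=(?P<ip>\S+) pri=(?P<pri>\d+)\]\s*')
# One WELF pair: key=value, where the value is double-quoted (may contain spaces) or bare.
WELF_PAIR = re.compile(r'(?P<key>[A-Za-z_]\w*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')
# Fields WELF designates as required in every record.
REQUIRED_FIELDS = ("id", "time", "fw", "pri")


def parse_welf(line):
    """Parse one WELF record, with or without a WTsyslog[...] prefix.

    Returns (fields, leftovers): fields maps key -> value (prefix values are stored under
    "_wtsyslog_*"), leftovers lists the tokens that were not key=value pairs and would
    therefore be invisible to a WELF consumer.
    """
    line = line.rstrip("\r\n")
    fields = {}
    m = WTSYSLOG_PREFIX.match(line)
    if m:
        fields["_wtsyslog_recv_time"] = m.group("recv_time")
        fields["_wtsyslog_ip"] = m.group("ip")
        fields["_wtsyslog_pri"] = m.group("pri")
        line = line[m.end():]

    leftovers = []
    pos = 0
    while pos < len(line):
        if line[pos].isspace():
            pos += 1
            continue
        pair = WELF_PAIR.match(line, pos)
        if pair:
            value = pair.group("quoted")
            if value is None:
                value = pair.group("bare")
            fields[pair.group("key")] = value
            pos = pair.end()
        else:
            # Not a key=value token: consume it up to the next space and keep it for reporting.
            end = line.find(" ", pos)
            if end == -1:
                end = len(line)
            leftovers.append(line[pos:end])
            pos = end
    return fields, leftovers


def validate_welf(fields, leftovers):
    """Return the problems that would make a WELF consumer drop or misread the record."""
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append("missing required field %s=" % name)
    if leftovers:
        problems.append("tokens without '=': %s" % " ".join(leftovers))
    # WELF pri is a single syslog-style severity digit, 0 (emergency) to 7 (debug).
    pri = fields.get("pri")
    if pri is not None and pri not in list("01234567"):
        problems.append("pri=%r is not a severity 0-7" % pri)
    # WELF time is "yyyy-mm-dd hh:mm:ss"; anything else breaks time-based reports.
    if "time" in fields:
        try:
            datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            problems.append("time=%r is not yyyy-mm-dd hh:mm:ss" % fields["time"])
    return problems


def audit_lines(lines):
    """Parse every line and pair each record with its list of validation problems."""
    results = []
    for line in lines:
        fields, leftovers = parse_welf(line)
        results.append((fields, validate_welf(fields, leftovers)))
    return results


if __name__ == "__main__":
    for number, (fields, problems) in enumerate(audit_lines(SAMPLE_LINES), 1):
        status = "OK" if not problems else "BAD: " + "; ".join(problems)
        print("%d %s %s %s -> %s" % (number, fields.get("src"), fields.get("op"),
                                     fields.get("arg"), status))
```

To check a real export, replace SAMPLE_LINES with the lines of the exported file (or the file written by the WebTrends Syslog service); any record reported as BAD is one the reporting software will either skip or attribute incorrectly, so a run with no BAD records is the confirmation you want before relying on the reports.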

This article was previously published as:
NETIQKB17251

Last Modified 4/10/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10298.aspx