What W3C format can Security Reporting Center analyze?


This article applies to:

  • Security Reporting Center 2.x

Question:

What W3C format can Security Reporting Center analyze?

Symptoms:

  • Unable to analyze W3C log files.
  • Unable to analyze Blue Coat log files.

Causes:

The W3C Extended log file format specifies the fields for log file data, but does not specify the number or order of those fields to provide more flexibility.  In addition, the field names may vary slightly.

Field names are defined in the #Fields directive at the top of the log file. Field names can take one of three forms:

  • identifier
    Example: method

  • prefix-identifier
    Example: cs-method

  • prefix(header)
    Example: cs(User-Agent)

In the third form, "header" refers to an HTTP header, one of the fields sent in an HTTP request.


Identifiers

The following identifiers do not require a prefix.

  • date - Date at which transaction completed, field has type <date>
  • time - Time at which transaction completed, field has type <time>
  • time-taken - Time taken for transaction to complete in seconds, field has type <fixed>
  • bytes - bytes transferred, field has type <integer>
  • cached - Records whether a cache hit occurred, field has type <integer>.  0 indicates a cache miss.


The following identifiers require a prefix.

  • ip - IP address and port, field has type <address>
  • dns - DNS name, field has type <name>
  • status - Status code, field has type <integer>
  • comment - Comment returned with status code, field has type <text>
  • method - Method, field has type <name>
  • uri - URI, field has type <uri>
  • uri-stem - Stem portion alone of URI (omitting query), field has type <uri>
  • uri-query - Query portion alone of URI, field has type <uri>


Prefixes

  • c - Client
  • s - Server
  • r - Remote
  • cs - Client to Server
  • sc - Server to Client
  • sr - Server to Remote Server, this prefix is used by proxies
  • rs - Remote Server to Server, this prefix is used by proxies
  • x - Application specific identifier


Common HTTP Headers

  • User-Agent
  • Cookie
  • Referer

Information:

The following W3C fields are supported by Security Reporting Center:

date
time
c-ip
cs-username
s-ip
cs-method
cs-uri-stem
sc-status
cs-uri-query
sc-bytes
cs-bytes
cs(User-Agent)
cs(Cookie)
cs(Referer)
cs-host
s-action
sc-filter-category
sc-filter-result
s-computername
bytes
c-auth-id
cs-uri
x-username
x-smartfilter-categories
x-smartfilter-result
x-localtime

This article was previously published as:
NETIQKB35522

Last Modified 3/8/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10926.aspx