Understanding TestLogServer output
Topic 50333 | TestLogServer | Web Security Solutions | Version 7.7, 7.8 | Updated 19-Sept-2013
Applies To: Websense Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7, 7.8
When you run TestLogServer, the output includes the following information, if available.
| Field | Description |
| --- | --- |
| Log Source | The component that sent the Internet request to Filtering Service (for example, Integration) |
| Client Hostname | Hostname of the machine from which the request originated, if available. If the integration does not provide a hostname, the client IP address is displayed. |
| SourceIP | IP address from which the request originated. This can be used to verify that Filtering Service is seeing traffic from specific machines. |
| DestinationIP | IP address of the requested (target) URL. Incorrect or missing data can indicate DNS issues, which prevent proper filtering. |
| server | IP address of the Filtering Service machine |
| time | Exact time that the request was generated, as provided by the Filtering Service machine |
| disposition | Action applied to the request by Filtering Service. For example, category blocked, permitted by exception, continue user blocked, and so on. |
| URL | The requested (target) URL |
| protocol | The protocol (for example, HTTP, FTP) associated with the request. In the case of non-HTTP filtering, this value can indicate whether or not Filtering Service is classifying protocols correctly. |
| port | The port number the connection attempted to use |
| networkDirection | The direction of the network request (inbound or outbound) |
| method | The HTTP method (get or post) |
| contentType | Type of content specified in the record header |
| category | Master Database or custom category assigned to the requested URL |
| categoryReason | Reason the URL was categorized as it was (for example, defined in the Master Database, recategorized by content scanning, recategorized by custom URL, and so on) |
| bytes sent | Number of bytes sent |
| bytes received | Number of bytes received |
| file name | Name of the file, if any, retrieved from the URL |
| True File Type | The file type associated with the file, as confirmed by Content Gateway file type scanning |
| roleId | The number assigned to the delegated administration role that assigned the policy applied to this request. The Super Administrator role ID number is 8. |
| user | The name of the user making the request, if user identification or authentication is enabled and applied to the client IP address |
| duration | Time, in milliseconds, it took to look up the site |
| scan duration | Time, in milliseconds, it took Content Gateway to analyze the site |
| policyName | Name of the policy applied to the request |
| keyword | The keyword, if any, used to recategorize and block a request |
If you have installed Websense Multiplexer and enabled SIEM integration in TRITON - Web Security, an additional SIEM Results section appears in the TestLogServer output. The SIEM Results section includes the following information:
| Field | Description |
| --- | --- |
| protocol version | Current version of the protocol used to send data to the SIEM integration |
| server status code | HTTP status code sent from the origin server to Websense Content Gateway |
| proxy status code | HTTP status code sent from the Content Gateway proxy to the client machine |
| client source port | Client ephemeral TCP source port |
| client destination port | Client TCP destination port |
| proxy source | IP address of the Content Gateway outbound interface |
| proxy source port | Outbound ephemeral TCP port used by Content Gateway |
| user agent | User agent string sent by the client browser or application. |
The output for each request looks something like this:
Log Source= Integration
Client Hostname= 10.201.136.35
SourceIp= 10.201.136.35
DestinationIp= 74.125.128.104
server= 10.201.136.130
time= Mon Mar 26 11:49:35 2012
version= 6
disposition= 1026 - Category Not Blocked
URL= http://www.google.com/
protocol= 1 - http
port= 80
networkDirection= Inbound
method= GET
contentType = text/html; charset=UTF-8
category= 76 - SEARCH ENGINES AND PORTALS
categoryReason= 1 - Master Database: URL
bytes sent= 647
bytes received= 24041
file name=
True File Type= 6 - Text
roleId= 8
user= WinNT://QA/qauser
duration= 719 ms
scan duration= 0 ms
policyName= role-8**Default
SIEM Results
protocol version= 257
server status code= 200
proxy status code= 200
client source port=49372
client destination port= 8080
proxy source=10.201.136.130
proxy source port= 26615
user agent= Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
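The following Python parser is an added example, not part of the original Websense documentation or of TestLogServer itself. It reads captured output in the format shown above into one dictionary per request, keeps SIEM Results fields apart, rejoins values wrapped onto a second line, and lists requests with no DestinationIp (which the field table ties to possible DNS issues). It assumes each record begins with a `Log Source=` line; the function names and the sample values are constructed for illustration.

```python
import re

# Field names taken from the sample output on this page, lowercased for matching.
FIELDS = set("log source|client hostname|sourceip|destinationip|server|time|version|"
    "disposition|url|protocol|port|networkdirection|method|contenttype|category|"
    "categoryreason|bytes sent|bytes received|file name|true file type|roleid|user|"
    "duration|scan duration|policyname|keyword|protocol version|server status code|"
    "proxy status code|client source port|client destination port|proxy source|"
    "proxy source port|user agent".split("|"))

def parse_records(text):
    """Return one dict per request; SIEM Results fields get a 'siem.' key prefix."""
    records, prefix, last = [], "", None
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition("=")  # split once: URLs may contain '='
        key = key.strip().lower()
        if line == "SIEM Results":
            prefix, last = "siem.", None
        elif sep and key in FIELDS:
            if key == "log source":  # assumed record boundary
                records, prefix = records + [{}], ""
            if records:
                last = prefix + key
                records[-1][last] = value.strip()
        elif line and records and last:  # wrapped value such as "charset=UTF-8"
            records[-1][last] += " " + line
    return records

def coded(value):  # "1026 - Category Not Blocked" -> (1026, "Category Not Blocked")
    m = re.fullmatch(r"(\d+)\s+-\s+(.+)", value or "")
    return (int(m.group(1)), m.group(2)) if m else (None, value)

def dns_suspects(records):
    """URLs of requests logged without a DestinationIp value."""
    return [r.get("url") for r in records if not r.get("destinationip")]

SAMPLE = """Log Source= Integration
DestinationIp= 74.125.128.104
disposition= 1026 - Category Not Blocked
URL= http://www.example.com/?q=a=b
contentType = text/html;
charset=UTF-8
SIEM Results
proxy status code= 200
Log Source= Integration
DestinationIp=
URL= http://intranet.example/
"""  # constructed sample in the page's format, not real TestLogServer output
RECORDS = parse_records(SAMPLE)
```

A wrapped line whose text before the first `=` happens to match a field name would be read as a new field, so check any record that looks truncated against the raw capture.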
Copyright 2016 Forcepoint LLC. All rights reserved.