Documentation | Support

Go to the table of contents Go to the previous page You are at the end of the document View or print as PDF
Using TestLogServer for Troubleshooting : Understanding TestLogServer output
Understanding TestLogServer output
Using TestLogServer | Web Protection Solutions | v8.4.x, v8.5.x | 29-Apr-2022
When you run TestLogServer, the output includes the following information, if available.
 
Field             
Description
Log Source
The component that sent the Internet request to Filtering Service
Client Hostname
Hostname of the machine from which the request originated, if available. If a hostname is not available, the client IP address is displayed.
SourceIP
IP address from which the request originated
This can be used to verify that Filtering Service is seeing traffic from specific machines.
DestinationIP
IP address of the requested (target) URL
Incorrect or missing data can indicate DNS issues, which prevent proper filtering.
server
IP address of the Filtering Service machine
time
Exact time that the request was generated, as provided by the Filtering Service machine
version
Version of the log record being processed (internal use only)
disposition
Action applied to the request by Filtering Service. For example, category blocked, permitted by exception, continue user blocked, and so on.
URL
The requested (target) URL
protocol
The protocol (for example, HTTP, FTP) associated with the request. In the case of non-HTTP protocols, this value can indicate whether or not Filtering Service is classifying protocols correctly.
port
The port number the connection attempted to use
networkDirection
The direction of the network request (inbound or outbound)
method
The HTTP method (get or post)
contentType
Type of content specified in the record header
category
Forcepoint URL Database or custom category assigned to the requested URL
categoryReason
Reason the URL was categorized as it was (for example, defined in the Forcepoint URL Database, recategorized by content scanning, recategorized by custom URL, and so on)
bytes sent
Number of bytes sent
bytes received
Number of bytes received
file name
Name of the file, if any, retrieved from the URL
True File Type
The file type associated with the file, as confirmed by Content Gateway file type analysis (Forcepoint Web Security)
roleId
The number assigned to the delegated administration role that assigned the policy applied to this request. The Super Administrator role ID number is 8.
user
The name of the user making the request, if user identification or authentication is enabled and applied to the client IP address
duration
Time, in milliseconds, it took to look up the site
scan duration
Time, in milliseconds, it took Content Gateway to analyze the site (Forcepoint Web Securityonly)
policyName
Name of the policy applied to the request
keyword
The keyword, if any, used to recategorize and block a request
If you have enabled SIEM integration in the Security Manager, an additional SIEM Results section appears in the TestLogServer output. The SIEM Results section includes the following information. Note that information provided by Content Gateway is available only with Forcepoint Web Security.
 
Field             
Description
protocol version
Current version of the protocol used to send data to the SIEM integration
server status code
HTTP status code sent from the origin server to Content Gateway
proxy status code
HTTP status code sent from the Content Gateway proxy to the client machine
client source port
Client ephemeral TCP source port
client destination port
Client TCP destination port
proxy source
IP address of the Content Gateway outbound interface
proxy source port
Outbound ephemeral TCP port used by Content Gateway
user agent
User agent string sent by the client browser or application.
X-Forwarded-For
IP address of the client which sent the request. The request was sent through a client proxy, load balancer, or similar device.
If the request was to a cloud application, an additional Cloud App Results section appears in the output. The Cloud App Results section includes the following information.
 
Field             
Description
app id
Internal ID assigned to the cloud application.
app name
Name of the requested cloud application.
app risk level
Risk level (high, medium, or low) assigned to the cloud application.
app category id
Internal ID assigned to the type of cloud application.
app category name
Name of the cloud application type.
The output for each request looks something like this:
Log Source= Integration
Client Hostname= 192.168.3.50
SourceIp= 10.201.136.35
DestinationIp= 74.125.128.104
server= 10.201.136.130
time= Tue Jul 18 11:41:33 2017
version= 6
disposition= 1026 - Category Not Blocked
URL= http://www.google.com/
protocol= 1 - http
port= 80
networkDirection= Inbound
method= GET
contentType = text/html;
charset=UTF-8
category= 76 - SEARCH ENGINES AND PORTALS
categoryReason= 1 - Master Database: URL
bytes sent= 647
bytes received= 24041
file name=
True File Type= 0 - None
roleId= 8
user= WinNT://QA/qauser
duration= 719 ms
scan duration= 0 ms
policyName= role-8**Default
SIEM Results
protocol version= 257
server status code= 200
proxy status code= 200
client source port=49372
client destination port= 8080
proxy source=10.201.136.130
proxy source port= 26615
user agent= Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
X-Forward For=
Cloud App Results
app id = 0
app name =
app risk level = 0
app category id = 0
app category name =
 
 
 
 
 
 
 
©2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of their respective owners.
 

Go to the table of contents Go to the previous page You are at the end of the document View or print as PDF
Using TestLogServer for Troubleshooting : Understanding TestLogServer output
Copyright 2022 Forcepoint. All rights reserved.