logs_xml.config
Help | Content Gateway | Version 8.1.x
The logs_xml.config file defines the custom log file formats, filters, and processing options. The format of this file is modeled after XML, the Extensible Markup Language.
Format
The logs_xml.config file contains the following specifications:
* LogFormat specifies the fields to be gathered from each protocol event access. See LogFormat.
* LogFilter specifies the filters that are used to include or exclude certain entries being logged based on the value of a field within that entry. See LogFilter.
* LogObject specifies an object that contains a particular format, a local filename, filters, and collation servers. See LogObject.
 
Note 
The logs_xml.config file ignores extra white space, blank lines, and all comments.
LogFormat
The following table lists the LogFormat specifications.
 
Required. A valid format specification is a printf-style string describing each log entry when formatted for ASCII output. Use '%<field>' as placeholders for valid field names. For more information, see Custom logging fields. The specified field can be of two types:
Use this tag when the format contains aggregate operators. The value "aggregate_interval_secs" represents the number of seconds between individual aggregate values being produced. The valid set of aggregate operators are:
*
*
LogFilter
The following table lists the LogFilter specifications.
 
valid_log_field - the field that will be compared against the given value. For more information, see Logging format cross-reference.
valid_operator_field - any one of the following: MATCH, CASE_INSENSITIVE_MATCH, CONTAIN, CASE_INSENSITIVE_CONTAIN. MATCH is true if the field and value are identical (case sensitive). CASE_INSENSITIVE_MATCH is similar to MATCH, only case insensitive. CONTAIN is true if the field contains the value (the value is a substring of the field). CASE_INSENSITIVE_CONTAIN is a case-insensitive version of CONTAIN.
valid_comparison_value - any string or integer matching the field type. For integer values, all of the operators are equivalent and mean that the field must be equal to the specified value.
Required. ACCEPT or REJECT. This instructs Content Gateway to either accept or reject records satisfying the condition of the filter.
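To check which records a filter would keep or drop before deploying it, the operator rules above can be modelled in a few lines. This is an added example, not Content Gateway code: the function names, the record dictionaries, and the reading that REJECT drops matching records and logs the rest are assumptions. It accepts the field with or without %<>, as the Examples section notes.

```python
import re

# Operator semantics as described in the LogFilter section above.
OPERATORS = {
    "MATCH": lambda field, value: field == value,
    "CASE_INSENSITIVE_MATCH": lambda field, value: field.lower() == value.lower(),
    "CONTAIN": lambda field, value: value in field,
    "CASE_INSENSITIVE_CONTAIN": lambda field, value: value.lower() in field.lower(),
}
# "<field> <operator> <value>", where the field may be written %<name> or name.
CONDITION = re.compile(r"^\s*(?:%<(\w+)>|(\w+))\s+(\w+)\s+(.+?)\s*$")


def parse_condition(text):
    m = CONDITION.match(text)
    if not m or m.group(3) not in OPERATORS:
        raise ValueError(f"not a valid filter condition: {text!r}")
    return m.group(1) or m.group(2), m.group(3), m.group(4)


def condition_holds(condition, record):
    field, operator, value = parse_condition(condition)
    actual = record[field]
    if isinstance(actual, int):
        # Integer fields: every operator means plain equality.
        return actual == int(value)
    return OPERATORS[operator](actual, value)


def is_logged(action, condition, record):
    """Model of one filter: ACCEPT keeps only matching records,
    REJECT drops matching records (assumed reading of the Action text)."""
    hit = condition_holds(condition, record)
    if action == "ACCEPT":
        return hit
    if action == "REJECT":
        return not hit
    raise ValueError(f"Action must be ACCEPT or REJECT, got {action!r}")


# Constructed records keyed by log field name (not real gateway output).
RECORDS = [
    {"shn": "www.example.com", "pssc": "REFRESH_HIT", "psql": 512},
    {"shn": "WWW.EXAMPLE.COM", "pssc": "MISS", "psql": 5120},
]

if __name__ == "__main__":
    for cond in ("%<pssc> MATCH REFRESH_HIT", "shn CONTAIN example.com", "psql CONTAIN 512"):
        print(cond, [is_logged("ACCEPT", cond, r) for r in RECORDS])
```

The last condition shows the integer rule: 5120 is not logged even though "512" is a substring of "5120".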
LogObject
The following table lists the LogObject specifications.
 
If the name does not contain an extension (for example, squid), the extension .log is automatically appended to it for ASCII logs and .blog for binary logs. (See <Mode = "valid_logging_mode"/> below.) If you do not want an extension to be added, end the filename with a single dot (.): for example, squid.
Valid logging modes include ascii, binary, and ascii_pipe. The default is ascii.
Use ascii to create event log files in human-readable form (plain ASCII).
Use binary to create event log files in binary format. Binary log files generate lower system overhead and occupy less space on the disk (depending on the information being logged). You must use the logcat utility to translate binary log files to ASCII format before you can read them.
Use ascii_pipe to write log entries to a UNIX named pipe (a buffer in memory). Other processes can then read the data using standard I/O functions. Content Gateway does not have to write to disk, freeing disk space and bandwidth for other tasks. In addition, writing to a pipe does not stop when logging space is exhausted because the pipe does not use disk space.
Enables or disables log file rolling for the LogObject. This setting overrides the value for the configuration setting Log Rolling: Enabled/Disabled in the Content Gateway manager or proxy.config.log2.rolling_enabled in the records.config file.
Set "truth value" to 1 or true to enable rolling; set it to 0 or false to disable rolling for this particular LogObject.
Specifies the seconds between log file rolling for the LogObject. This setting overrides the value for the configuration setting Log Rolling: Interval in the Content Gateway manager or proxy.config.log2.rolling_interval_sec in the records.config file. This option allows you to specify different rolling intervals for different LogObjects.
Examples
The following is an example of a LogFormat specification collecting information using three common fields:
<LogFormat>
<Name = "minimal"/>
<Format = "%<chi> : %<cqu> : %<pssc>"/>
</LogFormat>
The following is an example of a LogFormat specification using aggregate operators:
<LogFormat>
<Name = "summary"/>
<Format = "%<LAST(cqts)> : %<COUNT(*)> : %<SUM(psql)>"/>
<Interval = "10"/>
</LogFormat>
The following is an example of a LogFilter that will cause only REFRESH_HIT entries to be logged:
<LogFilter>
<Name = "only_refresh_hits"/>
<Action = "ACCEPT"/>
<Condition = "%<pssc> MATCH REFRESH_HIT"/>
</LogFilter>
 
Note 
When specifying the field in the filter condition, you can omit the %<>. This means that the following filter is equivalent to the example directly above:
The following is an example of a LogObject specification that creates a local log file for the minimal format defined earlier. The log filename will be minimal.log because this is an ASCII log file (the default).
<LogObject>
<Format = "minimal"/>
<Filename = "minimal"/>
</LogObject>
The following is an example of a LogObject specification that includes only HTTP requests served by hosts in the domain company.com or by the specific server server.somewhere.com. Log entries are sent to port 4000 of the collation host logs.company.com and to port 5000 of the collation host 209.131.52.129.
<LogObject>
<Format = "minimal"/>
<Filename = "minimal"/>
<ServerHosts = "company.com,server.somewhere.com"/>
<Protocols = "http"/>
<CollationHosts = "logs.company.com:4000,209.131.52.129:5000"/>
</LogObject>
WELF (WebTrends Enhanced Log Format)
Content Gateway supports WELF, the WebTrends Enhanced Log Format, so that you can analyze Content Gateway log files with WebTrends reporting tools. A predefined <LogFormat> that is compatible with WELF is provided at the end of the logs.config file (shown below). To create a WELF format log file, create a <LogObject> that uses this predefined format.
<LogFormat>
<Name = "welf"/>
<Format = "id=firewall time=\"%<cqtd> %<cqtt>\" fw=%<phn> pri=6 proto=%<cqus> duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> dstname=%<shn> user=%<caun> op=%<cqhm> arg=\"%<cqup>\" result=%<pssc> ref=\"%<{Referer}cqh>\" agent=\"%<{user-agent}cqh>\" cache=%<crc>"/>
</LogFormat>
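When WELF lines are consumed by your own tooling, the parser should check each line against the format that produced it. The arg, ref and agent values come from the client request, and this page does not say how a double quote inside a quoted value is written. The following is an added example, not Forcepoint or WebTrends code; the function name and the sample lines are constructed for illustration.

```python
import re

# Format string from the predefined "welf" LogFormat above (XML \" escapes removed).
WELF_FORMAT = (
    'id=firewall time="%<cqtd> %<cqtt>" fw=%<phn> pri=6 proto=%<cqus> '
    'duration=%<ttmsf> sent=%<psql> rcvd=%<cqhl> src=%<chi> dst=%<shi> '
    'dstname=%<shn> user=%<caun> op=%<cqhm> arg="%<cqup>" result=%<pssc> '
    'ref="%<{Referer}cqh>" agent="%<{user-agent}cqh>" cache=%<crc>'
)
# Key order the format emits: id, time, fw, ... cache (18 keys).
EXPECTED_KEYS = re.findall(r'(?:^| )(\w+)=', WELF_FORMAT)
PAIR = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_welf(line):
    """Return the record as a dict, or raise ValueError if the line does not
    carry exactly the keys, in order, that the welf format produces."""
    line = line.strip()
    pairs, pos = [], 0
    while pos < len(line):
        m = PAIR.match(line, pos)
        if not m:
            raise ValueError(f"unparseable text at column {pos}")
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((key, value))
        pos = m.end()
        if pos < len(line):
            if line[pos] != " ":
                raise ValueError(f"expected a space at column {pos}")
            pos += 1
    keys = [k for k, _ in pairs]
    if keys != EXPECTED_KEYS:
        raise ValueError(f"unexpected key sequence: {keys}")
    return dict(pairs)


# Constructed sample line (not real Content Gateway output).
GOOD = ('id=firewall time="2016-03-01 12:00:00" fw=proxy1 pri=6 proto=http '
        'duration=0.120 sent=512 rcvd=300 src=10.0.0.5 dst=192.0.2.10 '
        'dstname=www.example.com user=- op=GET arg="/search?q=a b" result=200 '
        'ref="-" agent="Mozilla/5.0 (X11; Linux x86_64)" cache=TCP_MISS')
# Same line with a quote inside the agent value, written unescaped (assumed case).
FORGED = GOOD.replace('agent="Mozilla/5.0 (X11; Linux x86_64)"',
                      'agent="x" user="admin"')

if __name__ == "__main__":
    print(parse_welf(GOOD)["agent"])
```

A line that fails the key-sequence check should be kept for review rather than silently discarded, since it may indicate a malformed or tampered record.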

Copyright 2016 Forcepoint LLC. All rights reserved.