Reference: Access Log Formats

As internet traffic occurs, the WSS records every transaction in Access Logs, which are stored on assets in the datacenters. The WSS takes the data from various, relevant Access Log fields to render reports.
If you are downloading the Access Logs to use with Splunk or a third-party reporting application, you might need to know the Access Log fields for mapping references.
In the following table, proxy refers to a proxy appliance in the WSS datacenter.
Extended Log Format
Description
x-bluecoat-request-tenant-id
Tenant ID for the request.
x-bluecoat-appliance-name
Configured name of the appliance.
date
GMT Date in YYYY-MM-DD format.
time
GMT time in HH:MM:SS format.
time-taken
Time taken (in milliseconds) to process the request (from the first byte of client request data received by the proxy, to the last byte sent by the proxy to the client, including all of the delays by ICAP, and so on)
c-ip
Client IP address.
cs-userdn
Full username of a client authenticated to the proxy (fully distinguished).
cs-auth-groups
List of groups that an authenticated user belongs to. Only groups referenced by policy are included.
x-exception-id
Identifier of the exception resolved (empty if the transaction has not been terminated).
sc-filter-result
Deprecated content filtering result: Denied, Proxied or Observed.
cs-categories
All content categories of the request URL.
cs(Referer)
Request header: Referer.
sc-status
Protocol status code from appliance to client.
s-action
Type of action the appliance took to process this request; possible values include ALLOWED, DENIED, FAILED, SERVER_ERROR.
cs-method
Request method used from client to appliance.
rs(Content-Type)
Response header: Content-Type.
cs-uri-scheme
Scheme from the 'log' URL.
cs-host
Hostname from the client's request URL. If URL rewrite policies are used, this field's value is derived from the 'log' URL.
cs-uri-port
Port from the 'log' URL.
cs-uri-path
Path from the 'log' URL. Does not include query.
cs-uri-query
Query from the 'log' URL.
cs-uri-extension
Document extension from the original requested URL.
cs(User-Agent)
Request header: User-Agent.
s-ip
IP address of the appliance on which the client established its connection.
sc-bytes
Number of bytes the appliance sent to the client during the playspurt.
cs-bytes
Number of bytes sent from client to appliance.
x-data-leak-detected
Whether a data leak has occurred, according to the ICAP response.
x-virus-id
Identifier of a virus if one was detected.
x-bluecoat-location-id
ID of the cloud service customer site.
x-bluecoat-location-name
Cloud service location name of the ProxySG appliance.
x-bluecoat-access-type
Method used to access the cloud service.
x-bluecoat-application-name
Reports the application name.
x-bluecoat-application-operation
Reports the operation of an application.
r-ip
IP address from the outbound server URL.
r-supplier-country
  • Reports the country of the IP address to which the WSS connected.
  • If the WSS connection did not occur (for example, the transaction was denied based on an earlier condition such as URL category), the field indicates the country that the service would have tried to connect to first; that is, the country of the first IP address returned from a DNS resolution of the server URL's host.
x-rs-certificate-validate-status
Result of validating server SSL certificate.
x-rs-certificate-observed-errors
Errors observed in the server certificate.
x-cs-ocsp-error
An error was observed during the OCSP check for a client certificate.
x-rs-connection-negotiated-ssl-version
Version of the SSL protocol negotiated for the server connection.
x-rs-connection-negotiated-cipher
OpenSSL cipher suite negotiated for the server connection.
x-rs-connection-negotiated-cipher-size
Cipher size of the OpenSSL cipher suite negotiated for the server connection.
x-rs-certificate-hostname
Hostname from the server's SSL certificate.
x-rs-certificate-hostname-categories
All content categories of the server's SSL certificate's hostname.
x-cs-connection-negotiated-ssl-version
Version of the SSL protocol negotiated for the client connection.
x-cs-connection-negotiated-cipher
OpenSSL cipher suite negotiated for the client connection.
x-cs-connection-negotiated-cipher-size
Cipher size of the OpenSSL cipher suite negotiated for the client connection.
x-cs-certificate-subject
Subject of the certificate presented by the client.
cs-icap-status
ICAP REQMOD status.
cs-icap-error-details
REQMOD ICAP error details.
rs-icap-status
ICAP RESPMOD status.
rs-icap-error-details
RESPMOD ICAP error details.
s-supplier-ip
IP address used to contact the upstream host. This is not set if a connection is not made or if an exception occurs.
s-supplier-country
The geolocation (country) associated with the IP address of the connection, identified by s-supplier-ip. This is not set if a connection is not made or if an exception occurs.
s-supplier-failures
A list of entries where the IP address resolved but did not result in a successful connection. Each entry comprises the IP address, country, and whether the connection was denied or timed out. This field is designed for use with Symantec Reporter.
x-cs-client-ip-country
The country associated with the client IP address.
cs-threat-risk
Threat risk level of the request URL.
x-rs-certificate-hostname-threat-risk
Threat risk level of the server's SSL certificate's hostname.
x-client-agent-type
The agent type of the authenticated client.
x-client-os
Client operating system.
x-client-agent-sw
Client agent software.
x-client-device-id
A unique identifier for the client device.
x-client-device-name
The name of the device.
x-client-device-type
Type of device.
x-client-security-posture-details
Information related to how secure the client environment is per the compliance policy.
x-client-security-posture-risk-score
The risk score that indicates the security posture of the client.
x-bluecoat-reference-id
Reference ID specified in the reference_id(Rule_ID) action in a policy rule.
x-sc-connection-issuer-keyring
Issuer for forged certificates.
x-sc-connection-issuer-keyring-alias
Key alias name in HSM issuer for forged certificates.
x-cloud-rs
Summary of RS server processing in the form (<rs-ratings>:<rating-source>:<rating-label>).
x-bluecoat-placeholder
A placeholder represented by a dash (-).
cs(X-Requested-With)
x-bluecoat-transaction-uuid
Globally unique per-request identifier generated by the appliance. Default exception pages include the transaction ID; thus, you can look for the ID in the access log to learn more about the transaction.
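
For the Splunk or third-party mapping case mentioned at the top of this page, the following added example (not Symantec's code) maps each row of a downloaded log to the field names above, flags denied or virus-tagged transactions, and looks up a transaction by the ID shown on an exception page. It assumes the file uses the W3C extended log layout (a #Fields: directive, space-separated values, double-quoted strings, a dash for empty values); the sample rows, exception IDs, virus name and UUIDs are constructed.

```python
import csv

# Constructed sample (assumption: "#Fields:" names the columns, values are
# space-separated, strings containing spaces are double-quoted, "-" is empty).
SAMPLE_LOG = '''#Software: constructed-sample
#Fields: date time c-ip cs-userdn s-action x-exception-id cs-method cs-host cs-uri-path cs(User-Agent) x-virus-id x-bluecoat-transaction-uuid
2024-01-15 09:12:01 192.0.2.10 "CN=Alice Example,OU=Staff" ALLOWED - GET www.example.com /index.html "Mozilla/5.0 (constructed)" - uuid-0001
2024-01-15 09:12:07 192.0.2.11 - DENIED policy_denied GET files.example.net /setup.exe "curl/8.0" - uuid-0002
2024-01-15 09:13:30 192.0.2.10 "CN=Alice Example,OU=Staff" DENIED virus_detected GET cdn.example.org /a.zip "Mozilla/5.0 (constructed)" Constructed.Test.Sig uuid-0003
'''


def parse_access_log(text):
    """Yield one dict per transaction, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line; only #Fields changes how later rows are mapped.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than mis-map
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def flag_transactions(records):
    """Return (transaction uuid, reasons) for rows an analyst should review."""
    flagged = []
    for rec in records:
        reasons = []
        if rec.get("s-action") == "DENIED":
            reasons.append("denied:" + (rec.get("x-exception-id") or "unknown"))
        if rec.get("x-virus-id"):
            reasons.append("virus:" + rec["x-virus-id"])
        if reasons:
            flagged.append((rec.get("x-bluecoat-transaction-uuid", ""), reasons))
    return flagged


def find_transaction(records, uuid):
    """Find the row for a transaction ID copied from an exception page."""
    return next((r for r in records
                 if r.get("x-bluecoat-transaction-uuid") == uuid), None)
```

Because the parser reads column order from the #Fields line, it keeps working when the downloaded log carries a different subset or ordering of the fields in the table.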