Reference: Access Log Formats
As internet traffic occurs, the WSS records every transaction in Access Logs, which are stored on assets in the datacenters. The WSS takes the data from various, relevant Access Log fields to render reports.
If you are downloading the Access Logs to use with Splunk or a third-party reporting application, you might need to know the Access Log fields for mapping references.
In the following table, proxy refers to a proxy appliance in the
Extended Log Format
Tenant ID for the request.
Configured name of the appliance
GMT Date in YYYY-MM-DD format.
GMT time in HH:MM:SS format
Time taken (in milliseconds) to process the request (from the first byte of client request data received by the proxy, to the last byte sent by the proxy to the client, including all of the delays by ICAP, and so on)
Client IP address.
Full username of a client authenticated to the proxy (fully distinguished).
List of groups that an authenticated user belongs to. Only groups referenced by policy are included.
Identifier of the exception resolved (empty if the transaction has not been terminated).
Deprecated content filtering result: Denied, Proxied or Observed.
All content categories of the request URL.
Protocol status code from appliance to client.
Type of action the appliance took to process this request; possible values include
Request method used from client to appliance.
Response header: Content-Type.
Scheme from the 'log' URL.
Hostname from the client's request URL. If URL rewrite policies are used, this field's value is derived from the 'log' URL.
Port from the 'log' URL.
Path from the 'log' URL. Does not include query.
Query from the 'log' URL.
Document extension from the original requested URL.
Request header: User-Agent.
IP address of the appliance on which the client established its connection.
Number of bytes the appliance sent to the client during the playspurt.
Number of bytes sent from client to appliance.
Whether a data leak has occurred, according to the ICAP response.
Identifier of a virus if one was detected.
ID of the cloud service customer site.
Cloud service location name of the
Method used to access the cloud service.
Reports the application name.
Reports the operation of an application.
IP address from the outbound server URL.
Result of validating server SSL certificate.
Errors observed in the server certificate.
An error was observed during the OCSP check for a client certificate.
Version of the SSL protocol negotiated for the server connection.
OpenSSL cipher suite negotiated for the server connection.
Ciphersize of the OpenSSL cipher suite negotiated for the server connection.
Hostname from the server's SSL certificate.
All content categories of the server's SSL certificate's hostname.
Version of the SSL protocol negotiated for the client connection.
OpenSSL cipher suite negotiated for the client connection.
Ciphersize of the OpenSSL cipher suite negotiated for the client connection.
Subject of the certificate presented by the client.
ICAP REQMOD status.
REQMOD ICAP error details.
ICAP RESPMOD status.
RESPMOD ICAP error details.
IP address used to contact the upstream host. This is not set if a connection is not made or if an exception occurs.
The geolocation (country) associated with the IP address of the connection, identified by s-supplier-ip. This is not set if a connection is not made or if an exception occurs.
A list of entries where the IP address resolved but did not result in a successful connection. Each entry comprises the IP address, country, and whether the connection was denied or timed out. This field is designed for use with Symantec Reporter.
The country associated with the client IP address.
Threat risk level of the request URL.
Threat risk level of the server's SSL certificate's hostname.
The agent type of the authenticated client.
Client operating system.
Client agent software.
A unique identifier for the client device.
The name of the device.
Type of device.
Information related to how secure the client environment is per the compliance policy.
The risk score that indicates the security posture of the client,
Reference ID specified in the reference_id(Rule_ID) action in a policy rule.
Issuer for forged certificates.
Key alias name in HSM issuer for forged certificates.
Summary of RS server processing in the form (
A placeholder represented by a dash (
Globally unique per-request identifier generated by the appliance. Default exception pages include the transaction ID; thus, you can look for the ID in the access log to learn more about the transaction.
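For mapping the fields into a third-party reporting tool, the following parser is an added example and is not part of the product documentation. It assumes the downloaded file carries an ELFF `#Fields:` directive, that values containing spaces are double-quoted, and it uses a handful of standard ELFF field names; the sample rows are constructed.

```python
import csv

# Constructed sample, not real WSS output. Assumption: the file names its
# columns, in order, in an ELFF "#Fields:" directive.
SAMPLE_LOG = """\
#Software: constructed-example
#Fields: date time time-taken c-ip cs-username x-exception-id sc-status cs-method cs-host cs(User-Agent) s-supplier-ip
2024-01-15 10:22:31 120 192.0.2.10 "cn=alice,ou=staff,dc=example,dc=com" - 200 GET www.example.com "Mozilla/5.0 (X11; Linux x86_64)" 198.51.100.7
2024-01-15 10:22:35 15 192.0.2.11 - policy_denied 403 GET blocked.example.net "curl/8.4.0" -
2024-01-15 10:22:40 9 192.0.2.12 - - 200 GET short.example.org
"""

def parse_access_log(text):
    """Return (records, rejects): dicts keyed by field name, and malformed lines."""
    fields, records, rejects = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive line; only "#Fields:" changes how rows are mapped.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        # Space-delimited values; values containing spaces are double-quoted.
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if fields is None or len(values) != len(fields):
            # Never guess a mapping: a shifted column silently corrupts reports.
            rejects.append((lineno, line))
            continue
        # A lone dash is the placeholder for "no value"; normalise it to None.
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records, rejects

def terminated_without_upstream(records):
    """Transactions that hit an exception and never reached an upstream host."""
    return [r for r in records
            if r.get("x-exception-id") and r.get("s-supplier-ip") is None]
```

Rows whose value count does not match the `#Fields:` header are returned separately so they can be inspected instead of being mapped to the wrong columns.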