| Format specifier | W3C log field | Description |
|---|---|---|
| `%X#11#` | ext_auth_sgt | Custom field parameter for Secure Group Tags used in ISE integrations. |
| `%:<1` | x-p2s-first-byte-time | The time it takes from the moment the Web Proxy starts connecting to the server to the time it is first able to write to the server. If the Web Proxy has to connect to several servers to complete the transaction, it is the sum of those times. |
| `%:<a` | x-p2p-auth-wait-time | Wait-time to receive the response from the Web Proxy authentication process, after the Web Proxy sent the request. |
| `%:<b` | x-p2s-body-time | Wait-time to write the request body to the server after the header. |
| `%:<d` | x-p2p-dns-wait-time | Time taken by the Web Proxy to send the DNS request to the Web Proxy DNS process. |
| `%:<h` | x-p2s-header-time | Wait-time to write the request header to the server after the first byte. |
| `%:<r` | x-p2p-reputation-wait-time | Wait-time to receive the response from the Web Reputation Filters, after the Web Proxy sent the request. |
| `%:<s` | x-p2p-asw-req-wait-time | Wait-time to receive the verdict from the Web Proxy anti-spyware process, after the Web Proxy sent the request. |
| `%:>1` | x-s2p-first-byte-time | Wait-time for the first response byte from the server. |
| `%:>a` | x-p2p-auth-svc-time | Wait-time to receive the response from the Web Proxy authentication process, including the time required for the Web Proxy to send the request. |
| `%:>b` | x-s2p-body-time | Wait-time for the complete response body after the header is received. |
| `%:>c` | x-p2p-fetch-time | Time required for the Web Proxy to read a response from the disk cache. |
| `%:>d` | x-p2p-dns-svc-time | Time taken by the Web Proxy DNS process to send back a DNS result to the Web Proxy. |
| `%:>h` | x-s2p-header-time | Wait-time for the server header after the first response byte. |
| `%:>g` |  | SSL server handshake latency information. |
| `%O` | - | Volume quota consumed. |
| `%:>r` | x-p2p-reputation-svc-time | Wait-time to receive the verdict from the Web Reputation Filters, including the time required for the Web Proxy to send the request. |
| `%:>s` | x-p2p-asw-req-svc-time | Wait-time to receive the verdict from the Web Proxy anti-spyware process, including the time required for the Web Proxy to send the request. |
| `%:1<` | x-c2p-first-byte-time | Wait-time for the first request byte from a new client connection. |
| `%:1>` | x-p2c-first-byte-time | Wait-time for the first byte written to the client. |
| `%:A<` | x-p2p-avc-svc-time | Wait-time to receive the response from the AVC process, including the time required for the Web Proxy to send the request. |
| `%:A>` | x-p2p-avc-wait-time | Wait-time to receive the response from the AVC process, after the Web Proxy sent the request. |
| `%:b<` | x-c2p-body-time | Wait-time for the complete client body. |
| `%:b>` | x-p2c-body-time | Wait-time for the complete body written to the client. |
| `%:C<` | x-p2p-dca-resp-svc-time | Wait-time to receive the verdict from the Dynamic Content Analysis engine, including the time required for the Web Proxy to send the request. |
| `%:C>` | x-p2p-dca-resp-wait-time | Wait-time to receive the response from the Dynamic Content Analysis engine, after the Web Proxy sent the request. |
| `%:h<` | x-c2p-header-time | Wait-time for the complete client header after the first byte. |
| `%:h>` | x-s2p-header-time | Wait-time for the complete header written to the client. |
| `%:m<` | x-p2p-mcafee-resp-svc-time | Wait-time to receive the verdict from the McAfee scanning engine, including the time required for the Web Proxy to send the request. |
| `%:m>` | x-p2p-mcafee-resp-wait-time | Wait-time to receive the response from the McAfee scanning engine, after the Web Proxy sent the request. |
| `%:p<` | x-p2p-sophos-resp-svc-time | Wait-time to receive the verdict from the Sophos scanning engine, including the time required for the Web Proxy to send the request. |
| `%:p>` | x-p2p-sophos-resp-wait-time | Wait-time to receive the response from the Sophos scanning engine, after the Web Proxy sent the request. |
| `%:w<` | x-p2p-webroot-resp-svc-time | Wait-time to receive the verdict from the Webroot scanning engine, including the time required for the Web Proxy to send the request. |
| `%:w>` | x-p2p-webroot-resp-wait-time | Wait-time to receive the response from the Webroot scanning engine, after the Web Proxy sent the request. |
| `%?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%` | x-suspect-user-agent | Suspect user agent, if applicable. If the Web Proxy determines the user agent is suspect, it logs the user agent in this field. Otherwise, it logs a hyphen. This field is written with double-quotes in the access logs. |
| `%<Referer:` | cs(Referer) | Referer header. |
| `%>Server:` | sc(Server) | Server header in the response. |
| `%a` | c-ip | Client IP address. |
| `%A` | cs-username | Authenticated user name. This field is written with double-quotes in the access logs. |
| `%b` | sc-body-size | Bytes sent to the client from the Web Proxy for the body content. |
| `%B` | bytes | Total bytes used (request size + response size, which is %q + %s). |
| `%c` | cs-mime-type | Response body MIME type. This field is written with double-quotes in the access logs. |
| `%C` | cs(Cookie) | Cookie header. This field is written with double-quotes in the access logs. |
| `%d` | s-hostname | Data source or server IP address. |
| `%D` | x-acltag | ACL decision tag. |
| `%e` | x-elapsed-time | Elapsed time in milliseconds. For TCP traffic, this is the time elapsed between the opening and closing of the HTTP connection. For UDP traffic, this is the time elapsed between the sending of the first datagram and the time at which the last datagram can be accepted. A large elapsed time value for UDP traffic may indicate that a large timeout value and a long-lived UDP association allowed datagrams to be accepted longer than necessary. |
| `%E` | x-error-code | Error code number that may help Customer Support troubleshoot the reason for a failed transaction. |
| `%f` | cs(X-Forwarded-For) | X-Forwarded-For header. |
| `%F` | c-port | Client source port. |
| `%g` | cs-auth-group | Authorized group names. This field is written with double-quotes in the access logs. This field is used for troubleshooting policy/authentication issues to determine whether a user is matching the correct group or policy. |
| `%G` |  | Human-readable timestamp. |
| `%h` | sc-http-status | HTTP response code. |
| `%H` | s-hierarchy | Hierarchy retrieval. |
| `%i` | x-icap-server | IP address of the last ICAP server contacted while processing the request. |
| `%I` | x-transaction-id | Transaction ID. |
| `%j` | DCF | Do not cache response code; DCF flags. Response code descriptions: |
| `%k` | s-ip | Data source IP address (server IP address). This value is used to determine a requestor when the IP address is flagged by an intrusion detection device on your network. It allows you to locate a client that visited an IP address that has been so flagged. |
| `%l` | user-type | Type of user, either local or remote. |
| `%L` | x-local_time | Request local time in human-readable format: DD/MMM/YYYY : hh:mm:ss +nnnn. This field is written with double-quotes in the access logs. Enabling this field allows you to correlate logs to issues without having to calculate local time from epoch time for each log entry. |
| `%m` | cs-auth-mechanism | The authentication mechanism used on the transaction; used to troubleshoot authentication issues. Possible values are: BASIC (the user name was authenticated using the Basic authentication scheme); NTLMSSP (the user name was authenticated using the NTLMSSP authentication scheme); NEGOTIATE (the user name was authenticated using the Kerberos authentication scheme); SSO_TUI (the user name was obtained by matching the client IP address to an authenticated user name using transparent user identification); SSO_ISE (the user was authenticated by an ISE server; the log shows GUEST if that is chosen as the fall-back mechanism for ISE authentication); SSO_ASA (the user is a remote user and the user name was obtained from a Cisco ASA using Secure Mobility); FORM_AUTH (the user entered authentication credentials in a form in the web browser when accessing an application); GUEST (the user failed authentication and instead was granted guest access). |
| `%M` | CMF | Cache miss flags: CMF flags. |
| `%N` | s-computerName | Server name or destination hostname. This field is written with double-quotes in the access logs. |
| `%p` | s-port | Destination port number. |
| `%P` | cs-version | Protocol. |
| `%q` | cs-bytes | Request size (headers + body). |
| `%r` | x-req-first-line | Request first line: request method, URI. |
| `%s` | sc-bytes | Response size (header + body). |
| `%t` | timestamp | Timestamp in UNIX epoch. Note: If you want to use a third-party log analyzer tool to read and parse the W3C access logs, you might need to include the "timestamp" field. Most log analyzers only understand time in the format provided by this field. |
| `%u` | cs(User-Agent) | User agent. This field is written with double-quotes in the access logs. This field helps determine if an application is failing authentication and/or requires different access permissions. |
| `%U` | cs-uri | Request URI. |
| `%v` | date | Date in YYYY-MM-DD. |
| `%V` | time | Time in HH:MM:SS. |
| `%w` | sc-result-code | Result code. For example: TCP_MISS, TCP_HIT. |
| `%W` | sc-result-code-denial | Result code denial. |
| `%x` | x-latency | Latency. |
| `%X0` | x-resp-dvs-scanverdict | Unified response-side anti-malware scanning verdict that provides the malware category number independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning. This field is written with double-quotes in the access logs. |
| `%X1` | x-resp-dvs-threat-name | Unified response-side anti-malware scanning verdict that provides the malware threat name independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning. This field is written with double-quotes in the access logs. |
| `%X2` | x-req-dvs-scanverdict | Request-side DVS scan verdict. |
| `%X3` | x-req-dvs-verdictname | Request-side DVS verdict name. |
| `%X4` | x-req-dvs-threat-name | Request-side DVS threat name. |
| `%X6` | x-as-malware-threat-name | Indicates whether Adaptive Scanning blocked the transaction without invoking any anti-malware scanning engine. The possible values are: This variable is included in the scanning verdict information (in the angled brackets at the end of each access log entry). |
| `%XA` | x-webcat-resp-code-abbr | The URL category verdict determined during response-side scanning, abbreviated. Applies to the Cisco Web Usage Controls URL filtering engine only. |
| `%Xb` | x-avc-behavior | The web application behavior identified by the AVC engine. |
| `%XB` | x-avg-bw | Average bandwidth of the user if bandwidth limits are defined by the AVC engine. |
| `%XC` | x-webcat-code-abbr | URL category abbreviation for the custom URL category assigned to the transaction. |
| `%Xd` | x-mcafee-scanverdict | McAfee-specific identifier (scan verdict). |
| `%Xe` | x-mcafee-filename | McAfee-specific identifier (file name yielding the verdict). This field is written with double-quotes in the access logs. |
| `%Xf` | x-mcafee-av-scanerror | McAfee-specific identifier (scan error). |
| `%XF` | x-webcat-code-full | Full name of the URL category assigned to the transaction. This field is written with double-quotes in the access logs. |
| `%Xg` | x-mcafee-av-detecttype | McAfee-specific identifier (detect type). |
| `%XG` | x-avc-reqhead-scanverdict | AVC request header verdict. |
| `%Xh` | x-mcafee-av-virustype | McAfee-specific identifier (virus type). |
| `%XH` | x-avc-reqbody-scanverdict | AVC request body verdict. |
| `%Xi` | x-webroot-trace-id | Webroot-specific scan identifier (Trace ID). |
| `%Xj` | x-mcafee-virus-name | McAfee-specific identifier (virus name). This field is written with double-quotes in the access logs. |
| `%Xk` | x-wbrs-threat-type | Web reputation threat type. |
| `%XK` | x-wbrs-threat-reason | Web reputation threat reason. |
| `%Xl` | x-ids-verdict | Cisco Data Security Policy scanning verdict. If this field is included, it displays the IDS verdict, or "0" if IDS was active but the document scanned clean, or "-" if no IDS policy was active for the request. |
| `%XL` | x-webcat-resp-code-full | The URL category verdict determined during response-side scanning, full name. Applies to the Cisco Web Usage Controls URL filtering engine only. |
| `%XM` | x-avc-resphead-scanverdict | AVC response header verdict. |
| `%Xn` | x-webroot-threat-name | Webroot-specific identifier (threat name). This field is written with double-quotes in the access logs. |
| `%XN` | x-avc-reqbody-scanverdict | AVC response body verdict. |
| `%XO` | x-avc-app | The web application identified by the AVC engine. |
| `%Xp` | x-icap-verdict | External DLP server scanning verdict. |
| `%XP` | x-acl-added-headers | Unrecognized header. Use this field to log extra headers in client requests. This supports troubleshooting of specialized systems that add headers to client requests as a way of authenticating and redirecting those requests, for example, YouTube for Schools. |
| `%XQ` | x-webcat-req-code-abbr | The predefined URL category verdict determined during request-side scanning, abbreviated. |
| `%Xr` | x-result-code | Scanning verdict information. |
| `%XR` | x-webcat-req-code-full | The URL category verdict determined during request-side scanning, full name. |
| `%Xs` | x-webroot-spyid | Webroot-specific identifier (Spy ID). |
| `%XS` | x-request-rewrite | Safe browsing scanning verdict. Indicates whether either the safe search or site content ratings feature was applied to the transaction. |
| `%Xt` | x-webroot-trr | Webroot-specific identifier (Threat Risk Ratio [TRR]). |
| `%XT` | x-bw-throttled | Flag that indicates whether bandwidth limits were applied to the transaction. |
| `%Xu` | x-avc-type | The web application type identified by the AVC engine. |
| `%Xv` | x-webroot-scanverdict | Malware scanning verdict from Webroot. |
| `%XV` | x-request-source-ip | The downstream IP address when the "Enable Identification of Client IP Addresses using X-Forwarded-For" checkbox is enabled for the Web Proxy settings. |
| `%XW` | x-wbrs-score | Decoded WBRS score <-10.0-10.0>. |
| `%Xx` | x-sophos-scanerror | Sophos-specific identifier (scan return code). |
| `%Xy` | x-sophos-file-name | The name of the file in which Sophos found the objectionable content. Applies to responses detected by Sophos only. |
| `%XY` | x-sophos-scanverdict | Sophos-specific identifier (scan verdict). |
| `%Xz` | x-sophos-virus-name | Sophos-specific identifier (threat name). |
| `%XZ` | x-resp-dvs-verdictname | Unified response-side anti-malware scanning verdict that provides the malware category independent of which scanning engines are enabled. Applies to transactions blocked or monitored due to server response scanning. This field is written with double-quotes in the access logs. |
| `%X#1#` | x-amp-verdict | Verdict from Advanced Malware Protection file scanning: 0 = file is not malicious; 1 = file was not scanned because of its file type; 2 = file scan timed out; 3 = scan error; greater than 3 = file is malicious. |
| `%X#2#` | x-amp-malware-name | Threat name, as determined by Advanced Malware Protection file scanning. "-" indicates no threat. |
| `%X#3#` | x-amp-score | Reputation score from Advanced Malware Protection file scanning. This score is used only if the cloud reputation service is unable to determine a clear verdict for the file. For details, see the information about the Threat Score and the reputation threshold in File Reputation Filtering and File Analysis. |
| `%X#4#` | x-amp-upload | Indicator of upload and analysis request: "0" indicates that Advanced Malware Protection did not request upload of the file for analysis; "1" indicates that Advanced Malware Protection did request upload of the file for analysis. |
| `%X#5#` | x-amp-filename | The name of the file being downloaded and analyzed. |
| `%X#6#` | x-amp-sha | The SHA-256 identifier for this file. |
| `%y` | cs-method | Method. |
| `%Y` | cs-url | The entire URL. |
| N/A | x-hierarchy-origin | Code that describes which server was contacted for retrieving the request content (for example, DIRECT/www.example.com). |
| N/A | x-resultcode-httpstatus | Result code and the HTTP response code, with a slash (/) in between. |
| N/A | x-archivescan-verdict | Displays the verdict of Archive Inspection. |
| N/A | x-archivescan-verdict-reason | Details of the file blocked by Archive Scan. |
| `%XU` | N/A | Reserved for future use. |
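The script below is an added example, not Cisco's code or part of this guide. It takes a custom access-log format string built from the specifiers in the table above, compiles it into a parser keyed by the W3C field names, tolerates the double-quoted fields the table calls out, picks up the scanning-verdict block that `%Xr` writes in angle brackets at the end of the entry, fills in the composite W3C-only fields (`x-resultcode-httpstatus`, `x-hierarchy-origin`, `x-local_time`) and checks the `%B = %q + %s` identity before an entry is trusted by a detection pipeline. The format string, the two log entries, the whitespace-separated layout and the use of "-" for an absent authentication mechanism are assumptions made for illustration, not values from the guide.

```python
"""Parse access-log entries written with the custom-field specifiers above.

Added example (not Cisco's code). Format string and log lines are constructed.
Assumed: fields are whitespace-separated; fields the table marks as
double-quoted may appear in double quotes; %Xr is the angle-bracketed group
at the end of the entry.
"""
import re
from datetime import datetime, timezone

# Specifier -> W3C field name (subset of the table above).
SPECIFIERS = {
    "%t": "timestamp", "%e": "x-elapsed-time", "%a": "c-ip",
    "%w": "sc-result-code", "%h": "sc-http-status", "%q": "cs-bytes",
    "%s": "sc-bytes", "%B": "bytes", "%y": "cs-method", "%U": "cs-uri",
    "%A": "cs-username", "%H": "s-hierarchy", "%d": "s-hostname",
    "%c": "cs-mime-type", "%m": "cs-auth-mechanism", "%Xr": "x-result-code",
}
# Fields the table says are written with double quotes in the access logs.
QUOTED = {"%A", "%c"}
# cs-auth-mechanism values listed in the table; "-" (none) is an assumption.
AUTH_MECHANISMS = {"BASIC", "NTLMSSP", "NEGOTIATE", "SSO_TUI", "SSO_ISE",
                   "SSO_ASA", "FORM_AUTH", "GUEST", "-"}


def _literal_pattern(text):
    """Regex for literal text between specifiers; whitespace runs become \\s+."""
    return "".join(r"\s+" if p.isspace() else re.escape(p)
                   for p in re.split(r"(\s+)", text) if p)


def compile_format(fmt):
    """Turn a format string such as '%t %e %a %w/%h' into (regex, field names).
    Longer specifiers are tried first so '%Xr' is not read as '%X' + 'r'."""
    spec_re = re.compile("|".join(re.escape(s) for s in
                                  sorted(SPECIFIERS, key=len, reverse=True)))
    fields, parts, pos = [], [], 0
    for m in spec_re.finditer(fmt):
        parts.append(_literal_pattern(fmt[pos:m.start()]))
        spec = m.group()
        fields.append(SPECIFIERS[spec])
        if spec == "%Xr":
            parts.append(r"<([^>]*)>")        # verdict info in angle brackets
        elif spec in QUOTED:
            parts.append(r'("[^"]*"|\S+)')    # quoted value, or a bare "-"
        else:
            parts.append(r"(\S+)")
        pos = m.end()
    parts.append(_literal_pattern(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$"), fields


def local_time(epoch, tz=timezone.utc):
    """Render an epoch timestamp in the x-local_time layout the table gives
    (DD/MMM/YYYY : hh:mm:ss +nnnn); UTC by default so output is deterministic."""
    return datetime.fromtimestamp(epoch, tz).strftime("%d/%b/%Y : %H:%M:%S %z")


def add_derived(rec):
    """Add the composite W3C-only fields (specifier N/A in the table) and the
    consistency checks worth making before an entry feeds detection logic."""
    if "sc-result-code" in rec and "sc-http-status" in rec:
        rec["x-resultcode-httpstatus"] = rec["sc-result-code"] + "/" + rec["sc-http-status"]
    if "s-hierarchy" in rec and "s-hostname" in rec:
        rec["x-hierarchy-origin"] = rec["s-hierarchy"] + "/" + rec["s-hostname"]
    if {"bytes", "cs-bytes", "sc-bytes"}.issubset(rec):
        # The table defines bytes (%B) as %q + %s; flag entries where that fails.
        rec["bytes-consistent"] = int(rec["bytes"]) == int(rec["cs-bytes"]) + int(rec["sc-bytes"])
    if "timestamp" in rec:
        rec["x-local_time"] = local_time(float(rec["timestamp"]))
    if "cs-auth-mechanism" in rec:
        rec["auth-mechanism-known"] = rec["cs-auth-mechanism"] in AUTH_MECHANISMS
    return rec


def parse_line(compiled, fields, line):
    """Match one entry and return a dict of W3C field name -> value."""
    m = compiled.match(line.strip())
    if not m:
        raise ValueError("entry does not match format: " + line)
    rec = {}
    for name, val in zip(fields, m.groups()):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                   # drop the surrounding quotes
        rec[name] = val
    return add_derived(rec)


def parse_access_log(fmt, lines):
    compiled, fields = compile_format(fmt)
    return [parse_line(compiled, fields, ln) for ln in lines if ln.strip()]


# Constructed format string and entries (not real log data).
ACCESS_LOG_FORMAT = "%t %e %a %w/%h %q %s %B %y %U %A %H/%d %c %m %Xr"
SAMPLE_LINES = [
    '1278096903.150 97 10.1.2.3 TCP_MISS/200 412 8187 8599 GET '
    'http://www.example.com/ "alice" DIRECT/www.example.com "text/html" '
    'NTLMSSP <IW_comp,6.9,-,"-",-,-,-,-,"-">',
    '1278096950.001 12 10.1.2.4 TCP_DENIED/403 380 1203 1583 GET '
    'http://blocked.example.test/file.exe "-" NONE/- "-" - '
    '<IW_infr,-9.5,-,"-",-,-,-,-,"Example.Threat">',
]

if __name__ == "__main__":
    for rec in parse_access_log(ACCESS_LOG_FORMAT, SAMPLE_LINES):
        print(rec["x-local_time"], rec["c-ip"], rec["x-resultcode-httpstatus"],
              rec["x-hierarchy-origin"], rec["cs-username"], rec["bytes-consistent"])
```

Because the regex is generated from the format string, the same parser works for any field order you configure; the `bytes-consistent` and `auth-mechanism-known` flags are the kind of sanity checks that catch a misconfigured format (fields shifted by one column) before it silently corrupts downstream alerting.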