ProxySG Log Fields And Substitutions


Version 6.5.x through 7.3.x
Guide Revision: 5/26/2021

Symantec Corporation - SGOS 6.x and 7.x

Legal Notice

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Copyright 2021 Broadcom. All Rights Reserved.

The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

Wednesday, May 26, 2021

Table of Contents

"About this Document" on the next page

Commonly Used Fields:
- "Client/Server Bytes" on page 6
- "Connection Details" on page 9
- "DNS" on page 26
- "HTTP" on page 28
- "Request Headers" on page 29
- "Response Headers" on page 63
- "Request/Response Status" on page 102
- "SSL" on page 117
- "Time" on page 124
- "URL" on page 135
- "User Authentication" on page 146
- "WAF" on page 153

Additional Fields:
- "CIFS" on page 156
- "MAPI and Office 365" on page 161
- "P2P Connections" on page 164
- "Special Characters" on page 165
- "Streaming Media" on page 168
- "WebEx Proxy" on page 176

"Substitution Modifiers" on page 177
- "Timestamp Modifiers" on page 178
- "String Modifiers" on page 180
- "Host Modifiers" on page 183

About this Document

This document lists all valid ELFF and CPL substitutions for ELFF log formats, and some custom values for custom log formats.

Substitutions allow you to fetch information from the current transaction. This information can be optionally transformed, and then substituted into a character string or block of text.

Substitutions can occur in the following contexts:
- In exception pages, ICAP patience pages, and authentication forms; refer to the SGOS Administration Guide for details
- In the definition of substitution realms; refer to the SGOS Administration Guide for details
- In CPL define string statements, and inside most (but not all) "." or '.' string literals
- In some Visual Policy Manager objects, such as Event Log and Notify User

The following is an example of a substitution: $(user)

The general syntax for a substitution is:

    "$(" field modifier* ")"

where:
- field is an ELFF field name or a supported CPL substitution. When a field supports both ELFF and CPL, the values are interchangeable; for example, $(cs-ip) and $(proxy.address) are equivalent. You can use either one in an ELFF format.
- modifier transforms the field name or substitution value specified in field. A substitution can contain zero or more modifiers after the field name. Modifiers are interpreted from left to right. For more information, see "Substitution Modifiers" on page 177.

Note: $(request.x_header.x-header-name) and $(response.x_header.x-header-name) are also valid substitutions.

Note: You can use $$ as a CPL substitution that is replaced by $. If, for example, you are using jQuery to customize an exception page on the appliance, a jQuery function such as $('body') will be reported as an error. This error occurs because the appliance interprets the jQuery function as an invalid CPL substitution. To prevent the misinterpretation of the jQuery function, use $$('body') instead of $('body').

For more information on ProxySG access logs, refer to the SGOS Administration Guide. For details on CPL, refer to the Content Policy Language Reference. Documentation is available at Broadcom Tech /7-3.html

Note: This document does not describe access log fields pertaining to features deprecated in SGOS 6.5.x and earlier (such as Surfcontrol, Websense, and IM proxies).
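The substitution rules above (the $( field modifier* ) syntax, interchangeable ELFF/CPL names such as $(cs-ip) and $(proxy.address), left-to-right modifier application, and the $$ escape that keeps jQuery's $('body') from being read as a substitution) can be exercised with a small expander. This is an added example, not code from the guide or from SGOS: the transaction values, the alias table and the modifier names (upper, lower, first8) are constructed for illustration; the appliance's real modifier set is on page 177 and is not reproduced here.

```python
"""Expand ProxySG-style $(field modifier*) substitutions in a block of text."""
import re

# Constructed transaction values, keyed by ELFF field name.
TRANSACTION = {"user": "alice", "cs-ip": "93.184.216.34", "c-ip": "10.1.1.5"}

# The page states that an ELFF name and its CPL equivalent are interchangeable,
# so CPL names resolve to the same value as their ELFF counterpart.
ALIASES = {"proxy.address": "cs-ip", "client.address": "c-ip"}

# Hypothetical modifier names for this example only (not the appliance's list).
MODIFIERS = {
    "upper": str.upper,
    "lower": str.lower,
    "first8": lambda s: s[:8],
}

# "$$" is tried first so it is never mistaken for the start of a substitution.
TOKEN = re.compile(r"\$\$|\$\(([^)]*)\)")


def expand(template, transaction):
    """Replace every $$ with $ and every $(field modifier*) with its value.

    Raises ValueError for an unknown field or modifier, which is how the
    appliance reports an invalid substitution such as jQuery's $('body')."""

    def resolve(match):
        if match.group(0) == "$$":
            return "$"
        parts = match.group(1).split()
        if not parts:
            raise ValueError("empty substitution")
        field, modifiers = parts[0], parts[1:]
        name = ALIASES.get(field, field)
        if name not in transaction:
            raise ValueError(f"unknown field: {field}")
        value = str(transaction[name])
        for mod in modifiers:  # modifiers are applied left to right
            if mod not in MODIFIERS:
                raise ValueError(f"unknown modifier: {mod}")
            value = MODIFIERS[mod](value)
        return value

    return TOKEN.sub(resolve, template)


def is_invalid(template, transaction):
    """True when the template would be reported as an error by expand()."""
    try:
        expand(template, transaction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(expand("User $(user upper) from $(client.address) to $(proxy.address)", TRANSACTION))
    print(expand("$$('body').hide()", TRANSACTION))  # survives as $('body').hide()
    print(is_invalid("$('body')", TRANSACTION))      # True: read as a substitution
```

The regex alternation order is the whole point of the escape: at "$$(" the first alternative consumes both dollar signs before the second alternative can see "$(", so the jQuery call reaches the page intact.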

Client/Server Bytes

These fields pertain to bytes sent to or from the appliance.

ELFF | CPL | Custom | Introduced in SGOS versions | Description
cs-bodylength | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Number of bytes in the body (excludes header) sent from client to appliance.
cs-bytes | | %B | 7.x, 6.7.x, 6.6.x, 6.5.x | Number of HTTP/1.1 bytes sent from client to appliance.
cs-headerlength | | | 7.x (*) | Number of bytes in the header sent from client to appliance. (*)
rs-bodylength (*) | | | 6.5.x (*) | Number of bytes in the body (excludes header) sent from upstream host to appliance.
rs-bytes | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Number of HTTP/1.1 bytes sent from upstream host to appliance.
rs-headerlength (*) | | | 6.5.x (*) | Number of bytes in the header sent from upstream host to appliance.
sc-bodylength | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Number of bytes in the body (excludes header) sent from appliance to client.
sc-bytes | | %b | 7.x, 6.7.x, 6.6.x, 6.5.x | Number of HTTP/1.1 bytes sent from appliance to client.
sc-headerlength | | | 7.x (*) | Number of bytes in the header sent from appliance to client. (*)
sr-bodylength (*) | | | 6.5.x (*) | Number of bytes in the body (excludes header) sent from appliance to upstream host.
sr-bytes | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Number of HTTP/1.1 bytes sent from appliance to upstream host.
sr-headerlength (*) | | | 6.5.x (*) | Number of bytes in the header sent from appliance to upstream host.

(*) marks an entry that is partly cut off in the source extraction: only the visible version numbers are listed, and the field name or the end of the description was completed from the parallel rows of this table.

Connection Details

These fields pertain to IP address, port, geolocation, and more.

ELFF | CPL | Custom | Introduced in SGOS versions | Description
c-connect-type | | | 7.x, 6.7.x, 6.6.x, 6.5.x | The type of connection made by the client to the appliance: Transparent or Explicit.
c-dns | | %h | 7.x, 6.7.x, 6.6.x, 6.5.x | Hostname of the client (uses the client's IP address to avoid reverse DNS).
c-ip | client.address | %a | 7.x, 6.7.x, 6.6.x, 6.5.x | Client IP address.
c-port | | | 7.x, 6.7.x, 6.6.x (*) | Source port used by … (*)
… (*) | | | | REQMOD ICAP server hostname.
… (*) | | | | REQMOD ICAP server IP address.
cs-icap-service | | | 7.3.3 (*) | REQMOD ICAP service or service group name.
cs-ip | proxy.address | | 7.x, 6.7.x, 6.6.x, 6.5.x | IP address of the destination of the client's connection.
r-dns | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Hostname from the outbound server URL.
r-ip | | | 7.x, 6.7.x, 6.6.x, 6.5.x | IP address from the outbound server URL.
r-port | | %p | 7.x (*) | Port from the outbound server … (*)
… (*) | | | | Country of the upstream host. This is not set if a connection is not made, but is correct when an exception occurs.
…-supplier-dns (*) | | | 6.7.x, 6.6.x, 6.5.x (*) | Hostname of the upstream host. This is not set if a connection is not made, but is correct when an exception occurs.
s-supplier-ip (*) | | | | IP address used to contact the upstream host. This is not set if a connection is not made, but is correct when an exception occurs.
…pplier-port (*) | | | 6.7.x, 6.6.x (*) | Port used to contact the upstream host. This is not set if a connection is not made, but is correct when an exception occurs.
… (*) | | | | RESPMOD ICAP server hostname; unavailable when the response is served from cache.
… (*) | | | | RESPMOD ICAP server IP address; unavailable when the response is served from cache.
…p-service (*) | | | 7.3.3 | RESPMOD ICAP service or service group name; available when the response is served from cache.
s-computername | proxy.name | %N | 7.x, 6.6.x, 6.5.x (*) | Configured name of the appliance. (*)
… (*) | | | | Upstream connection type (Direct, SOCKS gateway, etc.).
s-dns | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Hostname of the appliance (uses the primary IP address to avoid reverse DNS).
s-ip | | %I | 7.x, 6.7.x, 6.6.x, 6.5.x | IP address of the appliance on which the client established its connection.
s-port | proxy.port | %P | 7.x, 6.7.x, 6.6.x, 6.5.x | Port of the appliance on which the client established its connection.
s-sitename | | %S | 7.x, 6.7.x, 6.6.x (*) | The service type used to process the … (*)
… (*) | | | | The source IP address of the ProxySG appliance when attempting to access a remote site or URL. Note: This field is available for HTTP and HTTPS proxies only.
…source-port (*) | | | 7.x, 6.7.x, 6.6.x, 6.5.x | The source port of the ProxySG appliance when attempting to access a remote site or URL. Note: This field is available for HTTP, HTTPS, and FTP proxies.
… (*) | | | | The geolocation (country) associated with the IP address of the connection, identified by "s-supplier-ip" below. This is not set if a connection is not made or if an exception occurs.
… (*) | | | | A list of entries where the IP address resolved but did not result in a successful connection. Each entry comprises the IP address, country, and whether the connection was denied or timed out. This field is designed for use with Symantec Reporter.
… (*) | | | | IP address used to contact the upstream host. This is not set if a connection is not made or if an exception occurs.
… (*) | | | | Hostname of the upstream host. This is not set if a connection is not made or if an exception occurs.
… (*) | | | | IP port used to contact the upstream host. This is not set if a connection is not made or if an exception occurs.
… (*) | proxy.card; client.interface (in 6.6.2 and later) | | 7.x, 6.7.x, 6.6.x, 6.5.x | Adapter number of the client's connection to the appliance.
sc-connection | | | 7.x, 6.7.x (*) | Unique identifier of the client's connection (such … (*)
… (*) | …liance.serial_number (*) | | 6.7.x, 6.6.x (*) | The serial number of … (*)
… (*) | …ppliance.first_mac_address (*) | | | The MAC address of the first installed … (*)
… (*) | …ppliance.full_version (*) | | 6.7.x, 6.6.x, 6.5.x (*) | The full version of the SGOS software.
x-appliance-mc-… (*) | appliance.mc_… (*) | | 7.x | The fingerprint of the Management … (*)
… (*) | appliance.model_name | | 7.x, 6.7.x, 6.6.x, 6.5.x | The model name of the appliance.
x-appliance-product-name | appliance.product_name | | 7.x | The product name of … (*)
… (*) | appliance.product_tag | | 7.x, 6.7.x, 6.6.x | The product tag of … (*)
… (*) | …ance.serial_number (*) | | | The serial number of … (*)
… (*) | …ppliance.series_name (*) | | 6.7.x, 6.6.x | The series name of … (*)
… (*) | …tion.access_type (*) | | 7.x | Method used to access the cloud … (*)
… (*) | appliance.identifier (*) | | 6.7.x, 6.6.x | Compact identifier of … (*)
… (*) | …ance.name (*) | | 6.7.x, 6.6.x, 6.5.x | Configured name of the appliance.
x-bluecoat-appliance-primary-address | appliance.primary_address | | 7.x, 6.7.x, 6.6.x, 6.5.x | Primary IP address of the appliance.
x-bluecoat-csurrogate-ip (*) | | | 7.x (*) | IP address of the client in the data … (*)
…onnection-tenant (*) | | | 6.7.x | Tenant ID for … (*)
…ersion (*) | | | 6.7.x, 6.6.x (*) | Version of the cloud service groups of interest for a tenant policy.
x-bluecoat-location-id | client.location.id | | 7.x, 6.7.x | ID of the cloud service customer … (*)
… (*) | …rimary_address (*) | | | Primary IP address of … (*)
…request-tenant-id (*) | | | 6.7.x | Tenant ID for the … (*)
… (*) | …server_connection.socket_errno (*) | | 7.x, 6.7.x, 6.6.x, 6.5.x | Error message associated with a failed attempt to connect to an upstream host.
… (*) | | | | Version of the cloud service tenant … (*)
…id (*) | | | 6.7.x, 6.6.x, 6.5.x (*) | Unique per-request identifier generated by the appliance. Note: This value is not unique across multiple appliances; use x-bluecoat-transaction-uuid to log globally unique identifiers. Default exception pages include the transaction ID; thus, you can look for the ID in the access log to learn more about the transaction. For WAF, you can use the ID to ascertain if WAF engines correctly detected an attack or if it was a false positive.
x-bluecoat-transaction-uuid | | | | Globally unique per-request identifier generated by … (*)
x-client-address | | | 7.x (*) | IP address of the … (*)
… (*) | | | 7.x, 6.6.x, 6.5.x (*) | Total number of bytes sent to and received from the client.
x-client-ip | | | 7.x | IP address of the … (*)
… (*) | | | 6.7.5.8, 7.2.4.1 (*) | Total time taken (in ms) to determine the object disposition.
x-cs-dns | client.host | | 7.x, 6.7.x (*) | The hostname of the client obtained through … (*)
… (*) | …effective_address (*) | | 7.x, 6.7.x, 6.5.5.7 (*) | The effective client IP address when the client.effective_address() property is configured. If the property is not configured, the content matches "c-ip" on page 9.
… (*) | | | | The country associated with the effective client IP address when the client.effective_address() property is configured. If the property is not configured, the content matches "x-cs-client-ip-country" on the next page.
x-cs-client-ip-country | client.address.country | | 7.x, 6.7.x, 6.6.x | The country associated with the client IP address. (*)
…on-dscp (*) | | | | DSCP client inbound … (*)
… (*) | …ient.connection.encrypted_tap (*) | | 7.x, 6.7.x, 6.6.x | Whether or not the client side SSL connection is tapped. If tapped, the field value is … (*)
… (*) | client.connection.negotiated_cipher | | 7.x, 6.7.x | OpenSSL cipher suite negotiated for the … (*)
…ated-cipher-size (*) | | | 6.7.x, 6.6.x | Cipher size of the OpenSSL cipher suite negotiated for the client … (*)
… (*) | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Strength of the OpenSSL cipher suite negotiated for the client connection.
…negotiated-ssl-version (*) | …connection.negotiated_ssl_version (*) | | 7.x, 6.7.x, 6.6.x, 6.5.x | Version of the SSL protocol negotiated for the client connection.
x-cs-…connection-ssl-… (*) | client.connection.ssl_server… (*) | | 6.6.x, 6.5.x (*) | Hostname from the SNI extension of the client connection.
… (*) | | | | Total time taken (in ms) to complete the HTTPS handshake of the downstream connection.
… (*) | | | | The username associated with this session as returned from an ident query. This is an empty string if no session is known.
x-cs-interface | client.interface | | 7.x, 6.7.x, 6.6.x | Interface on which the client established its connection.
x-cs-interface-routing-domain | client.interface.routing_domain | | 7.x, 6.7.x, 6.6.x | Routing domain on which the client established its connection.
… (*) | | | | The name of the domain to which the … (*) This is an empty string if the query fails or the name is not reported. When using the $(netbios.*) substitutions to generate the username, the client machines must respond to a NetBIOS over TCP/IP node status query.
…uter-name (*) | netbios.computer-name | | 7.x | The NetBIOS name of … (*) This is an empty string if the query fails or the name is not reported. When using the $(netbios.*) substitutions to generate the username, the client machines must respond to a NetBIOS over TCP/IP node status query.
…ername (*) | | | 6.6.x, 6.5.x (*) | The name of the … (*) This is an empty string if the query fails or the name is not reported. It is also empty if there is more than one logged-in user. When using the $(netbios.*) substitutions to generate the username, the client machines must respond to a NetBIOS over TCP/IP node status query.
…messenger-usernames (*) | | | | A comma-separated list of all the messenger usernames reported by the target computer. This is an empty string if the query fails, or no names are reported. When using the $(netbios.*) substitutions to generate the username, the client machines must respond to a NetBIOS over TCP/IP node status query.
… (*) | | | | Total time taken (in ms) to complete the HTTPS handshake of the reverse proxy connection.
… (*) | | | | The username associated with this session as reported by RADIUS accounting. This is an empty string if no session is known.
x-isolated | isolated | | 7.3.x | Whether or not the transaction was forwarded to the web isolation service.
x-module-name | module_name | | 7.x, 6.7.x, 6.6.x, 6.5.x | The SGOS module that is handling the transaction.
x-random-ipv6 | | | 7.x | Value of the X-Forwarded-For header if it is set to a random IPv6 address by Universal Policy.
…on-dscp (*) | | | | DSCP server … (*)
… (*) | | | | Whether or not the server side SSL connection is tapped. If tapped, the field value is "TAPPED".
… (*) | …ction.negotiated_cipher (*) | | 7.x, 6.7.x | OpenSSL cipher suite negotiated for the … (*)
…ated-cipher-size (*) | | | 6.7.x, 6.6.x | Cipher size of the OpenSSL cipher suite negotiated for the server … (*)
… (*) | | | 7.x, 6.7.x | Strength of the OpenSSL cipher suite negotiated for the server … (*)
…negotiated-ssl-version (*) | …connection.negotiated_ssl_version (*) | | 7.x, 6.7.x, 6.6.x, 6.5.x | Version of the SSL protocol negotiated for the server connection.
x-rs-…connection-ssl-…name (*) | server.connection.ssl_server…name (*) | | 7.3.x | Hostname from the SNI extension of the server connection.
… (*) | | | | DSCP client … (*)
… (*) | | | | Issuer for … (*)
…onnection-bytes (*) | | | 6.7.x, 6.6.x, 6.5.x | Total number of compressed ADN bytes sent to and received from the server.
x-server-connection-bytes | | | 7.x, 6.7.x, 6.6.x, 6.5.x | Total number of bytes sent to and received from the server.
x-service-group | service.group | | 7.x, 6.7.x, 6.6.x | The name of the service group that handled … (*)
… (*) | | | 7.x, 6.6.x, 6.5.x (*) | The name of the service that handled the transaction.
… (*) | | | | DSCP server … (*)
… (*) | | | 7.2.4.1 | Total time taken (in ms) to complete the HTTPS handshake of the upstream connection.

(*) marks an entry that is partly cut off in the source extraction: "…" stands for the missing part of a name or description, only the visible version numbers are listed, and underscores in CPL names (dropped by the extraction) have been restored.
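The two tables above define the column vocabulary of an ELFF access log, and an ELFF file names its own columns in a #Fields: directive, so a parser should read that directive rather than hard-code positions. This is an added example, not code from the guide or from SGOS: the log lines are constructed, and the format uses only fields whose names appear fully on this page (c-ip, c-port, s-ip, s-port, cs-ip, s-supplier-ip, cs-bytes, sc-bytes, x-bluecoat-transaction-uuid, x-service-group). The "-" convention for an empty value and the quoting of values that contain spaces are standard ELFF behaviour that the page does not restate.

```python
"""Parse a ProxySG ELFF access log by its #Fields: directive and summarize it
with the byte-count and connection fields described on this page."""
import shlex
from collections import defaultdict

# Constructed sample log in a custom ELFF format. "-" means the field has no
# value; for s-supplier-ip that is the documented case of no upstream connection.
SAMPLE_LOG = """\
#Software: SGOS 7.3
#Version: 1.0
#Fields: c-ip c-port s-ip s-port cs-ip s-supplier-ip cs-bytes sc-bytes x-bluecoat-transaction-uuid x-service-group
10.1.1.5 51234 10.1.1.1 8080 93.184.216.34 93.184.216.34 512 20480 1a2b3c4d-0000-4000-8000-000000000001 standard
10.1.1.5 51235 10.1.1.1 8080 93.184.216.34 - 400 1200 1a2b3c4d-0000-4000-8000-000000000002 standard
10.1.1.9 40001 10.1.1.1 8080 198.51.100.7 198.51.100.7 256 8192 1a2b3c4d-0000-4000-8000-000000000003 standard
"""


def parse_elff(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive.

    A "-" value becomes None. shlex.split honours double-quoted values, so a
    quoted user agent with spaces still counts as one column."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version and other directives carry no records
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields: directive")
        values = shlex.split(line)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        yield {name: (None if value == "-" else value) for name, value in zip(fields, values)}


def bytes_per_client(text):
    """Total cs-bytes + sc-bytes per client IP (c-ip)."""
    totals = defaultdict(int)
    for rec in parse_elff(text):
        totals[rec["c-ip"]] += int(rec["cs-bytes"] or 0) + int(rec["sc-bytes"] or 0)
    return dict(totals)


def no_upstream_connection(text):
    """Transaction UUIDs whose s-supplier-ip is unset, i.e. the appliance never
    completed a connection to the upstream host for that request."""
    return [rec["x-bluecoat-transaction-uuid"] for rec in parse_elff(text)
            if rec["s-supplier-ip"] is None]


if __name__ == "__main__":
    print(bytes_per_client(SAMPLE_LOG))
    print(no_upstream_connection(SAMPLE_LOG))
```

Because the column map comes from the file itself, the same parser works unchanged for any of the field combinations in these tables; the x-bluecoat-transaction-uuid value it reports is the one the page says to use when correlating a record across multiple appliances.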

DNS

These fields pertain to DNS lookup.

ELFF | CPL | Custom | Introduced in SGOS versions | Description
x-dns-cs-address | dns.request.address | | … (*) | … (*)

(*) The source extraction is cut off at this point; the version list and description of this row, and the remaining DNS rows, are missing.
