Ironport Access Logs

Last Updated: Jun 09, 2015 08:24PM PDT
The new IronPort access log format may cause some confusion because of the way the logs are now structured.
This article explains the fields in the new format so you can make an informed decision about which fields you need when importing your log files into Vantage.

The newer default IronPort access logs carry a header of field specifiers, just like a W3C log file. Within IronPort you can either keep the default log and add optional fields to it, or use a W3C log and choose the field list yourself.

Both logging options include a #Fields line in the header that lists, in order, what each column of the log reports.
The default log file has the following fields:
#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.

It is important to know what these fields mean so you don't add optional fields that duplicate the same information.
%t = Timestamp in UNIX epoch seconds (UTC based; this gives you both the date and the time).
%e = Elapsed time (the duration of the request).
%a = Client IP address.
%w/%h = Transaction result code and HTTP response code, separated by a slash (e.g. TCP_MISS/200).
%s = Response size (headers + body).
%2r = Request method and URI. (%r on its own is the full request first line: method, URI and HTTP version; %2r logs only the method and URI, when they are available.)
%A = Authenticated user name (cs-username in W3C terms).
%H/%d = The code that describes how the requested content was retrieved and the server that was contacted, separated by a slash (e.g. DIRECT/www.example.com).
%c = Response body MIME type.
%D = ACL decision tag (the policy decision applied to the request; the BLOCK_SUSPECT_USER_AGENT and MONITOR_SUSPECT_USER_AGENT tags referenced by the last field are examples of such tags).
%Xr = Scanning verdict information: the angle-bracketed block of URL category, reputation and malware-scanning results that follows the decision tag. This is not the same as the %w result code.
%?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%. = Conditional field: the request's User-Agent header is logged only when the decision tag contains BLOCK_SUSPECT_USER_AGENT or MONITOR_SUSPECT_USER_AGENT; otherwise a single dash (-) is logged.

It is also important to note that IronPort field names are case sensitive, so if you add %lowercase when you meant %uppercase you will get completely different results. This is an easy mistake to make, as there are over 100 possible logging fields available.

Another thing to be aware of when adding a field to the default list is the field separator. A single SPACE separates the default fields, so please use a SPACE to separate any fields you add as well. If you use a comma or a tab instead, the new fields are not split from their neighbours, the columns no longer line up with the #Fields header, and the result is incorrectly imported log lines or no import at all.

As there are so many optional fields available, it is important not to add fields that carry the same information. Duplicated information increases log size, storage requirements and the processing time of any analysis. For example, if you already have a date/time field such as %L, there is no reason to add the other date/time fields %V, %v or %t, as they all report the same date and/or time.

We recommend the %L date/time field over the default %t field: %L gives you your local date and time, so there is no need to use the time offset feature in Vantage when importing your data. It also reflects daylight saving adjustments, so once again you won't need to adjust the time offset when importing.

Adding some custom fields to the default fields
We recommend appending the following fields (space separated) to the default list:
#Fields: %L %B %g %R %XF
%L = Local date and time, adjusted for daylight saving.
%B = Total bytes sent and received (request size + response size).
%g = Authorized group names.
%R = Referrer information, if available (depending on version, also written as %<Referer: or %<Referrer:).
%XF = Full name of the URL category.

These extra custom fields, combined with the existing default fields, let you achieve better reporting and analysis of your log data. Please see our Modern Reporting blogs for further information.

Starting from scratch (turning off the default logging fields, if the option is available)
If you want to report in the way suggested in our Modern Reporting blogs, you will need the following fields:
#Fields: %L %e %a %k %B %A %w/%h %s %q %g %p %R %c %XF %Y
%L = Local date and time, adjusted for daylight saving.
%e = Elapsed time (duration).
%a = Client IP address.
%k = Data source IP address (the IP address of the server contacted).
%B = Total bytes sent and received (request size + response size).
%A = Authenticated user name (cs-username in W3C terms).
%w/%h = Transaction result code and HTTP response code, separated by a slash.
%s = Response size (headers + body).
%q = Request size (headers + body).
%g = Authorized group names.
%p = Protocol, including the version number where applicable.
%R = Referrer information, if available (depending on version, also written as %<Referer: or %<Referrer:).
%c = Response body MIME type.
%XF = Full name of the URL category.
%Y = Full URL.
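Here is a small parser that shows how the #Fields header drives the import, for both the default field list described earlier and the full list in this section. It is an added example, not Fastvue, WebSpy or Cisco code. It assumes: space-separated columns, as described above; that %2r expands to two tokens (method and URI) and %L to two tokens (the DD/MMM/YYYY:hh:mm:ss +nnnn form contains a space); that a free-text field such as the conditional User-Agent sits last so it can take the rest of the line; and that a value containing spaces (the full URL category name) is double-quoted, which you should check against your own logs. The TOKEN_COUNTS table, the function names and the log lines are all constructed for this example.

```python
import re
from datetime import datetime, timezone

# Tokens per specifier on a log line. Assumption: %2r is "METHOD URI" and
# %L is "DD/MMM/YYYY:hh:mm:ss +nnnn"; every other specifier is one token.
TOKEN_COUNTS = {"%2r": 2, "%L": 2}

# Constructed sample logs (not real data): the default layout and the
# "starting from scratch" layout from the article.
DEFAULT_SAMPLE = """\
#Fields: %t %e %a %w/%h %s %2r %A %H/%d %c %D %Xr %?BLOCK_SUSPECT_USER_AGENT,MONITOR_SUSPECT_USER_AGENT?%<User-Agent:%!%-%.
1433890000.123 97 10.1.2.3 TCP_MISS/200 8187 GET http://www.example.com/ alice@CORP DIRECT/www.example.com text/html DEFAULT_CASE_11-Policy-Identity <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -
1433890005.456 12 10.1.2.4 TCP_DENIED/403 0 GET http://malware.example.net/x.exe - NONE/- - BLOCK_SUSPECT_USER_AGENT_11-Policy-Identity <IW_infr,2.1,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_infr,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,[Local],"-"> Mozilla/4.0 (compatible; MSIE 6.0)
"""
CUSTOM_SAMPLE = """\
#Fields: %L %e %a %k %B %A %w/%h %s %q %g %p %R %c %XF %Y
11/Jun/2015:14:23:01 +1000 97 10.1.2.3 93.184.216.34 9000 alice@CORP TCP_MISS/200 8187 813 Staff,VPN-Users HTTP/1.1 - text/html "Computers and Internet" http://www.example.com/
11/Jun/2015:14:23:05 +1000 12 10.1.2.4 203.0.113.9 620 bob@CORP TCP_DENIED/403 0 620 Contractors HTTP/1.1 http://www.example.com/ - "Malware Sites" http://malware.example.net/x.exe
"""

# A double-quoted run stays one token (assumed quoting of multi-word values).
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_fields_header(line):
    """Return the specifier list from a '#Fields: ...' header line."""
    if not line.startswith("#Fields:"):
        raise ValueError("expected a #Fields header, got: %r" % line[:40])
    return line[len("#Fields:"):].split()


def parse_line(specs, line):
    """Map one space-separated log line onto the header's specifiers.
    Raises ValueError when the line has too few tokens for the header,
    which is what comma- or tab-joined custom fields produce."""
    tokens = _TOKEN.findall(line)
    record, pos = {}, 0
    for i, spec in enumerate(specs):
        last = i == len(specs) - 1
        # The last field takes the remainder of the line: a free-text value
        # such as the conditional User-Agent contains spaces.
        n = len(tokens) - pos if last else TOKEN_COUNTS.get(spec, 1)
        if n < 1 or pos + n > len(tokens):
            raise ValueError("too few fields for header: %r" % line[:40])
        value = " ".join(tokens[pos:pos + n])
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        record[spec] = value
        pos += n
    return record


def decode(record):
    """Split the slash-joined pairs and convert sizes and times."""
    out = {}
    for spec, value in record.items():
        if spec.startswith("%?"):             # the conditional User-Agent field
            out["user_agent"] = value
        elif "/" in spec:                     # %w/%h and %H/%d hold two values
            left, right = spec.split("/", 1)
            out[left], _, out[right] = value.partition("/")
        elif spec in ("%s", "%q", "%B"):      # byte counts
            out[spec] = int(value)
        else:
            out[spec] = value
    if "%t" in out:                           # UNIX epoch: UTC, offset applied later
        out["time"] = datetime.fromtimestamp(float(out["%t"]), tz=timezone.utc)
    elif "%L" in out:                         # local time carrying its own offset
        out["time"] = datetime.strptime(out["%L"], "%d/%b/%Y:%H:%M:%S %z")
    return out


def parse_log(text):
    """Parse a whole log whose first line is the #Fields header."""
    lines = [l for l in text.splitlines() if l.strip()]
    specs = parse_fields_header(lines[0])
    return [decode(parse_line(specs, l)) for l in lines[1:] if not l.startswith("#")]


def is_well_formed(specs, line):
    """True when the line splits into enough tokens for the header."""
    try:
        parse_line(specs, line)
        return True
    except ValueError:
        return False


def blocked(records):
    """Requests denied by policy: BLOCK_ decision tag or TCP_DENIED result."""
    return [r for r in records
            if r.get("%D", "").startswith("BLOCK_") or r.get("%w") == "TCP_DENIED"]


def bytes_by_user(records):
    """Total bytes per authenticated user: %B, or %s + %q when %B is absent."""
    totals = {}
    for r in records:
        b = r["%B"] if "%B" in r else r.get("%s", 0) + r.get("%q", 0)
        totals[r["%A"]] = totals.get(r["%A"], 0) + b
    return totals
```

Run is_well_formed over a sample of lines before a bulk import: a line whose added fields were joined with commas or tabs collapses into too few tokens and fails the check, which is exactly the symptom described above. The %t branch of decode yields a UTC timestamp that still needs the Vantage time offset, while the %L branch already carries the local offset, which is the reason the article prefers %L.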

For a full list of available fields please see your IronPort documentation.

I hope this was helpful. :)
