I have URL logging enabled on my ASA-5505, with a default HTTP fixup policy. URL log messages go to my syslog in this format:
2008-01-31T16:49:52-0600 <local4.notice> x.x.x.x %ASA-5-304001: y.y.y.y Accessed URL z.z.z.z:/index.html
This is exactly what I need, except when the page is cached by a web caching server. In this case, the ip address z.z.z.z is the address of the caching server, not the actual web server. Is there a way to log the "host" header field from the http packet, instead of the destination ip address specified in the tcp header? Isn't that what application inspection is for -- to get deeper into the packet than layer 3?