Looking at the following log sample (Apache format Access Logs) and the bolded section contained between the <>:
1.1.1.1 - - "16/Feb/2010:11:58:55 +1100" GET http://www.testsite.com 304 0 TCP_CLIENT_REFRESH_MISS:DIRECT 7ms DEFAULT_CASE-DefaultGroup-DefaultGroup-NONE-DefaultRouting <Shop,5.0,0,,,,,,,,,,,,> - 2.2.2.2 80 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; eMusic DLM/4)" "Shopping"
This particular log sample has 15 fields between the <>. Every other log sample I've seen has 17 fields between the <>. So my question is, why would this happen? Is there some configuration on the Ironport itself that would modify this part of the logs? I know what some of those particular fields contain but is there a breakdown for what all those fields contain?