Access Log format ?

nic-dteam
Level 1

Looking at the following log sample (Apache format Access Logs) and the bolded section contained between the <>:

1.1.1.1 - - "16/Feb/2010:11:58:55 +1100" GET http://www.testsite.com 304 0  TCP_CLIENT_REFRESH_MISS:DIRECT 7ms  DEFAULT_CASE-DefaultGroup-DefaultGroup-NONE-DefaultRouting  <Shop,5.0,0,,,,,,,,,,,,> - 2.2.2.2 80 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT  6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR  3.0.30729; Media Center PC 6.0; InfoPath.2; eMusic DLM/4)" "Shopping"

This particular log sample has 15 fields between the <>. Every other log sample I've seen has 17 fields between the <>. So my question is, why would this happen? Is there some configuration on the Ironport itself that would modify this part of the logs? I know what some of those particular fields contain but is there a breakdown for what all those fields contain?

1 Reply

tidavids
Level 1

This portion of the access log contains both the web category as well as the response from the various DVS engines. The actual fields will vary depending on the features/code that is installed. For example, in the upcoming 7.0 code there are several new fields as a result of AVC (Application Visibility Control). Similarly, when Cisco Web Usage Controls are enabled there are additional fields which note dynamically learned content.

The best reference for each specific field, including between the <>'s, is the user guide which can be downloaded from the Cisco/IronPort Customer Support Portal.
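Since the number of fields between the <> depends on the installed features, a log parser should not hard-code 15 or 17 positions. The following is an added example, not part of the original thread and not Cisco code: it extracts the block, splits it while honouring quoted values, and reports lines whose field count differs from the most common one. The function names, the sample lines and the assumption that values may be double-quoted are illustrative.

```python
import csv
import re
from collections import Counter

# Assumption: the block is the first <...> run on the line and holds no
# nested angle brackets; individual values may be double-quoted.
BLOCK = re.compile(r"<([^<>]*)>")

def split_block(line):
    """Return the list of fields between <>, or None if the line has no block."""
    m = BLOCK.search(line)
    if m is None:
        return None
    # csv honours quotes, so a comma inside "..." does not start a new field
    return next(csv.reader([m.group(1)]))

def outliers(lines):
    """Return (most common field count, [(line_no, count), ...] that differ)."""
    counts = {}
    for no, line in enumerate(lines, 1):
        fields = split_block(line)
        if fields is not None:          # lines without a block are skipped
            counts[no] = len(fields)
    if not counts:
        return None, []
    baseline = Counter(counts.values()).most_common(1)[0][0]
    return baseline, [(n, c) for n, c in counts.items() if c != baseline]

def make_line(block):
    """Build a constructed access-log line around the given <> block."""
    return ('1.1.1.1 - - "16/Feb/2010:11:58:55 +1100" GET http://www.testsite.com '
            '304 0 TCP_CLIENT_REFRESH_MISS:DIRECT 7ms '
            'DEFAULT_CASE-DefaultGroup-DefaultGroup-NONE-DefaultRouting '
            f'<{block}> - 2.2.2.2 80 "Mozilla/4.0" "Shopping"')

# Constructed sample input (not real traffic)
SAMPLE = [
    make_line("Shop,5.0,0" + "," * 14),        # 17 fields
    make_line("Shop,5.0,0" + "," * 12),        # 15 fields, as in the question
    make_line('Shop,5.0,0,"a,b"' + "," * 13),  # 17 fields, one quoted comma
    "line with no angle-bracket block",
]

if __name__ == "__main__":
    baseline, odd = outliers(SAMPLE)
    print(f"baseline={baseline} outliers={odd}")
```

A sudden shift in the baseline across a log file usually marks a feature being enabled or a software upgrade, which is the point at which positional field mappings in a SIEM parser need to be re-checked against the user guide.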
