Lire supports three different proxy log file formats, allowing it to support a wide range of products.
Microsoft Internet Security and Acceleration Server uses a format derived from the W3C Extended Log Format, which is defined at http://www.w3.org/TR/WD-logfile.html. Information about the way Microsoft Internet Security and Acceleration Server uses that format can be found on the product's website.
The format of
Lire uses the following fields of the format: date, time, c-ip, c-host, cs-username, c-agent, time-taken, r-ip, r-host, sc-status, sc-protocol, sc-operation, s-object-source, rule#1, rule#2 and cs-mime-type. All other fields are ignored.
Example 12.1. Microsoft Internet Security and Acceleration Server Log Sample

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2002-01-16 07:00:01
#Fields: c-ip cs-username c-agent date time s-computername \
    cs-referred r-host r-ip r-port time-taken cs-bytes \
    sc-bytes cs-protocol s-operation cs-uri s-object-source \
    sc-status
10.0.0.1 anonymous Mozilla/4.0 (compatible; MSIE 5.0; Win32) \
    2002-01-16 07:00:01 GRO1SYX01 - - - - \
    - 155 2569 - GET - - 200
10.0.0.1 anonymous Outlook Express/5.0 \
    (MSIE 5.0; Windows 98; DigExt) 2002-01-16 07:00:04 \
    GRO1SYX01 - 1.example.com
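The point of the W3C Extended format is that the #Fields directive, not a fixed layout, defines what each column of the following records means, so a parser has to read the directive first and must refuse records whose column count does not match it rather than guess an alignment. The parser below is an added example (not Lire's own code, which is written in Perl); it keeps only the fields Lire uses and assumes, as ISA Server's W3C format does, that fields are tab-separated (the spaces in the sample above are a rendering of the original tabs) and that "-" marks an empty value. The sample input is constructed from the first record of Example 12.1 plus one deliberately malformed line.

```python
"""Parse W3C Extended Log Format records such as those written by Microsoft
ISA Server, keeping only the fields Lire uses.  Added example, not Lire's
own code.  Assumes tab-separated fields and "-" as the empty-value marker."""
from datetime import datetime

# Fields Lire uses from this format, taken from the field list above.
LIRE_FIELDS = {
    "date", "time", "c-ip", "c-host", "cs-username", "c-agent", "time-taken",
    "r-ip", "r-host", "sc-status", "sc-protocol", "sc-operation",
    "s-object-source", "rule#1", "rule#2", "cs-mime-type",
}


def parse_w3c_log(lines):
    """Yield one dict per record.

    Directive lines (#Software, #Version, #Date, #Fields) are consumed; the
    #Fields directive names the columns of every record that follows, so a
    record seen before any #Fields line, or with a different column count,
    is dropped rather than aligned by guesswork.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no per-record data
        if fields is None:
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue
        record = {}
        for name, value in zip(fields, values):
            if name in LIRE_FIELDS:
                record[name] = None if value == "-" else value
        if record.get("date") and record.get("time"):
            record["timestamp"] = datetime.strptime(
                f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
        yield record


# Constructed sample: the directives and first record of Example 12.1,
# with the record's values joined by tabs, plus one malformed line.
W3C_SAMPLE = [
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2000",
    "#Version: 1.0",
    "#Date: 2002-01-16 07:00:01",
    "#Fields: c-ip cs-username c-agent date time s-computername cs-referred "
    "r-host r-ip r-port time-taken cs-bytes sc-bytes cs-protocol s-operation "
    "cs-uri s-object-source sc-status",
    "\t".join(["10.0.0.1", "anonymous", "Mozilla/4.0 (compatible; MSIE 5.0; Win32)",
               "2002-01-16", "07:00:01", "GRO1SYX01", "-", "-", "-", "-", "-",
               "155", "2569", "-", "GET", "-", "-", "200"]),
    "10.0.0.9\tanonymous",  # too few columns: must be skipped, not mis-aligned
]


def parse_w3c_sample():
    return list(parse_w3c_log(W3C_SAMPLE))


if __name__ == "__main__":
    for rec in parse_w3c_sample():
        print(rec)
```

Note that the sample's #Fields line names s-operation while the field list above says sc-operation; the parser only keeps what the directive actually names, so a log whose directive uses a variant name simply yields a record without that key rather than a wrongly mapped value.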
Lire can process Squid's native access log.
Example 12.2. Squid Log Sample

1011164724.171 1337 10.0.0.1 TCP_MISS/200 20110 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
1011164724.965 740 10.0.0.1 TCP_MISS/200 26461 GET \
    http://www.ia.hiof.no/informatikk/forelesning/historie/historie.html \
    - DIRECT/10.0.0.3 text/html
1011164727.626 2580 10.0.0.1 TCP_MISS/200 111927 GET \
    http://www.ia.hiof.no/informatikk/forelesning/historie/transistor.jpg \
    - DIRECT/10.0.0.3 image/jpeg
1011164731.619 687 10.0.0.1 TCP_MISS/200 18191 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
1011164734.972 3282 10.0.0.1 TCP_MISS/200 29595 GET \
    http://www.hillnews.com/restaurants/rst_tosca.shtm - \
    DIRECT/10.0.0.4 text/html
1011164735.482 467 10.0.0.1 TCP_MISS/200 7839 GET \
    http://www.hillnews.com/global/banner_logo.gif - \
    DIRECT/10.0.0.4 image/gif
1011164740.163 1004 10.0.0.1 TCP_MISS/200 19580 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
1011164741.905 1687 10.0.0.1 TCP_MISS/200 17383 GET \
    http://www.charlotteregional.com/speech.html - DIRECT/10.0.0.5 text/html
1011164742.214 275 10.0.0.1 TCP_MISS/200 8001 GET \
    http://www.charlotteregional.com/images/st2.jpg - \
    DIRECT/10.0.0.5 image/jpeg
1011164745.891 716 10.0.0.1 TCP_MISS/200 18796 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
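Squid's native format packs two values into one field twice per record (cache result and HTTP status as TCP_MISS/200, hierarchy code and peer as DIRECT/10.0.0.2), and its first field is an epoch timestamp with millisecond fraction. The parser below, an added example that is not Lire's code, splits those compound fields, rejects lines that do not have exactly the ten expected fields, and totals bytes per client as a simple first report over the parsed records. The input is constructed from three records of Example 12.2 (continuation backslashes removed) plus one truncated line.

```python
"""Parse Squid's native access.log.  Added example, not Lire's own code.

Each record has ten whitespace-separated fields:
  time elapsed client result/status bytes method url ident hierarchy/peer type
where "time" is seconds since the epoch and "-" marks an empty ident."""
from datetime import datetime, timezone


def parse_squid_line(line):
    parts = line.split()
    if len(parts) != 10:
        return None  # not a native access.log record; caller decides what to do
    ts, elapsed, client, result, size, method, url, ident, hier, ctype = parts
    cache_result, _, status = result.partition("/")   # e.g. TCP_MISS/200
    hier_code, _, peer = hier.partition("/")          # e.g. DIRECT/10.0.0.2
    return {
        "timestamp": datetime.fromtimestamp(float(ts), tz=timezone.utc),
        "elapsed_ms": int(elapsed),
        "client": client,
        "cache_result": cache_result,
        "status": int(status) if status else None,
        "bytes": int(size),
        "method": method,
        "url": url,
        "ident": None if ident == "-" else ident,
        "hierarchy": hier_code,
        "peer": peer,
        "content_type": ctype,
    }


def parse_squid_log(lines):
    records = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is not None:
            records.append(rec)
    return records


def bytes_by_client(records):
    """Total bytes served per client address, a first cut at spotting
    unusually heavy consumers in the log."""
    totals = {}
    for rec in records:
        totals[rec["client"]] = totals.get(rec["client"], 0) + rec["bytes"]
    return totals


# Constructed sample: three records from Example 12.2 and one truncated line.
SQUID_SAMPLE = [
    "1011164724.171 1337 10.0.0.1 TCP_MISS/200 20110 GET "
    "http://images.google.com/images? - DIRECT/10.0.0.2 text/html",
    "1011164724.965 740 10.0.0.1 TCP_MISS/200 26461 GET "
    "http://www.ia.hiof.no/informatikk/forelesning/historie/historie.html "
    "- DIRECT/10.0.0.3 text/html",
    "1011164727.626 2580 10.0.0.1 TCP_MISS/200 111927 GET "
    "http://www.ia.hiof.no/informatikk/forelesning/historie/transistor.jpg "
    "- DIRECT/10.0.0.3 image/jpeg",
    "1011164731.619 687 10.0.0.1 TCP_MISS/200",  # truncated: skipped
]


def parse_squid_sample():
    return parse_squid_log(SQUID_SAMPLE)


if __name__ == "__main__":
    recs = parse_squid_sample()
    print(len(recs), "records;", bytes_by_client(recs))
```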
The WELF format was developed by WebTrends and is supported by many firewall vendors. Products can write log files in that format directly or can log through syslog; Lire processes either native WELF log files or syslog log files that contain WELF records. The format is used by packet-filtering firewalls, proxies and network intrusion detection devices. Lire only processes records that relate to proxy services (either an application proxy, such as a web proxy, or a transport proxy, such as one for the telnet protocol).
Example 12.3. WELF Log Sample

WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
    arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898
WTsyslog[1998-08-01 00:04:12 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
    arg=/selfupd/x86/en/CUNPROT2.CAB op=GET result=304 sent=853
WTsyslog[1998-08-01 00:04:23 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 00:09:03" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
    arg=/R510/v31content/90820/0x00000409.gng op=GET result=304 sent=2983
WTsyslog[1998-08-01 03:02:03 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 03:06:43" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.4 dstname=2.example.com arg=/ op=POST \
    result=200 sent=2195
WTsyslog[1998-08-01 16:25:33 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 06:30:09" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com \
    arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036
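A WELF record is a sequence of key=value pairs in which values containing spaces are double-quoted (time="1998-08-01 00:08:52"), and when it arrives via syslog it is wrapped in a WTsyslog[...] header carrying the relay's own timestamp, which is distinct from the record's time field. The parser below is an added example, not Lire's code: it strips the optional syslog wrapper, tokenizes the pairs with a regular expression that respects quoting, and keeps only records that describe a proxy operation. The page does not say how Lire decides that a record is proxy-related; the criterion used here (the record carries an op or arg key) is this example's own assumption. The input is constructed from three records of Example 12.3 plus one made-up non-proxy record.

```python
"""Parse WELF records, optionally wrapped in a WTsyslog[...] syslog header,
and keep those that describe a proxy operation.  Added example, not Lire's
own code; the proxy-record criterion below is an assumption of this
example, not Lire's documented behaviour."""
import re

# Optional WebTrends syslog wrapper, e.g. WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6]
_SYSLOG_PREFIX = re.compile(r"^WTsyslog\[(?P<hdr>[^\]]*)\]\s*")
# key=value tokens; a value is either a double-quoted string (backslash
# escapes allowed) or a run of non-blank characters.
_TOKEN = re.compile(r'(?P<key>[\w.-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')


def parse_welf_line(line):
    """Return a dict of the record's fields; the syslog header, if any, is
    kept under the separate key "syslog_header" so the relay's timestamp is
    never confused with the record's own time field."""
    line = line.strip()
    record = {}
    m = _SYSLOG_PREFIX.match(line)
    if m:
        record["syslog_header"] = m.group("hdr")
        line = line[m.end():]
    for t in _TOKEN.finditer(line):
        val = t.group("val")
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        record[t.group("key")] = val
    return record


def is_proxy_record(rec):
    # Assumption of this example: proxy records carry an operation or URL argument.
    return "op" in rec or "arg" in rec


def proxy_records(lines):
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_welf_line(line)
        if "id" not in rec or "time" not in rec:
            continue  # id and time are mandatory in WELF; anything else is noise
        if is_proxy_record(rec):
            out.append(rec)
    return out


# Constructed sample: records 1, 4 and 5 of Example 12.3 (continuation
# backslashes removed) and one made-up non-proxy record.
WELF_SAMPLE = [
    'WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http '
    'src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com '
    'arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898',
    'WTsyslog[1998-08-01 03:02:03 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 03:06:43" fw=WebTrendsSample pri=6 proto=http '
    'src=10.0.0.2 dst=10.0.0.4 dstname=2.example.com arg=/ op=POST '
    'result=200 sent=2195',
    'WTsyslog[1998-08-01 16:25:33 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 06:30:09" fw=WebTrendsSample pri=6 proto=http '
    'src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com '
    'arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036',
    # constructed non-proxy record: no op/arg, so it is filtered out
    'WTsyslog[1998-08-01 00:05:00 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 00:09:40" fw=WebTrendsSample pri=6 proto=tcp '
    'src=10.0.0.2 dst=10.0.0.7 msg="packet dropped"',
]


def parse_welf_sample():
    return proxy_records(WELF_SAMPLE)


if __name__ == "__main__":
    for rec in parse_welf_sample():
        print(rec["time"], rec["src"], rec.get("op"), rec.get("arg"), rec.get("result"))
```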