
Logs functionality in MWG as ICAP Server

Hi.

I'm looking for the best configuration for log information, considering that my MWG is working as an ICAP server. I have a Squid doing the proxy function (ICAP client).

Besides that, is there any problem, with regard to logs, if mwg works in both reqmode and respmode?

Thanks in advance,

Fabio.

0 Kudos
3 Replies
McAfee Employee

Re: Logs functionality in MWG as ICAP Server

What version are you running?

When using MWG 6, you may need to check the boxes for REQMOD/RESPMOD, instead of Proxy gateway (see below):

loggingv6.png

In MWG 7, there shouldn't be anything you should need to do.

In terms of log file structure, I typically recommend the following format on MWG 6:

src_ip - "auth_user" time_stamp"req_line" status_code bytes_to_client "referer""user_agent" "attribute" block_res "media_type""profile" elapsed_time "virus_name" "categories"

In MWG 7, there shouldn't be anything you should need to do to the log format either.

Let me know if this helps,

Jon

0 Kudos

Re: Logs functionality in MWG as ICAP Server

Thank you Jon.

Your answer helps me. I'm using MWG 7.2.

Would you help me once more? There is an option called "bypass RESPmod for responses that must not contain a body" in Configuration > Appliances > nameofappliance > Proxies (HTTP(S), FTP, ICAP and IM), at the bottom of the page in Advanced Settings. What does this option really do? In what circumstances?

Thanks,

Fabio.

0 Kudos
eelsasser
Level 15

Re: Logs functionality in MWG as ICAP Server

I'm not sure exactly, but here's what I think it does.

Sometimes a response code is defined by the RFC to never include body data in the response.

For example:

204 No Content

The 204 response MUST NOT include a message-body, and thus is always terminated by the first empty line after the header fields.

There are some applications that abuse the HTTP protocol and violate the RFC.

If MWG enforces strict RFC compliance, then it will break some applications.

In order to allow some of these violations we have to bypass this condition.

That's my best guess.

0 Kudos
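
Added example, not part of the thread and not McAfee code: a Python sketch of the HTTP/1.1 rule the last reply refers to, classifying a captured response as one that may carry a body, one that must not, or one that must not but does anyway. It does not reproduce how MWG implements the option; the function names and sample messages are constructed, and each sample is assumed to be a single captured response with no pipelined data after it.

```python
def must_not_have_body(status: int, method: str = "GET") -> bool:
    """True when HTTP/1.1 framing rules give the response no message body."""
    method = method.upper()
    if method == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return True
    # A successful CONNECT switches to tunnel mode; no message body follows.
    return method == "CONNECT" and 200 <= status < 300

def parse_response(raw: bytes):
    """Return (status, lower-cased headers, bytes found after the header block)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest

def classify(raw: bytes, method: str = "GET") -> str:
    """Return 'has-body', 'no-body' or 'no-body-violation'."""
    status, headers, rest = parse_response(raw)
    if not must_not_have_body(status, method):
        return "has-body"
    # Content-Length on a 304 or HEAD response is legal (it describes the
    # omitted body), so framing headers are only flagged on 1xx and 204.
    strict = status == 204 or 100 <= status < 200
    declared = (headers.get("content-length", "0") not in ("", "0")
                or "transfer-encoding" in headers)
    if rest or (strict and declared):
        return "no-body-violation"
    return "no-body"

# Constructed sample responses.
OK_204 = b"HTTP/1.1 204 No Content\r\nServer: example\r\n\r\n"
BAD_204 = b"HTTP/1.1 204 No Content\r\nContent-Length: 5\r\n\r\nhello"
NORMAL_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
NOT_MODIFIED = b"HTTP/1.1 304 Not Modified\r\nContent-Length: 1234\r\n\r\n"

if __name__ == "__main__":
    for sample in (OK_204, BAD_204, NORMAL_200, NOT_MODIFIED):
        print(sample.split(b"\r\n", 1)[0].decode(), "->", classify(sample))
```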