itsec
Level 7

access_denied.log headers

Hi, I have been looking at adding headers for our access_denied.logs which are sent out to SIEM.  I've managed to match up the following but there are a few fields which I'm not sure what they correspond to - I've called these 'tba_'. 

Fields in list format are below.  Can anyone help?

#time_stamp
system_hostname
auth_user
src_ip
dst_ip
url_host
status_code
media_type
bytes_to_client
bytes_from_client
req_line
categories
rep_level
tba_1
current_ruleset_and_rulename
block_reason_ID
block_res
tba_2
virus_name
tba_3
app_rep_level
application_name
url
user_agent

Accepted Solutions
sroering
Level 13

Re: access_denied.log headers

Keep in mind that the header has no relation to the log body, so you could put anything in the header that you wanted.  But if you want to know what it would map to, then you need to look at the log writing rule.  This is the default rule.

access_denied_log.png

itsec
Level 7

Re: access_denied.log headers

yes, that's what I'm trying to do.  I thought I had a default access_denied.log but my entries look different - possibly b/c of the version I'm running - 7.3.0 (13875)?

My entries in the log writing rule look like:

tba_1    String.ReplaceIfEquals (Number.ToString (Number), "", "-")
tba_2    String.ReplaceIfEquals (Boolean.ToString (Boolean), "", "-")
tba_3    String.ReplaceIfEquals (Boolean.ToString (Boolean), "", "-")

So I didn't have any idea what to map against.  The values in your entry make sense!

Thanks!

andyclements
Level 12

Re: access_denied.log headers

On my 7.3.2 system they show as:

tba1    Number.ToString (URL.Reputation)
tba2    Boolean.ToString (Antimalware.Infected)
tba3    Boolean.ToString (Body.Modified)

If I drill down through the edit of each rule they eventually display as Number.ToString(Number), but on the rule set page they are shown the same as in sroering's screenshot.  Try opening each line up; they should tell you what the Number or Boolean is referring to.  It may be a version thing, as the current controlled release is a few versions past where you are.

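To show how the header list from the question and the field meanings from andyclements' reply fit together on the receiving side, here is an added example (not from the original thread or from the product vendor) of a small parser a SIEM collector could use. It assumes a space-separated line with double-quoted values, that the rule's String.ReplaceIfEquals(..., "", "-") writes "-" for empty values, and it renames tba_1/tba_2/tba_3 to url_reputation, antimalware_infected and body_modified per the 7.3.2 mapping above; the log line itself is constructed, not real output. The column-count check matters because a header that drifts out of step with the log writing rule silently mislabels every field downstream.

```python
import csv
import io
from typing import Any, Dict, List

# Column order taken from the header list in the original question. The three
# "tba_" placeholders are renamed to what the rule entries expand to on 7.3.2
# according to andyclements: URL.Reputation, Antimalware.Infected, Body.Modified.
HEADER: List[str] = [
    "time_stamp", "system_hostname", "auth_user", "src_ip", "dst_ip",
    "url_host", "status_code", "media_type", "bytes_to_client",
    "bytes_from_client", "req_line", "categories", "rep_level",
    "url_reputation", "current_ruleset_and_rulename", "block_reason_id",
    "block_res", "antimalware_infected", "virus_name", "body_modified",
    "app_rep_level", "application_name", "url", "user_agent",
]

# Fields typed as numbers (Number.ToString) and booleans (Boolean.ToString).
INT_FIELDS = {"status_code", "bytes_to_client", "bytes_from_client",
              "url_reputation", "block_reason_id"}
BOOL_FIELDS = {"antimalware_infected", "body_modified"}

# Constructed sample line (assumption, not real log output): values are
# space-separated and double-quoted; "-" is what ReplaceIfEquals writes for "".
SAMPLE_LINE = (
    '"[25/Mar/2015:10:15:31 +0000]" "proxy01" "jdoe" "10.1.2.3" "203.0.113.10" '
    '"www.example.com" "403" "text/html" "1024" "512" '
    '"GET http://www.example.com/index.html HTTP/1.1" "Malicious Sites" '
    '"High Risk" "-90" "Default - Block Malicious URLs" "80" "-" '
    '"false" "-" "false" "-" "-" "http://www.example.com/index.html" '
    '"Mozilla/5.0"'
)


def header_line() -> str:
    """Header in the '#time_stamp ...' style used at the top of the log file."""
    return "#" + " ".join(HEADER)


def is_header(line: str) -> bool:
    """True for the comment-style header line so it can be skipped when parsing."""
    return line.startswith("#")


def parse_access_denied(line: str) -> Dict[str, Any]:
    """Map one log line onto HEADER and normalise placeholder and typed values.

    A column-count mismatch raises instead of being silently mis-assigned:
    a shifted column is exactly the defect that corrupts SIEM correlation.
    """
    fields = next(csv.reader(io.StringIO(line), delimiter=" ", quotechar='"'))
    if len(fields) != len(HEADER):
        raise ValueError(f"expected {len(HEADER)} fields, got {len(fields)}")
    record: Dict[str, Any] = dict(zip(HEADER, fields))
    for name, value in record.items():
        if value == "-":          # empty value written by ReplaceIfEquals
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        elif name in BOOL_FIELDS:
            record[name] = value.lower() == "true"
    return record


def blocked_for_malware(record: Dict[str, Any]) -> bool:
    """Triage helper: did the anti-malware engine, not just URL reputation, fire?"""
    return bool(record["antimalware_infected"]) or record["virus_name"] is not None


if __name__ == "__main__":
    print(header_line())
    rec = parse_access_denied(SAMPLE_LINE)
    for key in ("auth_user", "url_reputation", "antimalware_infected", "block_res"):
        print(f"{key} = {rec[key]!r}")
    print("malware block:", blocked_for_malware(rec))
```

If your log writing rule uses a different delimiter or quoting, change the csv.reader arguments to match; the header-to-column mapping and the "-" handling stay the same.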
itsec
Level 7

Re: access_denied.log headers

I thought I had drilled down...obv not far enough, as lo and behold, when I do go into it, the final parameter property page I see does indeed show the value.

cool, ya learn something new etc etc...
