cancel
Showing results for 
Search instead for 
Did you mean: 
jemer
Level 7

entries in multiple logfiles

hi,

there is something i don't understand in the loghandler.

I've an access.log where anything is written to.

Now i want a rule where a specific URL should be written to a specific logfile and not to the access.log.

So i build a rule which contains the following and push it as the top log rule:

Rule criteria:

URL that matches *feeds.store.ovi.com*

Action:

stop rule set

Events: 

Set User-Defined.logLine cleanup 2 = DateTime.ToWebReporterString + " "" + Authentication.UserName + "" " + String.ReplaceIfEquals (IP.ToString (Client.IP), "", "-") + " " + String.ReplaceIfEquals (Number.ToString (Response.StatusCode), "", "-") + " "" + Request.Header.FirstLine + "" " + """ + List.OfCategory.ToString (URL.Categories) + "" "" + String.ReplaceIfEquals (URL.ReputationString, "", "-") + "" "" + MediaType.ToString (MediaType.FromHeader) + "" " + String.ReplaceIfEquals (Number.ToString (BytesToClient), "", "-") + " "" + Header.Request.Get ("User-Agent") + "" "" + List.OfString.ToString (Antimalware.VirusNames) + "" "" + Number.ToString (Block.ID) + """ 

FileSystemLogging.WriteLogEntry (User-Defined.logLine cleanup 2)

the user-defined.logLine cleanup 2 contains the name of the specific logfile (access-cleanup.log).

Now the problem:

with my browser i go to http://feeds.store.ovi.com to test it and the URL is rewritten by the webserver to http://web.feeds.store.ovi.com (should match by *feeds.store.ovi.com*, "edit criteria test" says it does)

I get entries in the logfile access-cleanup.log, but after a few seconds there are entries in the access.log too.

Access-cleanup contains feeds.store.ovi.com and web.feeds.store.ovi.com, access.log only contains web.feeds.store.ovi.com entries.

Now the question:

Where is my mistake?

best regards

Jens

0 Kudos
5 Replies
eelsasser
Level 15

Re: entries in multiple logfiles

Don't have an action for Stop Rule Set. Change the action to Continue, so the rules below it will log in the access.log.

You may also want to chante the condition to

URL.Host matches "*feeds.store.ovi.com"

Don't scan the whole URL, just the Host.

0 Kudos
jemer
Level 7

Re: entries in multiple logfiles

with "continue" as action, i've the same entries in both logfiles, but anything that matches the URL.Host should be written to the access-cleanup.log instead of the access.log

0 Kudos
eelsasser
Level 15

Re: entries in multiple logfiles

Ahhh. "Instead of".

Still, the change to URL.Host should help instaed of URL.

0 Kudos
jemer
Level 7

Re: entries in multiple logfiles

its not working, i've still entries in both logfiles.

0 Kudos
eelsasser
Level 15

Re: entries in multiple logfiles

Well. It looks like something in the logic and sequence of log handler rules.

Export and post your Default Log Handler rule set to look at.

0 Kudos