4 Replies Latest reply on May 9, 2013 11:19 AM by itsec

    access_denied.log headers

    itsec

      Hi, I have been looking at adding headers for our access_denied.logs which are sent out to SIEM.  I've managed to match up the following but there are a few fields which I'm not sure what they correspond to - I've called these 'tba_'. 

      Fields in list format are below.  Can anyone help?


      #time_stamp
      system_hostname
      auth_user
      src_ip
      dst_ip
      url_host
      status_code
      media_type
      bytes_to_client
      bytes_from_client
      req_line
      categories
      rep_level
      tba_1
      current_ruleset_and_rulename
      block_reason_ID
      block_res
      tba_2
      virus_name
      tba_3
      app_rep_level
      application_name
      url
      user_agent


        • 1. Re: access_denied.log headers
          sroering

          Keep in mind that the header has no relation to the log body, so you could put anything in the header that you wanted.  But if you want to know what it would map to, then you need to look at the log writing rule.  This is the default rule.

          [screenshot: access_denied_log.png]

          • 2. Re: access_denied.log headers
            itsec

            Yes, that's what I'm trying to do.  I thought I had a default access_denied.log but my entries look different - possibly b/c of the version I'm running - 7.3.0 (13875)?

            My entries in the log writing rule look like:

            tba_1    String.ReplaceIfEquals (Number.ToString (Number), "", "-")
            tba_2    String.ReplaceIfEquals (Boolean.ToString (Boolean), "", "-")
            tba_3    String.ReplaceIfEquals (Boolean.ToString (Boolean), "", "-")

            So I didn't have any idea what to map against.  The values in your entry make sense!

            Thanks!

            • 3. Re: access_denied.log headers
              andyclements

              On my 7.3.2 system they show as:

              tba1    Number.ToString (URL.Reputation)
              tba2    Boolean.ToString (Antimalware.Infected)
              tba3    Boolean.ToString (Body.Modified)

              If I drill down through the edit of each rule, they are eventually displayed as Number.ToString(Number), but on the rule set page they are shown the same as in sroering's screenshot.  Try opening each line up; they should tell you what the Number or Boolean is referring to.  It may be a version thing, as the current controlled release is a few versions past where you are.

              • 4. Re: access_denied.log headers
                itsec

                I thought I had drilled down... obviously not far enough, as lo and behold, when I do go into the final parameter property page it does indeed show the value.

                Cool, you learn something new etc. etc...
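As an added example (not from any poster in this thread, and not McAfee's own code), here is a small parser that turns an access_denied.log line into a record keyed by the header names listed in the question, with the three tba_ columns named after the properties andyclements reports (URL.Reputation, Antimalware.Infected, Body.Modified). It assumes a space-separated layout with double quotes around values containing spaces and treats "-" as the empty marker produced by String.ReplaceIfEquals; the sample line is constructed, not a real log entry.

```python
import shlex

# Field order exactly as listed in the question; the three tba_ fields carry
# the property names andyclements reports for them (URL.Reputation,
# Antimalware.Infected, Body.Modified).
FIELDS = [
    "time_stamp", "system_hostname", "auth_user", "src_ip", "dst_ip",
    "url_host", "status_code", "media_type", "bytes_to_client",
    "bytes_from_client", "req_line", "categories", "rep_level",
    "url_reputation", "current_ruleset_and_rulename", "block_reason_id",
    "block_res", "antimalware_infected", "virus_name", "body_modified",
    "app_rep_level", "application_name", "url", "user_agent",
]
INT_FIELDS = {"status_code", "bytes_to_client", "bytes_from_client",
              "url_reputation", "block_reason_id", "app_rep_level"}
BOOL_FIELDS = {"antimalware_infected", "body_modified"}


def convert(name, raw):
    """Undo String.ReplaceIfEquals(..., "", "-"): "-" means the property was empty."""
    if raw == "-":
        return None
    if name in INT_FIELDS:
        return int(raw)
    if name in BOOL_FIELDS:
        return {"true": True, "false": False}[raw.lower()]
    return raw


def header_line():
    """Header in the question's style: a '#' prefix, one name per column."""
    return "#" + " ".join(FIELDS)


def parse_access_denied(line):
    """Assumed layout (not from the thread): space-separated, double-quoted strings."""
    values = shlex.split(line)
    if len(values) != len(FIELDS):  # header and log rule must agree on column count
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}")
    return {name: convert(name, raw) for name, raw in zip(FIELDS, values)}


# Constructed sample line laid out in the assumed format (not a real log entry).
SAMPLE = (
    '"2013-05-09 11:19:00" mwg01 jsmith 10.1.2.3 203.0.113.10 blocked.example '
    '403 text/html 1024 256 "GET http://blocked.example/x.exe HTTP/1.1" '
    '"Malicious Sites" "High Risk" 40 "Default > Block Malicious URLs" 10 '
    '"URL blocked by reputation" false - false - - '
    'http://blocked.example/x.exe "Mozilla/5.0"'
)
```

Calling `parse_access_denied(SAMPLE)` yields typed values (ints, bools, None for "-"), which is what a SIEM normaliser wants; a line whose column count does not match the header raises instead of silently misaligning fields.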