FAQ

What are the required Main HTTP(S) access log fields for optimal performance using Blue Coat Reporter?

FAQ ID:    FAQ282
Version:    12.0
Status:    Published
Published date:    07/28/2009
Updated:    08/17/2011
 

Answer

For accurate and efficient reporting, the Reporter software expects to see these fields in the access log. Blue Coat recommends using logs that conform to ELFF standards and contain only these fields.

Using a Secure Gateway appliance from Blue Coat, you can choose these named access logs to ensure your HTTP and HTTPS access logs conform:

  • For main HTTP logs, choose the access log named bcreportermain_V1
  • For main HTTPS logs, choose the access log named bcreporterssl_v1
  • For video streaming activity, choose the access log named bcreporterstreaming_v1 (only available in SGOS 6.2.X releases and later).

On occasion, you may want to create your own access logs. To ensure trouble-free reporting, the fields for each log type are outlined below:

 The fields in HTTP main logs:

date time time-taken c-ip cs-username cs-auth-group x-exception-id cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) sc-filter-result s-ip sc-bytes cs-bytes x-virus-id x-exception-category.

NOTE: To capture application-related activity on social networking sites, the HTTP Main log has two new fields in the latest SGOS 6.2.X releases.

date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer)  sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation.

The fields in HTTPS main logs:

date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category

The fields in the Proxy Client access logs:

date time c-ip cs-username x-cs-auth-domain c-computername x-exception-id cs-categories cs-categories-exception cs(Referer) cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) r-ip
#Date: "2009-11-18 18:49:19"

The fields in the new video streaming logs (bcreporterstreaming_v1):

date time time-taken c-ip sc-status s-action sc-bytes rs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group cs(Referer) cs(User-Agent) c-starttime filelength filesize avgbandwidth x-rs-streaming-content x-streaming-rtmp-app-name x-streaming-rtmp-stream-name x-streaming-rtmp-swf-url x-streaming-rtmp-page-url s-ip s-dns s-session-id x-cache-info

While Blue Coat does not recommend deviating from the lists provided above, here is why some fields are, perhaps, more essential than others.

For core database functionality:

 cs-host, sc-status, cs-uri-scheme

For the Page View Combiner (PVC) feature:

cs(Referer) or x-cs(Referer)-uri

x-exception-id (or sc-filter-result)

sc-filter-category, cs-category, or cs-categories

 

For Dashboard reports that are configured by default:

cs-username, cs-user, x-cache-user, cs-userdn, x-radius-splash-username, or x-cs-session-username

Note: We only need one of the user based fields.  

 When using HTTPS Main logs:

x-rs-certificate-observed-errors (Certificate Error)

x-rs-certificate-hostname (Cert Svr Domain)
x-rs-certificate-hostname-category (Certificate Category)

x-rs-connection-negotiated-cipher-strength (Cipher Strength)
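
A pre-flight check for a custom access log format, as an added example that is not Blue Coat's code: it reads the ELFF `#Fields:` directive from a log header and reports which of the field groups listed above are not satisfied. The group names, the reading of each list as "at least one field per line", and the sample header are assumptions made for this example.

```python
# Added example. Groups are transcribed from the FAQ; each tuple means
# "at least one of these fields", which is an assumption about the lists.
REQUIRED_GROUPS = {
    "core database": [("cs-host",), ("sc-status",), ("cs-uri-scheme",)],
    "page view combiner": [
        ("cs(Referer)", "x-cs(Referer)-uri"),
        ("x-exception-id", "sc-filter-result"),
        ("sc-filter-category", "cs-category", "cs-categories"),
    ],
    "default dashboards": [
        ("cs-username", "cs-user", "x-cache-user", "cs-userdn",
         "x-radius-splash-username", "x-cs-session-username"),
    ],
    "https reports": [
        ("x-rs-certificate-observed-errors",),
        ("x-rs-certificate-hostname",),
        ("x-rs-certificate-hostname-category",),
        ("x-rs-connection-negotiated-cipher-strength",),
    ],
}
HTTP_FEATURES = ("core database", "page view combiner", "default dashboards")

def parse_fields(log_text):
    """Return the field names from the first ELFF '#Fields:' directive."""
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            return line[len("#Fields:"):].split()
    raise ValueError("no #Fields: directive found")

def missing_by_feature(fields, features=HTTP_FEATURES):
    """Map each feature to the field groups that the log format does not satisfy."""
    present = set(fields)
    report = {}
    for feature in features:
        gaps = [alts for alts in REQUIRED_GROUPS[feature] if not present & set(alts)]
        if gaps:
            report[feature] = gaps
    return report

# Constructed sample: a custom format that dropped the referer and user fields.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time time-taken c-ip x-exception-id cs-categories sc-status s-action cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path sc-bytes cs-bytes
"""

if __name__ == "__main__":
    for feature, gaps in missing_by_feature(parse_fields(SAMPLE_LOG)).items():
        print(f"{feature}: need one field from each of {gaps}")
```

For an HTTPS Main log, pass `features=HTTP_FEATURES + ("https reports",)` so the certificate and cipher fields are checked as well.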

NOTE1: CIFS access log support was discontinued in Blue Coat Reporter 9.1.x versions.

NOTE2: Even though the x-exception-category field appears in the access log above, it is not a database field we store in Reporter. We read it from the logs and use it instead of the sc-filter-category in certain cases. In some older versions of the SG operating system (version 4), the x-exception-category field does not exist.

NOTE3: For a list of the access log types that Reporter does NOT support, please see FAQ765

NOTE4: For more detailed information on how we use the x-virus-id field, see KB3967

NOTE5: For more detailed information on how we use the cs-bytes, and sc-bytes fields, see KB3989

NOTE6: For more detailed information on how we use the sc-filter-result field, see KB1790

NOTE7: For full functionality, Blue Coat Web Filter (BCWF) needs to be enabled in your SG appliance configuration.

  • Without BCWF enabled you will not see the cs-categories field populated, and consequently you will not be able to fully populate any report that contains category data.
  • Without BCWF enabled you will not see data in any Web Search reports. Web Search reports were included in the 9.2.x release of Reporter. For more information on these reports, see KB3786
