FAQ

Why do access logs in NCSA format sometimes have the host name in a URL and other times it is missing?

FAQ ID:    FAQ539
Version:    1.0
Status:    Published
Published date:    10/13/2009
 

Answer

NCSA is a reserved access log format on the ProxySG that cannot be edited. The NCSA/Common format contains the following strings:

remotehost rfc931 authuser [date] "request" status bytes

The ELFF/custom access log format strings that represent the strings above are:

$(c-ip) - $(cs-username) $(localtime) $(cs-request-line) $(sc-status) $(sc-bytes)

The variable that displays the URL in the access log is "request" or "cs-request-line". This is the request line of the GET request sent by the client.  Since in a transparent proxy mode the host name is not present in the request line of the GET request but instead is only found in the host header, the
URL in the access logs will also not contain the host name. However, because it is present in an explicit proxy mode, the URL in the access logs will include the host name.

If you have access logs in NCSA format or any format that contains "cs-request-line" and you are seeing some entries with the host name and others without, it may be caused by having a mixed deployment mode environment (some users transparently intercepted and others explicitly). You will also see this difference if you move a proxy from one deployment mode to another.

If you are facing a problem with this as you have transparently intercepted users and need the logs to display the host name you can create a custom format on the ProxySG that consists of the ELFF format strings above and include "cs-host" which will display the host name of the request and associate log to this custom format. For more information on creating a custom access log see the Configuration Management Guide Volume 8 SGOS 5.x  or Chapter 20 for SGOS 4.x. (available at https://bto.bluecoat.com/documentation)

 


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question