topic Re: url field in cutom log format ? in General Topics

url field in cutom log format ?

Karl — Thu, 11 Oct 2012 14:55:39 GMT

Hi all,

I'm trying to customize the log forward to my Syslog.

In syslog server profile / custom log format / threat, I definitely not succeed in finding the right field where visited website urls are stored !

If somebody have an idea ?

Regards,

Karl

Re: url field in cutom log format ?

ppatel — Thu, 11 Oct 2012 16:07:59 GMT

Hi Karl,

Under custom log format in syslog profiles for threat, there is no URL field. However, as seen below, 'src' and 'dst' field highlighted below should be the source address and the destination address.

When compared to Monitor > Logs > Threat logs, source address would be "attacker" and the destination address would be the "victim". There is a checkbox "Resolve hostname" in the web UI, which will resolve the ip-addresses. However this is restricted to just the firewall.

When you export it to syslog, I believe only the ip-addresses will show up for the threat logs and not the URLs.

Let me know if this explanation helps.

Regards

Parth

Re: url field in cutom log format ?

sdurga — Thu, 11 Oct 2012 17:39:24 GMT

Hi,

You have to export the informational level threat logs to syslog in order to get the URL logs, having said that if you use the default syslog format then you will get all the fields including the URL field you are looking for as shown below.

You can see the URL www.evernote.com in the above pic. With regards to custom format, Try exporting only $category and $domain in order to get only URL's and their category in the syslog.

Re: url field in cutom log format ?

sdurga — Thu, 11 Oct 2012 18:18:29 GMT

Tested this on my box and works as expected

Let us know if u need more info.

Tx,

Sandeep T

Re: url field in cutom log format ?

Karl — Fri, 12 Oct 2012 09:07:45 GMT

Hi,

On my box runnig v4.1.7, the field $domain always returns value 1

Finaly I found that urls are stored in filed $misc !!!

By the way, I noticed that urls on port 80 are stored entirely, whereas for the urls on port https 443 only the left part is stored

Oct 12 11:01:13 business-and-economy 1 "batellerie.org/images/thumbs/logo_site_batellerie_org.png" (port 80) -> works fine

Oct 12 11:01:47 social-networking 1 "3-ect.channel.facebook.com/" (port 443) -> nothing after the slash

Regards,

Karl

Re: url field in cutom log format ?

sdurga — Fri, 12 Oct 2012 15:25:38 GMT

This is expected behavior, URL's for the port 443 is derived from the certificate common name, because it is an SSL connection so we do not have the visibility into http get requests so we make use of the SSL certificate common name for finding the website name.

Tx,

Sandeep T

Re: url field in cutom log format ?

Karl — Mon, 15 Oct 2012 15:16:19 GMT

Hi,

Thanks for your answer. Do you think that with a decryption policy enabled, the entire url would be displayed ?

Regards,

Karl