10-11-2012 07:55 AM
Hi all,
I'm trying to customize the log forward to my Syslog.
In syslog server profile / custom log format / threat, I definitely do not succeed in finding the right field where visited website URLs are stored!
If somebody has an idea?
Regards,
Karl
10-11-2012 09:07 AM
Hi Karl,
Under custom log format in syslog profiles for threat, there is no URL field. However, as seen below, the 'src' and 'dst' fields highlighted below should be the source address and the destination address.
When compared to Monitor > Logs > Threat logs, the source address would be the "attacker" and the destination address would be the "victim". There is a checkbox "Resolve hostname" in the web UI, which will resolve the IP addresses. However, this is restricted to just the firewall.
When you export it to syslog, I believe only the IP addresses will show up for the threat logs and not the URLs.
Let me know if this explanation helps.
Regards
Parth
10-11-2012 10:39 AM
Hi,
You have to export the informational-level threat logs to syslog in order to get the URL logs. Having said that, if you use the default syslog format, then you will get all the fields, including the URL field you are looking for, as shown below.
You can see the URL www.evernote.com in the above pic. With regards to custom format, try exporting only $category and $domain in order to get only the URLs and their category in the syslog.
10-11-2012 11:18 AM
Tested this on my box and it works as expected.
Let us know if you need more info.
Tx,
Sandeep T
10-12-2012 02:07 AM
Hi,
On my box running v4.1.7, the field $domain always returns the value 1.
Finally I found that URLs are stored in the field $misc!!!
By the way, I noticed that URLs on port 80 are stored entirely, whereas for URLs on HTTPS port 443 only the left part is stored:
Oct 12 11:01:13 business-and-economy 1 "batellerie.org/images/thumbs/logo_site_batellerie_org.png" (port 80) -> works fine
Oct 12 11:01:47 social-networking 1 "3-ect.channel.facebook.com/" (port 443) -> nothing after the slash
Regards,
Karl
10-12-2012 08:25 AM
This is expected behavior. URLs for port 443 are derived from the certificate common name: because it is an SSL connection, we do not have visibility into the HTTP GET requests, so we make use of the SSL certificate common name for finding the website name.
Tx,
Sandeep T
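The two syslog lines Karl pasted, and Sandeep's explanation of why the HTTPS entry stops at the hostname, are easier to work with once the export is parsed into fields. The following is an added example, not code from this thread or from Palo Alto Networks: it assumes Karl's custom format was $category $domain $misc (timestamp prefixed by the syslog server, $misc quoted), which is an assumption reconstructed from his sample lines, and it flags entries where only a hostname survived, which is the shape a certificate-common-name-derived HTTPS entry takes. The sample lines are constructed from the thread plus one extra empty-$misc line to show how a blank value is skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample export. Assumed layout: syslog timestamp, $category,
# $domain (which returned 1 on Karl's v4.1.7 box), then $misc in quotes.
# The third line is an added empty-$misc case, not from the thread.
SAMPLE_LOG = """\
Oct 12 11:01:13 business-and-economy 1 "batellerie.org/images/thumbs/logo_site_batellerie_org.png"
Oct 12 11:01:47 social-networking 1 "3-ect.channel.facebook.com/"
Oct 12 11:02:05 unknown 1 ""
"""

# One line of the assumed custom format; $misc may contain anything but a quote.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<category>\S+) (?P<domain>\S+) "(?P<misc>[^"]*)"$'
)


@dataclass
class UrlEntry:
    timestamp: str
    category: str
    host: str
    path: str

    @property
    def host_only(self) -> bool:
        # True when nothing beyond the hostname survived. For HTTPS traffic
        # without decryption this is expected: the firewall only sees the
        # certificate common name, not the request path.
        return self.path in ("", "/")


def parse_line(line: str) -> Optional[UrlEntry]:
    """Parse one exported line; return None for unparseable or empty $misc."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("misc"):
        return None
    # $misc carries "host/path" with no scheme; split on the first slash.
    host, sep, rest = m.group("misc").partition("/")
    return UrlEntry(m.group("ts"), m.group("category"), host, sep + rest)


def parse_log(text: str) -> List[UrlEntry]:
    """Parse every line of an export, dropping lines with no URL."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def summarize(entries: List[UrlEntry]) -> Dict[str, int]:
    """Count entries that carry a full URL versus only a hostname."""
    host_only = sum(1 for e in entries if e.host_only)
    return {"full_url": len(entries) - host_only, "host_only": host_only}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        kind = "host only (likely HTTPS, from cert CN)" if e.host_only else "full URL"
        print(f"{e.timestamp} {e.category:<22} {e.host}{e.path} [{kind}]")
    print(summarize(parsed))
```

When reviewing such an export, the host_only flag tells you which entries came through with no path information, so an analyst does not mistake the bare facebook.com hostname for the complete request.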
10-15-2012 08:16 AM
Hi,
Thanks for your answer. Do you think that with a decryption policy enabled, the entire URL would be displayed?
Regards,
Karl