Under custom log format in syslog profiles for threat, there is no URL field. However, as seen below, the 'src' and 'dst' fields highlighted below should be the source address and the destination address.
When compared to Monitor > Logs > Threat logs, the source address would be the "attacker" and the destination address would be the "victim". There is a checkbox "Resolve hostname" in the web UI, which will resolve the IP addresses. However, this is restricted to just the firewall.
When you export it to syslog, I believe only the IP addresses will show up for the threat logs and not the URLs.
Let me know if this explanation helps.
You have to export the informational level threat logs to syslog in order to get the URL logs. Having said that, if you use the default syslog format, then you will get all the fields, including the URL field you are looking for, as shown below.
You can see the URL www.evernote.com in the above pic. With regard to custom format, try exporting only $category and $domain in order to get only URLs and their category in the syslog.
On my box running v4.1.7, the field $domain always returns value 1.
Finally, I found that URLs are stored in the field $misc !!!
By the way, I noticed that URLs on port 80 are stored entirely, whereas for the URLs on port https 443 only the left part is stored.
Oct 12 11:01:13 business-and-economy 1 "batellerie.org/images/thumbs/logo_site_batellerie_org.png" (port 80) -> works fine
Oct 12 11:01:47 social-networking 1 "3-ect.channel.facebook.com/" (port 443) -> nothing after the slash
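
For anyone ingesting this custom format on the syslog receiver, here is an added example (not part of the original posts and not Palo Alto Networks code) that parses lines of the shape quoted above and marks entries where only the hostname was logged, as reported for port 443. The layout `timestamp $category $domain "$misc"` is an assumption inferred from the two sample lines, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: the two lines quoted in the post without their
# trailing "(port ...)" annotations, plus one constructed line with no URL.
SAMPLE = '''\
Oct 12 11:01:13 business-and-economy 1 "batellerie.org/images/thumbs/logo_site_batellerie_org.png"
Oct 12 11:01:47 social-networking 1 "3-ect.channel.facebook.com/"
Oct 12 11:02:05 unknown 1 ""
'''

# Assumed layout: syslog timestamp, $category, $domain, quoted $misc.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<category>\S+) (?P<domain>\S+) "(?P<misc>[^"]*)"\s*$'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # $misc carries the URL without a scheme: host, then optional path.
    host, sep, path = rec["misc"].partition("/")
    rec["host"] = host.lower()
    rec["path"] = sep + path
    # True when nothing follows the hostname (path is empty or just "/").
    rec["host_only"] = bool(host) and path == ""
    return rec

def parse_log(text):
    """Split a log into parsed URL records and lines that were rejected."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is not None and rec["host"]:
            records.append(rec)
        else:
            rejected.append(line)  # malformed line or empty $misc
    return records, rejected

def host_only_by_category(records):
    """Count, per URL category, the entries logged without a path."""
    return Counter(r["category"] for r in records if r["host_only"])
```

Keeping the rejected lines rather than dropping them makes a change in the firewall's custom format visible on the receiver instead of silently losing URL records.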