url field in cutom log format ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

url field in cutom log format ?

L1 Bithead

Hi all,

I'm trying to customize the log forward to my Syslog.

In syslog server profile / custom log format / threat, I definitely not succeed in finding the right field where visited website urls are stored !

If somebody have an idea ?

Regards,

Karl

6 REPLIES 6

L4 Transporter

Hi Karl,

Under custom log format in syslog profiles for threat, there is no URL field. However, as seen below, 'src' and 'dst' field highlighted below should be the source address and the destination address.

cu-log-frmt.PNG

When compared to Monitor > Logs > Threat logs,  source address would be "attacker" and the destination address would be the "victim". There is a checkbox "Resolve hostname" in the web UI, which will resolve the ip-addresses. However this is restricted to just the firewall.

resolve.PNG

When you export it to syslog, I believe only the ip-addresses will show up for the threat logs and not the URLs.

Let me know if this explanation helps.

Regards

Parth

L6 Presenter

Hi,

You have to export  the informational level threat logs to syslog in order to get the URL logs, having said that if you use the default syslog format then you will get all the fields including the URL field you are looking for as shown below.

Capture1.PNG

You can see the URL www.evernote.com in the above pic. With regards to custom format, Try exporting only $category and $domain in order to get only URL's and their category  in the syslog.Capture2.PNG

Tested this on my box and works as expected

Capture9.PNG

Let us know if u need more info.

Tx,

Sandeep T

L1 Bithead

Hi,

On my box runnig v4.1.7, the field $domain always returns value 1 Smiley Sad

Finaly I found that urls are stored in filed $misc !!!

By the way, I noticed that urls on port 80 are stored entirely, whereas for the urls on port https 443 only the left part is stored

Oct 12 11:01:13 business-and-economy 1 "batellerie.org/images/thumbs/logo_site_batellerie_org.png" (port 80) -> works fine

Oct 12 11:01:47 social-networking 1 "3-ect.channel.facebook.com/" (port 443) -> nothing after the slash

Regards,

Karl

This is expected behavior, URL's for the port 443 is derived from the certificate common name, because it is an SSL connection so we do not have the visibility into http get requests so we make use of the SSL certificate common name for finding the website name.

Tx,

Sandeep T

Hi,

Thanks for your answer. Do you think that with a decryption policy enabled, the entire url would be displayed ?

Regards,

Karl

  • 3692 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!