Views:
You can modify the Content format field in the Access Syslog Server Profile to customize which entries in the access logs are sent to the syslog server. Use the following configuration parameters when modifying this field.
Note
Note
Configuration parameters that have the format {text}h represent keys that are HTTP headers, which are below the URL. HTTP headers are used by clients and servers to pass additional information with requests and responses.

Access Syslog Server Profile - Content Format Parameters

Key Name
Configuration Parameters
Description
recv_request_begin
{recv_request_begin}
The time (UTC) that the first package in the request was received.
recv_request_end
{recv_request_end}
The time (UTC) that the last package in the request was received.
send_request_begin
{send_request_begin}
The time (UTC) that the first package in the request was sent.
send_request_end
{send_request_end}
The time (UTC) that all packages in the request were sent.
recv_response_begin
{recv_response_begin}
The time (UTC) that the first package in the response was received.
recv_ response _end
{recv_response_end}
The time (UTC) that all packages in the response were received.
send_response_begin
{send_response_begin}
The time (UTC) that the first package in the response was sent.
send_response_end
{send_response_end}
The time (UTC) that all packages in the response were sent.
handle_time
{handle_time}
The time (milliseconds) it took for Deep Discovery Web Inspector to handle one transaction.
request_handle_time
{request_handle_time}
The time (milliseconds) it took for Deep Discovery Web Inspector to handle the request for one transaction.
response_handle_time
{response_handle_time}
The time (milliseconds) it took for Deep Discovery Web Inspector to handle the response for one transaction.
refer
{referer}h
Key is HTTP header.
location
{location}h
Key is HTTP header.
user-agent
{user-agent}h
Key is HTTP header.
host
{host}h
Key is HTTP header.
content-length
{content-length}h
Key is HTTP header.
content-type
{content-type}h
Key is HTTP header.
x-forwarded-for
{x-forwarded-for}h
Key is HTTP header.
content-encoding
{content-encoding}h
Key is HTTP header.
accept-encoding
{accept-encoding}h
Key is HTTP header.
content-disposition
{content-disposition}h
Key is HTTP header.
x-requested-with
{x-requested-with}h
Key is HTTP header.
connection
{connection}h
Key is HTTP header.
proxy-connection
{proxy-connection}h
Key is HTTP header.
x-authenticated-user
{x-authenticated-user}h
Key is HTTP header.
method
{method}h
Key is HTTP header.
path
{path}h
Key is HTTP header.
scheme
{scheme}h
Key is HTTP header.
status_code
{status_code}h
Key is HTTP header.
log_type
{log_type}
Fixed value is 1, which means access log.
company_id
{company_id}
Company ID
Reserved, value is default
ad_domain
{ad_domain}
Active Directory domain
Example: trendnet.org
user_name
{user_name}
Client IP
Example: 10.204.171.200
group_name
{group_name}
Active Directory group name
Example: sales
department
{department}
Active Directory department
Example: commercial
device
{device}
Device
Reserved, default null
app
{app}
Protocol channel
Can be one of the following values:
  • 1: HTTP
  • 2: HTTPS
  • 3: HTTP2
  • 4: FTP
tls_version
{tls_version}
TLS version
Can be one of the following values:
  • 0: None TLS
  • 1: SSLv3
  • 2: TLSv1.0
  • 3: TLSv1.1
  • 4: TLSv1.2
size
{size}
Transport bytes by Deep Discovery Web Inspector, unit bytes
Example: 15
dst
{dst}
Destination IP address of request
Example: 54.148.125.151
src
{src}
Source IP address of request
Example: 10.204.171.200
upstream_size
{upstream_size}
The upstream payload from Deep Discovery Web Inspector to server, unit bytes
Example: 54
downstream_size
{downstream_size}
The downstream payload from server to Deep Discovery Web Inspector, unit bytes
Example: 49
domain
{domain}
Domain
Example: ca95-1.winshipway.com
tech_type
{tech_type}
Detection type
Example: 70
tech_sub_type
{tech_sub_type}
Detection sub-type
Reserved, default 0
threat_type
{threat_type}
Threat type
  • 1: Ransomware
  • 2: C&C Callback
  • 3: Suspicious Malware
  • 4: Suspicious URLs
  • 5: Suspicious Documents
  • 6: Suspicious Scripts
  • 7: Malicious URL
  • 8: Malicious Content
  • 9: Suspicious Content
  • 10: Coin Miners
severity
{severity}
Risk level
  • 0: user defined
  • 1: low
  • 2: medium
  • 3: high
  • 4: Potential Threat
policy_name
{policy_name}
Policy name
Example: test
profile_name
{profile_name}
Profile name
Reserved, currently displays as default
wrs_threshold
{wrs_threshold}
WRS threshold
Value is set to 50
principal_name
{principal_name}
Principal name
Reserved, default is null
request
{request}
URL
Example: hxxp://ca95-1.winshipway.com/
cat
{cat}
URL category
Example: Ransomware
app_name
{app_name}
Application name
Reserved, default is null
wrs_score
{wrs_score}
WRS score
Example: 81
malware_type
{malware_type}
Malware type
Reserved, default 0
malware_name
{malware_name}
Malware name
Example: Ransomware
so_data
{so_data}
Suspicious object displayed on the Deep Discovery Web Inspector Detections page
Can be one of the following types:
  • Domain
  • URL
  • Server IP
  • File SHA1
fname
{fname}
File name
Example: a.txt
filehash
{filehash}
SHA1
Example: 0d3d4cdfff683b0c17843a889e867fe29095c3ac
act
{act}
Action
Can be one of the following values:
  • allow
  • monitor
  • block
  • warning
  • analyzing
msg
{msg}
Log description
Value is null
rt
{rt}
UTC timestamp
Example: Oct 20 2017 17:15:57 GMT+00:00
local_addr
{local_addr}
The Deep Discovery Web Inspector management console IP address.
Keywords: syslog server profile,content format parameters,for syslog server profile, content format