Hi Tom, I know, that's what I'm asking about. The issue is that that single line is really 2 requests joined together in one log file line. If you look starting at the beginning of the line everything is cool until you get to the uri column, right after the TCP GET. Instead of a url part of a client useragent appears followed by the the rest of a separate request. In other words, the first 18 fields of the first request are joined with the last 22 fields of the next request and written to one single line in the log file. -Shawn -----Original Message----- From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, March 07, 2002 3:03 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Funkiness in W3C Extended Format Log File http://www.ISAserver.org Hi Shawn, The 407 indicates that authentication was required but not received. HTH, Tom -----Original Message----- From: Quillman Shawn (RBNA/CIT5) [mailto:Shawn.Quillman@xxxxxxxxxxxx] Sent: Thursday, March 07, 2002 11:15 AM To: [ISAserver.org Discussion List] Subject: [isalist] Funkiness in W3C Extended Format Log File http://www.ISAserver.org Hi Experts Out There (ie- Tom and Jim :), I'm writing a w3c -> isa log format converter and have noticed something odd in a w3c format log file for the web proxy service (running only in cache mode so can't check the firewall log). Basically, there are two lines merged into one with fields lost in each (I log all fields). I think there are possibly 27 of these in a file of 488852 lines. Here is an example: 10.24.145.105 anonymous Mozilla/4.0 (compatible; MSIE 5.0; Windows NT) N 2001-11-26 13:49:28 w3proxy FHISA01 - m1.maps.yahoo.com - 80 - - 3201 http TCP GET T 5.0) N 2001-11-26 13:49:15 w3proxy FHISA01 - www1.netquote.com - 443 - - 754 SSL-tunnel TCP CONNECT - - - 407 - - - It looks like the first line gets cut right before the uri field of the first line and joined with the the next line starting part way into the useragent field. In this case the useragent in the "second" line seems to be IE5.01 on W2K (Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)) or something similar. Looking at the activity around that area in the log, there doesn't seem to be anything abnormal in the way of malformed requests or anything. I discovered it after my conversion script had run on the file and I tried to do an analysis on the resulting isa format file using WebTrends Firewall Suite 4.0. WebTrends successfully analysed the new file but reported 27 instances of date and time being out of order. Any ideas? Think it may be a bug in ISA? I don't see anything related in the sp1 bug fix list. Call Microsoft? -Shawn > ____________________ > > Shawn R. Quillman > Robert Bosch Corporation AN-Fh/CIT5 > 38000 Hills Tech Drive > Farmington Hills, MI 48331 > (248) 553-1164 (P) (248) 848-2855 (F) > shawn.quillman@xxxxxxxxxxxx > ____________________ > ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: shawn.quillman@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')