RE: Funkiness in W3C Extended Format Log File

  • From: "Quillman Shawn (RBNA/CIT5)" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 7 Mar 2002 15:22:43 -0500

Hi Tom,

I know, that's what I'm asking about.  The issue is that that single line is
really 2 requests joined together in one log file line.  If you look
starting at the beginning of the line, everything is cool until you get to
the uri column, right after the TCP GET.  Instead of a url, part of a client
useragent appears, followed by the rest of a separate request.  In other
words, the first 18 fields of the first request are joined with the last 22
fields of the next request and written to one single line in the log file.

-Shawn

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, March 07, 2002 3:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Funkiness in W3C Extended Format Log File


http://www.ISAserver.org


Hi Shawn,

The 407 indicates that authentication was required but not received.

HTH,
Tom

-----Original Message-----
From: Quillman Shawn (RBNA/CIT5) [mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: Thursday, March 07, 2002 11:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Funkiness in W3C Extended Format Log File


Hi Experts Out There (i.e., Tom and Jim :),

I'm writing a w3c -> isa log format converter and have noticed something odd
in a w3c format log file for the web proxy service (running only in cache
mode so can't check the firewall log).  Basically, there are two lines
merged into one with fields lost in each (I log all fields).  I think there
are possibly 27 of these in a file of 488852 lines.  Here is an example:

10.24.145.105   anonymous       Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)  N       2001-11-26  13:49:28    w3proxy FHISA01 -       m1.maps.yahoo.com       -       80      -       -       3201    http    TCP     GET     T 5.0)  N       2001-11-26      13:49:15        w3proxy FHISA01 -       www1.netquote.com       -       443     -       -       754     SSL-tunnel      TCP     CONNECT -       -       -       407 -   -       -

It looks like the first line gets cut right before the uri field of the
first line and joined with the next line starting part way into the
useragent field.  In this case the useragent in the "second" line seems to
be IE5.01 on W2K (Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)) or
something similar.  Looking at the activity around that area in the log,
there doesn't seem to be anything abnormal in the way of malformed requests
or anything.  I discovered it after my conversion script had run on the file
and I tried to do an analysis on the resulting isa format file using
WebTrends Firewall Suite 4.0.  WebTrends successfully analysed the new file
but reported 27 instances of date and time being out of order.

Any ideas?  Think it may be a bug in ISA?  I don't see anything related in
the sp1 bug fix list.  Call Microsoft?

-Shawn

> ____________________
> 
> Shawn R. Quillman
> Robert Bosch Corporation AN-Fh/CIT5
> 38000 Hills Tech Drive
> Farmington Hills, MI  48331
> (248) 553-1164 (P)     (248) 848-2855 (F)
> shawn.quillman@xxxxxxxxxxxx
> ____________________
> 
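
Added example, not part of the original thread or of any ISA Server tooling: a pre-conversion check that flags spliced records like the one quoted above, by comparing each line against the #Fields directive and looking for a second date value outside the date column. It assumes a tab-delimited log with a #Fields header; the 8-field layout, addresses and host names are constructed for the example.

```python
import re

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed sample: a cut-down 8-field layout, not the real ISA field list.
UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"
SAMPLE = [
    "#Version: 1.0",
    "#Fields: c-ip\tc-agent\tdate\ttime\tr-host\ts-operation\tcs-uri\tsc-status",
    f"10.0.0.5\t{UA}\t2001-11-26\t13:49:10\texample.com\tGET\thttp://example.com/\t200",
    # First 6 fields of one request spliced onto the tail of another.
    f"10.0.0.5\t{UA}\t2001-11-26\t13:49:28\texample.org\tGET\tT 5.0)\t2001-11-26"
    "\t13:49:15\texample.net\tCONNECT\t-\t407",
    f"10.0.0.7\t{UA}\t2001-11-26\t13:49:30\texample.com\tGET\thttp://example.com/a\t200",
]


def find_merged_records(lines):
    """Return [(line_no, n_columns, reasons)] for records that look spliced."""
    fields, findings = [], []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#"):
            # Directive line; #Fields defines the expected column layout.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not line or not fields:
            continue
        cols = line.split("\t")  # values such as the user agent contain spaces
        reasons = []
        if len(cols) != len(fields):
            reasons.append(f"expected {len(fields)} fields")
        # A date value outside the 'date' column means another record's
        # fields were appended to this line.
        date_idx = fields.index("date") if "date" in fields else -1
        stray = [i for i, v in enumerate(cols)
                 if i != date_idx and DATE_RE.fullmatch(v)]
        if stray:
            reasons.append(f"date value in column(s) {stray}")
        if reasons:
            findings.append((line_no, len(cols), reasons))
    return findings


if __name__ == "__main__":
    for line_no, n_cols, reasons in find_merged_records(SAMPLE):
        print(f"line {line_no}: {n_cols} columns; " + "; ".join(reasons))
```

Flagged lines are best written to a separate quarantine file instead of being converted, so the analysis tool downstream never sees records with misplaced dates and times.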
