File format definition for full traffic logging

The log files downloaded from the cloud service are in JavaScript Object Notation (JSON) format. For more information about JSON, see http://www.json.org/.

Each log file contains multiple lines, with one request per line. Each line is enclosed in square brackets.

The following table describes the fields that comprise each request.

Field Description
DateAndTime The time that a request occurred on the proxy, in seconds in UNIX time.
AccountID The Forcepoint Web Security Cloud internal identifier for your account.
UserID The web user’s ID, usually their email address.
ClientIP The client’s external Internet IP address, shown in integer format. See Converting integer IP addresses to dot-decimal IPv4 format.
RequestCount The number of requests for a particular site. This will default to 1 per log entry.
RequestSize Size of the request in bytes.
ResponseSize Size of the response in bytes.
Disposition The disposition code of the request. For an explanation of the codes, see Disposition codes.
Categories A comma-separated list of category IDs. To see how the ID numbers relate to category names, go to https://sync-web.mailcontrol.com/hosted/categories?version=2. (Note that this URL is for logs generated with 2015 Release 1 and later. To see ID numbers and category names for logs generated prior to that release, go to https://sync-web.mailcontrol.com/hosted/categories.)
Protocol The protocol used in the request (for example, HTTP, HTTPS, or FTP).
Port The port number used for the request.
DestinationIP The IP of the requested address, shown in integer format. See Converting integer IP addresses to dot-decimal IPv4 format.
URI The full URL of the page requested by the user.
AnalyticID Defines the analytic applied to the request. Can be one of the following:

  • 1, 2 - Real-Time Security Scanning (RTSS)
  • 4, 5, 6 - Advanced Detection (AD)
  • 10 - Antivirus (AE)
  • 11 - Real-Time Classification (RTC)
  • 13 - Malicious iFrame Detection (MIDE)
  • 14 - Malicious PDF Detection (SPIE)
  • 15 - Advanced Secure Hash (ASH)
  • 18 - Meta-analytic Detection (ICE)
ReasonCode The reason code assigned to the request. For an explanation of the codes, see Reason codes.
ContentStripping This field is blank in this version of the log file.
ReasonString This is an internal signature ID string.
FileType One of the following groups: 'unknown', 'text', 'executable', 'image', 'multimedia', 'document', 'suspicious', 'archive', 'ria', 'mime'.
PolicyName Name of the policy used to filter the request.
ContentType Content-Type of the response. The default value is an empty string.
RemoteHost The host name of the origin server.
Method HTTP method used in the request.
ProxyTime The total delay, in milliseconds, due to filtering the transaction through the proxy.
OriginTime The time taken, in milliseconds, to receive the request from the origin server.
ResponseTime The total response time for the transaction, in milliseconds.