Understanding TestLogServer output
When you run TestLogServer, the output includes the following information, if available.
Field | Description |
---|---|
Log Source | The component that sent the Internet request to Filtering Service |
Client Hostname | Hostname of the machine from which the request originated, if available. If a hostname is not available, the client IP address is displayed. |
SourceIP | IP address from which the request originated. This can be used to verify that Filtering Service is seeing traffic from specific machines. |
DestinationIP | IP address of the requested (target) URL. Incorrect or missing data can indicate DNS issues, which prevent proper filtering. |
server | IP address of the Filtering Service machine |
time | Exact time that the request was generated, as provided by the Filtering Service machine |
version | Version of the log record being processed (internal use only) |
disposition | Action applied to the request by Filtering Service. For example, category blocked, permitted by exception, continue user blocked, and so on. |
URL | The requested (target) URL |
protocol | The protocol (for example, HTTP, FTP) associated with the request. In the case of non-HTTP protocols, this value can indicate whether or not Filtering Service is classifying protocols correctly. |
port | The port number the connection attempted to use |
networkDirection | The direction of the network request (inbound or outbound) |
method | The HTTP method (get or post) |
contentType | Type of content specified in the record header |
category | Forcepoint URL Database or custom category assigned to the requested URL |
categoryReason | Reason the URL was categorized as it was (for example, defined in the Forcepoint URL Database, recategorized by content scanning, recategorized by custom URL, and so on) |
bytes sent | Number of bytes sent |
bytes received | Number of bytes received |
file name | Name of the file, if any, retrieved from the URL |
True File Type | The file type associated with the file, as confirmed by Content Gateway file type analysis (Forcepoint Web Security) |
roleId | The number assigned to the delegated administration role that assigned the policy applied to this request. The Super Administrator role ID number is 8. |
user | The name of the user making the request, if user identification or authentication is enabled and applied to the client IP address |
duration | Time, in milliseconds, it took to look up the site |
scan duration | Time, in milliseconds, it took Content Gateway to analyze the site (Forcepoint Web Security only) |
policyName | Name of the policy applied to the request |
keyword | The keyword, if any, used to recategorize and block a request |
If you have enabled SIEM integration in the Security Manager, an additional SIEM Results section appears in the TestLogServer output. The SIEM Results section includes the following information. Note that information provided by Content Gateway is available only with Forcepoint Web Security.
Field | Description |
---|---|
protocol version | Current version of the protocol used to send data to the SIEM integration |
server status code | HTTP status code sent from the origin server to Content Gateway |
proxy status code | HTTP status code sent from the Content Gateway proxy to the client machine |
client source port | Client ephemeral TCP source port |
client destination port | Client TCP destination port |
proxy source | IP address of the Content Gateway outbound interface |
proxy source port | Outbound ephemeral TCP port used by Content Gateway |
user agent | User agent string sent by the client browser or application. |
X-Forwarded-For | IP address of the client that originally sent the request, when the request passed through a client proxy, load balancer, or similar device. |
If the request was to a cloud application, an additional Cloud App Results section appears in the output. The Cloud App Results section includes the following information.
Field | Description |
---|---|
app id | Internal ID assigned to the cloud application. |
app name | Name of the requested cloud application. |
app risk level | Risk level (high, medium, or low) assigned to the cloud application. |
app category id | Internal ID assigned to the type of cloud application. |
app category name | Name of the cloud application type. |
The output for each request looks something like this:
```text
Log Source= Integration
Client Hostname= 192.168.3.50
SourceIp= 10.201.136.35
DestinationIp= 74.125.128.104
server= 10.201.136.130
time= Tue Jul 18 11:41:33 2017
version= 6
disposition= 1026 - Category Not Blocked
URL= http://www.google.com/
protocol= 1 - http
port= 80
networkDirection= Inbound
method= GET
contentType = text/html; charset=UTF-8
category= 76 - SEARCH ENGINES AND PORTALS
categoryReason= 1 - Master Database: URL
bytes sent= 647
bytes received= 24041
file name=
True File Type= 0 - None
roleId= 8
user= WinNT://QA/qauser
duration= 719 ms
scan duration= 0 ms
policyName= role-8**Default
SIEM Results
protocol version= 257
server status code= 200
proxy status code= 200
client source port=49372
client destination port= 8080
proxy source=10.201.136.130
proxy source port= 26615
user agent= Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
X-Forward For=
Cloud App Results
app id = 0
app name =
app risk level = 0
app category id = 0
app category name =
```
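The record layout is regular enough to turn into structured data, which is what you want when checking many records rather than reading them one at a time. The Python below is an added example, not Forcepoint's own code or tooling. It parses one record (a constructed sample that follows the printed format above, using the field names exactly as the output prints them, e.g. `SourceIp` and `X-Forward For`) into the main, SIEM Results and Cloud App Results sections, splits the `<code> - <label>` fields into pairs, re-joins a long value that has wrapped onto a continuation line, and then applies the checks the field descriptions suggest: a missing DestinationIP pointing at DNS trouble, a request with no identified user, a blocked disposition, and a populated X-Forwarded-For header meaning SourceIP is a proxy rather than the real client. The function names and the wording of the review notes are this example's own; the section headers and the "Blocked" / "Not Blocked" disposition wording are taken from the sample output.

```python
import re

# Constructed sample record in the documented TestLogServer format; the user
# agent value is wrapped onto a continuation line, as long printed values can be.
SAMPLE_RECORD = """\
Log Source= Integration
Client Hostname= 192.168.3.50
SourceIp= 10.201.136.35
DestinationIp= 74.125.128.104
server= 10.201.136.130
time= Tue Jul 18 11:41:33 2017
version= 6
disposition= 1026 - Category Not Blocked
URL= http://www.google.com/
protocol= 1 - http
port= 80
networkDirection= Inbound
method= GET
contentType = text/html; charset=UTF-8
category= 76 - SEARCH ENGINES AND PORTALS
categoryReason= 1 - Master Database: URL
bytes sent= 647
bytes received= 24041
file name=
True File Type= 0 - None
roleId= 8
user= WinNT://QA/qauser
duration= 719 ms
scan duration= 0 ms
policyName= role-8**Default
SIEM Results
protocol version= 257
server status code= 200
proxy status code= 200
client source port=49372
client destination port= 8080
proxy source=10.201.136.130
proxy source port= 26615
user agent= Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
6.1; WOW64; Trident/4.0)
X-Forward For=
Cloud App Results
app id = 0
app name =
app risk level = 0
app category id = 0
app category name =
"""
SECTION_HEADERS = {"SIEM Results": "siem", "Cloud App Results": "cloud_app"}
# Fields printed as "<numeric code> - <label>".
CODED_FIELDS = {"disposition", "protocol", "category", "categoryReason", "True File Type"}


def _convert(key, value):
    """Type the printed string where the format is unambiguous."""
    if key in CODED_FIELDS:
        m = re.fullmatch(r"(\d+)\s*-\s*(.*)", value)
        return (int(m.group(1)), m.group(2).strip()) if m else value
    m = re.fullmatch(r"(\d+)\s*ms", value)  # duration, scan duration
    if m:
        return int(m.group(1))
    return int(value) if value.isdigit() else value  # ports, bytes, status codes


def parse_record(text):
    """Parse one record into {'main': {...}, 'siem': {...}, 'cloud_app': {...}}."""
    sections = {"main": {}, "siem": {}, "cloud_app": {}}
    current, last_key = "main", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current, last_key = SECTION_HEADERS[line], None
            continue
        if "=" not in line and last_key is not None:
            # A wrapped value continues here: re-join it with a single space.
            sections[current][last_key] = f"{sections[current][last_key]} {line}"
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        sections[current][key] = _convert(key, value)
        last_key = key
    return sections


def is_blocked(record):
    disp = record["main"].get("disposition")
    label = disp[1] if isinstance(disp, tuple) else str(disp or "")
    return "Blocked" in label and "Not Blocked" not in label


def review_record(record):
    """Checks a defender reads off a record first; an empty list means nothing odd."""
    main, siem, notes = record["main"], record["siem"], []
    if not main.get("DestinationIp"):
        notes.append("DestinationIp missing: check DNS resolution on the Filtering Service host")
    if not main.get("user"):
        notes.append("no user identified: policy was selected by client IP only")
    if is_blocked(record):
        notes.append(f"blocked by policy {main.get('policyName')}: {main['disposition'][1]}")
    xff = siem.get("X-Forward For") or siem.get("X-Forwarded-For")
    if xff:
        notes.append(f"request arrived via a proxy/load balancer; originating client is {xff}")
    return notes
```

`parse_record(SAMPLE_RECORD)` returns the three sections with typed values (`port` as `80`, `disposition` as `(1026, "Category Not Blocked")`, the user agent re-joined into one string), and `review_record` on that record returns an empty list because nothing in it is unusual. The continuation rule is deliberately simple (a line with no `=` extends the previous value); a wrapped fragment that itself contains `=` would need a list of known field names to disambiguate.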