Symantec Access Management

  • 1.  Explore cipher log columns

    Posted Nov 13, 2018 03:23 PM

    Hello,

     

I need to better understand what kind of information is being logged by the CustomLog process on the SPS server.

     

    This is how my CustomLog is configured in the httpd-ssl.conf:

    LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b %D %k" sslLog

    CustomLog "|bin/rotatelogs.exe D:/Logs/apache/cipher.%Y-%m-%d.log 86400" sslLog

     

We've made a few customisations a long time ago (e.g. log folder, frequency, size, date format, etc.), but now I can't remember how and where we've configured it.

     

In this example, I know my request was processed without errors:

    [13/Nov/2018:14:25:26 -0500] 172.30.160.5 TLSv1 RC4-MD5 "HEAD /favicon.ico HTTP/1.1" 200 - 0 0

     

But in this case, I understand that I get an HTTP error 500 from the webserver, but I'd like to understand what each number that follows (1227, 78124, 0) means:

    [13/Nov/2018:14:25:26 -0500] 172.30.128.12 TLSv1 RC4-MD5 "GET /AnotherExemple/AnotherExemple/AnotherExemple HTTP/1.1" 500 1227 78124 0

     

    Could anyone give me a clue on how to identify the columns that are being logged in this case ("%r %>s %b %D %k")?

     

This is its output (example):

     

    [13/Nov/2018:14:25:26 -0500] 172.30.160.5 TLSv1 RC4-MD5 "HEAD /favicon.ico HTTP/1.1" 200 - 0 0
    [13/Nov/2018:14:25:26 -0500] 172.30.128.12 TLSv1 RC4-MD5 "GET /Exemple/Exemple/Exemple HTTP/1.1" 302 - 15615 0
    [13/Nov/2018:14:25:26 -0500] 172.30.128.12 TLSv1 RC4-MD5 "GET /AnotherExemple/AnotherExemple/AnotherExemple HTTP/1.1" 500 1227 78124 0
    [13/Nov/2018:14:25:34 -0500] 172.30.160.4 TLSv1 RC4-MD5 "HEAD /favicon.ico HTTP/1.1" 200 - 15637 0

     

    Best regards,



  • 2.  Re: Explore cipher log columns
    Best Answer

    Broadcom Employee
    Posted Nov 14, 2018 06:07 PM

The different attributes for the Apache log format are described here:

     

    mod_log_config - Apache HTTP Server Version 2.4 

     

    ("%r %>s %b %D %k")

    %r : First line of request.

%>s : Status. For requests that have been internally redirected, this is the status of the original request. Use %>s for the final status.

    %b : Size of response in bytes, excluding HTTP headers. In CLF format, i.e. a '-' rather than a 0 when no bytes are sent.

    %D : The time taken to serve the request, in microseconds.

%k : Number of keepalive requests handled on this connection. Interesting if KeepAlive is being used, so that, for example, a '1' means the first keepalive request after the initial one, '2' the second, etc.; otherwise this is always 0 (indicating the initial request).

     

    Cheers - Mark
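As an added worked example (editor's code, not part of either post and not from Broadcom or the Apache project), the following Python parser reads lines written by exactly the LogFormat from the question, maps each column to a named field, normalises the CLF '-' in %b to 0 bytes, converts %D from microseconds to milliseconds, and separates the 5xx entries. It also flags entries negotiated over TLSv1 or an RC4 suite, which the sample lines all show; treating those as weak is the editor's assumption, based on RFC 8996 (TLS 1.0/1.1 deprecated) and RFC 7465 (RC4 prohibited), not something the posts state. The sample log text is the four lines from the question, embedded inline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex for the post's LogFormat:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b %D %k"
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+'   # %t   request time, in square brackets
    r'(?P<host>\S+)\s+'           # %h   remote host (client IP here)
    r'(?P<protocol>\S+)\s+'       # %{SSL_PROTOCOL}x  negotiated protocol
    r'(?P<cipher>\S+)\s+'         # %{SSL_CIPHER}x    negotiated cipher suite
    r'"(?P<request>[^"]*)"\s+'    # %r   first line of the request
    r'(?P<status>\d{3})\s+'       # %>s  final HTTP status
    r'(?P<bytes>-|\d+)\s+'        # %b   body bytes, '-' in CLF when none sent
    r'(?P<micros>\d+)\s+'         # %D   time to serve the request, microseconds
    r'(?P<keepalive>\d+)\s*$'     # %k   keepalive request number on the connection
)

# Editor's assumption about what counts as weak (RFC 8996 / RFC 7465); not from the posts.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class SslLogEntry:
    time: str
    host: str
    protocol: str
    cipher: str
    method: str
    path: str
    http_version: str
    status: int
    body_bytes: int      # %b with '-' normalised to 0
    serve_ms: float      # %D converted from microseconds to milliseconds
    keepalive: int       # %k, 0 means the first request on the connection

    @property
    def weak_tls(self) -> bool:
        """True when the handshake used a deprecated protocol or an RC4 suite."""
        return self.protocol in WEAK_PROTOCOLS or "RC4" in self.cipher.upper()


def parse_line(line: str) -> Optional[SslLogEntry]:
    """Parse one line of the sslLog format; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # %r is "METHOD PATH VERSION"; pad so a bare '-' (malformed request) still unpacks.
    method, path, version = (m["request"].split(" ", 2) + ["", ""])[:3]
    return SslLogEntry(
        time=m["time"], host=m["host"], protocol=m["protocol"], cipher=m["cipher"],
        method=method, path=path, http_version=version,
        status=int(m["status"]),
        body_bytes=0 if m["bytes"] == "-" else int(m["bytes"]),
        serve_ms=int(m["micros"]) / 1000.0,
        keepalive=int(m["keepalive"]),
    )


def parse_log(text: str) -> List[SslLogEntry]:
    """Parse every matching line of a log file's text, skipping blanks and junk."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def server_errors(entries: List[SslLogEntry]) -> List[SslLogEntry]:
    """Entries whose final status (%>s) is 5xx."""
    return [e for e in entries if 500 <= e.status <= 599]


def weak_tls_entries(entries: List[SslLogEntry]) -> List[SslLogEntry]:
    """Entries negotiated with a deprecated protocol or RC4 cipher (see WEAK_PROTOCOLS)."""
    return [e for e in entries if e.weak_tls]


# Constructed sample: the four lines quoted in the question.
SAMPLE_LOG = """\
[13/Nov/2018:14:25:26 -0500] 172.30.160.5 TLSv1 RC4-MD5 "HEAD /favicon.ico HTTP/1.1" 200 - 0 0
[13/Nov/2018:14:25:26 -0500] 172.30.128.12 TLSv1 RC4-MD5 "GET /Exemple/Exemple/Exemple HTTP/1.1" 302 - 15615 0
[13/Nov/2018:14:25:26 -0500] 172.30.128.12 TLSv1 RC4-MD5 "GET /AnotherExemple/AnotherExemple/AnotherExemple HTTP/1.1" 500 1227 78124 0
[13/Nov/2018:14:25:34 -0500] 172.30.160.4 TLSv1 RC4-MD5 "HEAD /favicon.ico HTTP/1.1" 200 - 15637 0
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in server_errors(entries):
        print(f"{e.host} {e.method} {e.path}: status {e.status}, "
              f"{e.body_bytes} body bytes, {e.serve_ms:.3f} ms, keepalive #{e.keepalive}")
    print(f"{len(weak_tls_entries(entries))} of {len(entries)} requests used weak TLS settings")
```

On the question's third line this yields a 500 with a 1227-byte body that took 78.124 ms to serve on the first request of its connection; the '-' on the 302 line is reported as 0 bytes. Because the regex is anchored to this exact LogFormat, a changed directive (for instance adding %u or reordering fields) makes every line fail to match rather than silently shifting columns, which is the safer failure for a log that feeds alerting.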