The Web proxy audit log provides detailed information about connection activity, including a list of users accessing your network and the amount of data transferred.
The /var/log/aventail/extraweb_access.log file messages are stored in the World Wide Web Consortium (W3C) Common Log Format (CLF). See http://httpd.apache.org/docs/logs.html for more information on CLF logs. The log message has these parameters:
[source-ip] [identity] [shortname@realm] [longname] [date/time] "[request]" [HTTP return code]
[bytes-sent] [imei]
The following is a sample network proxy/tunnel service audit log file entry:
192.168.200.162 - (extranetuser)@(Translation) (uid=extranetuser,ou=Users,dc=indigo,dc=com) [31/Mar/2017:09:08:09 -0700] "GET http://127.0.0.1:455/postauth/interrogator/AventailComponents.exe HTTP/1.1" 200 536016 "-"
The log entries contain the fields (separated by spaces) shown in the Web Proxy audit log fields table.
Field | Description |
--- | --- |
source-IP | IP address of the computer accessing the Web proxy service (this field may contain a translated address if NAT is in use). Example: |
identity | This field is not used by the Web proxy service; it always contains a dash (-). |
shortname@realm | If the user has logged in, this field displays the user's name and login realm in the form ( If a user has not yet authenticated or is accessing content that does not require authentication (such as the WorkPlace login page), this field contains a dash (-). In cases where no authentication is used (that is, the Authentication server for the realm in AMC is set to None), this field contains anonymous-user. Example: |
longname | If the user has logged in, this field displays the user's long name. LDAP and Active Directory usernames are displayed using a DN. Other usernames are displayed using a CN. If a user has not yet authenticated or is accessing content that does not require authentication (such as the WorkPlace login page), this field contains a dash (-). Example: |
date/time | The date and time at which the request was received by the appliance. Example: |
request | First line of the HTTP request, containing the HTTP command (such as Example: |
HTTP-return-code | The server responds with one of the following return codes: For more information on these codes, see http://www.ietf.org/rfc/rfc2616.txt. |
bytes-sent | Number of bytes sent in the body of the response (this does not include the size of the HTTP headers). |
imei | Every mobile phone is assigned a unique, 15-digit IMEI code that indicates information like the manufacturer, model type, and country of approval. The IMEI can be displayed on most phones by dialling Example: |
Examples
If an authentication attempt fails, for example because the user enters an invalid username or password, a single message appears in the log with a return code of 200 (OK), indicating that the client request was understood. Notice that the source IP address in the message is the only way for you to identify who made the request:
192.168.2.69 - - [26/Feb/2017:21:43:30 +0000] "POST /__extraweb__authen HTTP/1.1" 200 3610 352711-01-521146-5
For a successful authentication, a similar message appears, but with a return code of 302 (Found). It is immediately followed by another message that contains the user's authentication credentials and a return code of 200:
192.168.2.69 - - [26/Feb/2017:21:44:25 +0000] "POST /__extraweb__authen HTTP/1.1" 302 206 352711-01-521146-5
192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:44:25 +0000] "GET /workplace/access/home HTTP/1.1" 200 15424
If a user successfully authenticates, but is denied access to a Web resource by an access rule, a message containing a return code of 403 (Forbidden) is logged:
192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:52:25 +0000] "GET /dukes HTTP/1.1" 403 3358 352711-01-521146-5
If a user successfully authenticates and is permitted to access a URL, a message appears that is identical to the one for a failed authentication (a return code of 200), except that this one includes the user's credentials:
192.168.2.69 - (jdoe)@(AD) [26/Feb/2017:21:51:03 +0000] "GET /dukes HTTP/1.1" 200 262 352711-01-521146-5
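The field table above and the four log examples that follow it describe the layout well enough to parse extraweb_access.log mechanically. The following is an added example (not code from the product documentation or from the appliance) that parses the page's own sample entries and applies the outcome rules stated above: a POST to /__extraweb__authen with a 200 is a failed login, a 302 on that path is a successful login, and a 403 is an access rule denial. Because the page's samples sometimes omit the longname and imei fields, the parser treats both as optional; that optionality, the login path constant and the sample lines are assumptions taken from the examples shown here, not from a product specification.

```python
import re
from collections import Counter
from datetime import datetime

# Field order documented for extraweb_access.log:
# [source-ip] [identity] [shortname@realm] [longname] [date/time] "[request]"
# [HTTP return code] [bytes-sent] [imei]
# Assumption: longname and imei are optional (they are absent in some of the
# page's samples); imei appears either as a bare value or as a quoted dash "-".
LINE_RE = re.compile(
    r'^(?P<source_ip>\S+) '
    r'(?P<identity>\S+) '
    r'(?P<user>-|anonymous-user|\([^)]*\)@\([^)]*\)) '
    r'(?:(?P<longname>\([^)]*\)) )?'
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) '
    r'(?P<bytes_sent>\d+|-)'
    r'(?: (?P<imei>"-"|\S+))?$'
)

# Login endpoint seen in the page's authentication examples (assumed constant).
AUTH_PATH = "/__extraweb__authen"

# Sample entries constructed from the page's examples, each joined onto one line.
SAMPLE_LOG = """\
192.168.200.162 - (extranetuser)@(Translation) (uid=extranetuser,ou=Users,dc=indigo,dc=com) [31/Mar/2017:09:08:09 -0700] "GET http://127.0.0.1:455/postauth/interrogator/AventailComponents.exe HTTP/1.1" 200 536016 "-"
192.168.2.69 - - [26/Feb/2017:21:43:30 +0000] "POST /__extraweb__authen HTTP/1.1" 200 3610 352711-01-521146-5
192.168.2.69 - - [26/Feb/2017:21:44:25 +0000] "POST /__extraweb__authen HTTP/1.1" 302 206 352711-01-521146-5
192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:44:25 +0000] "GET /workplace/access/home HTTP/1.1" 200 15424
192.168.2.69 - (jsmith)@(AD) [26/Feb/2017:21:52:25 +0000] "GET /dukes HTTP/1.1" 403 3358 352711-01-521146-5
192.168.2.69 - (jdoe)@(AD) [26/Feb/2017:21:51:03 +0000] "GET /dukes HTTP/1.1" 200 262 352711-01-521146-5
"""


def parse_line(line):
    """Parse one audit log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["bytes_sent"] = 0 if ev["bytes_sent"] == "-" else int(ev["bytes_sent"])
    ev["timestamp"] = datetime.strptime(ev["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    # A quoted dash means "no IMEI"; represent it the same way as a missing field.
    if ev["imei"] == '"-"':
        ev["imei"] = None
    parts = ev["request"].split()
    ev["method"] = parts[0] if parts else ""
    ev["path"] = parts[1] if len(parts) > 1 else ""
    return ev


def classify(ev):
    """Map a parsed event to the outcomes the documentation describes."""
    if ev["path"] == AUTH_PATH:
        if ev["status"] == 302:
            return "auth_success"
        if ev["status"] == 200:
            return "auth_failure"   # a failed login is still answered with 200
    if ev["status"] == 403:
        return "access_denied"      # authenticated, but blocked by an access rule
    return "access"


def summarize(log_text):
    """Count failed logins per source IP (the only identifier a failed login
    carries) and access-rule denials per authenticated user."""
    failed_by_ip = Counter()
    denied_by_user = Counter()
    outcomes = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                # skip lines that do not fit the layout
        kind = classify(ev)
        outcomes.append(kind)
        if kind == "auth_failure":
            failed_by_ip[ev["source_ip"]] += 1
        elif kind == "access_denied":
            denied_by_user[ev["user"]] += 1
    return {"outcomes": outcomes,
            "failed_by_ip": dict(failed_by_ip),
            "denied_by_user": dict(denied_by_user)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running the block over the sample prints one failed login attributed to 192.168.2.69 and one denial for (jsmith)@(AD); a real deployment would feed the file's lines into summarize() and alert on a source IP whose auth_failure count rises over a short window, since that is the only handle the log offers for unauthenticated clients.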