Auto-discover log formats

Content Security Reporter supports some auto-discover log formats. However, some modifications to the log file headers might be necessary to correctly parse the data.

The following tables provide necessary header modifications for the available auto-discover log formats:

  • Blue Coat
  • McAfee Web Gateway

Table 1: Blue Coat header formats

This table provides information on Blue Coat log file headers used in Content Security Reporter and the necessary modifications to correctly parse the data. Some cells remain intentionally empty.

| Format in extended log file | Custom | Content policy language | Description |
|---|---|---|---|
| c-ip | %a | | IP address of the client. |
| cs-bytes | | | Number of bytes sent from client to appliance. |
| cs-categories | | | All content categories of the request URL. |
| cs-categories-bluecoat | | | All content categories of the request URL that are defined by Blue Coat Web Filter. |
| cs-categories-external | | | All content categories of the request URL that are defined by an external service. |
| cs-categories-local | | | All content categories of the request URL that are defined by a local database. |
| cs-categories-policy | | | All content categories of the request URL that are defined by CPL. |
| cs-categories-provider | | | All content categories of the request URL that are defined by the current third-party provider. |
| cs-categories-qualified | | | All content categories of the request URL, qualified by the provider of the category. |
| cs-category | | | Single content category of the request URL (such as sc-filter-category). |
| cs-host | %v | | Host name from the client’s request URL. If URL rewrite policies are used, this field’s value is derived from the log URL. |
| cs-method | | | Request method used from client to appliance. |
| cs-request-line | | | First line of the client’s request. |
| c-dns | %h | | Host name of the client (using the client’s IP address to avoid reverse DNS). |
| cs-uri | | url | Original URL requested |
| cs-uri | | log_url | The log URL |
| cs-uri-address | | url.address | IP address from the original URL requested. DNS is used if the URL is expressed as a host name |
| cs-uri-address | | log_url.address | IP address from the log URL. DNS is used if URL uses a host name |
| cs-uri-categories | | | All content categories of the request URL. |
| cs-uri-categories-bluecoat | | | All content categories of the request URL that are defined by Blue Coat Web Filter. |
| cs-uri-categories-external | | | All content categories of the request URL that are defined by an external service. |
| cs-uri-categories-local | | | All content categories of the request URL that are defined by a local database. |
| cs-uri-categories-policy | | | All content categories of the request URL that are defined by CPL. |
| cs-uri-categories-provider | | | All content categories of the request URL that are defined by the current third-party provider. |
| cs-uri-categories-qualified | | | All content categories of the request URL, qualified by the provider of the category. |
| cs-uri-category | | | Single content category of the request URL (such as sc-filter-category). |
| cs-uri-host | | url.host | Host name from the original URL requested |
| cs-uri-host | | log_url.host | Host name from the log URL |
| cs-uri-hostname | | url.hostname | Host name from the original URL requested. RDNS is used if the URL is expressed as an IP address |
| cs-uri-hostname | | log_url.hostname | Host name from the log URL. RDNS is used if the URL uses an IP address |
| cs-uri-path | | url.path | Path of the original URL requested without query |
| cs-uri-path | %U | | Path from the log URL without query |
| cs-uri-pathquery | | url.pathquery | Path and query of the original URL requested |
| cs-uri-pathquery | | log_url.pathquery | Path and query from the log URL |
| cs-uri-port | | url.port | Port from the original URL requested |
| cs-uri-port | | log_url.port | Port from the log URL |
| cs-uri-query | | url.query | Query from the original URL requested |
| cs-uri-query | %Q | | Query from the log URL |
| cs-uri-scheme | | url.scheme | Scheme of the original URL requested |
| cs-uri-scheme | | log_url.scheme | Scheme from the log URL |
| cs-uri-stem | | | Stem of the original URL requested; stem from the log URL. Note: The stem includes everything up to the end path, but does not include the query. |
| cs-user | %u | | Qualified user name for NTLM; relative user name for other protocols. |
| cs-userdn | | | Full user name of a client authenticated to the proxy (fully distinguished). |
| cs-username | | | Relative user name of a client authenticated to the proxy (not fully distinguished). |
| date | %x | date.utc | GMT date in YYYY-MM-DD format. |
| gmttime | %t | | GMT date and time of the user request in [DD/MM/YYYY:hh:mm:ss GMT] format. |
| localtime | %L | | Local date and time of the user request in [DD/MMM/YYYY:hh:mm:ss +nnnn] format. |
| rs(Content-Type) | %c | response.header.Content-Type | Response header: Content-type. |
| sc-bodylength | | | Number of bytes in the body (excludes header) sent from appliance to client. |
| sc-bytes | %b | | Number of bytes sent from appliance to client. |
| sc-filter-category | %f | | Content filtering category of the request URL. |
| sc-filter-result | %W | | Content filtering result: Denied, Proxied, or Observed. |
| sc-headerlength | | | Number of bytes in the header sent from appliance to client. |
| sc-status | %s | | Protocol status code from appliance to client. |
| time | %y | time.utc | UTC (GMT) time in HH:MM:SS format. |
| timestamp | %g | | Unix type time stamp. |
| x-cache-user | | | Relative user name of a client authenticated to the proxy (not fully distinguished, same as cs-username). |
| x-client-address | | | IP address of the client. |
| x-client-ip | | | IP address of the client. |
| x-cs-dns | | client.host | The host name of the client obtained through reverse DNS. |
| x-cs-http-method | | http.method | HTTP request method used from client to appliance. Empty for non-HTTP transactions. |
| x-cs-user-authorization-name | | user.authorization_name | User name used to authorize a client authenticated to the proxy. |
| x-cs-user-credential-name | | user.credential_name | User name entered by the user to authenticate to the proxy. |
| x-cs-user-login-address | | user.login.address | The IP address that the user was authenticated in. |
| x-cs-username-or-ip | | | Used to identify the user using either their authenticated proxy user name, or if that is unavailable, their IP address. |
| x-sc-http-status | | http.response.code | HTTP response code sent from appliance to client. |
| x-virus-id | | icap_virus_id | Identifier of a virus if one was detected. |

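
A pre-import check for the Blue Coat field names in Table 1, as an added example that is not part of the original page or of Content Security Reporter: it reads the header of an extended log file, lists any field names that do not appear in Table 1 so the header can be reviewed, and maps a data line onto the header. It assumes the log carries a W3C extended log file `#Fields:` directive and uses `-` for an empty value; the function names and the sample log are constructed for illustration.

```python
import re

# Field names taken from Table 1 (Blue Coat) on this page.
_CAT = ["categories" + s for s in ("", "-bluecoat", "-external", "-local",
                                   "-policy", "-provider", "-qualified")] + ["category"]
_URI = "address host hostname path pathquery port query scheme stem".split()
SUPPORTED = set("""
c-ip cs-bytes cs-host cs-method cs-request-line c-dns cs-uri cs-user cs-userdn
cs-username date gmttime localtime rs(Content-Type) sc-bodylength sc-bytes
sc-filter-category sc-filter-result sc-headerlength sc-status time timestamp
x-cache-user x-client-address x-client-ip x-cs-dns x-cs-http-method
x-cs-user-authorization-name x-cs-user-credential-name x-cs-user-login-address
x-cs-username-or-ip x-sc-http-status x-virus-id
""".split())
SUPPORTED |= {f"{p}-{c}" for p in ("cs", "cs-uri") for c in _CAT}
SUPPORTED |= {f"cs-uri-{u}" for u in _URI}

# A value is either a double-quoted string (may contain spaces) or a bare token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def check_header(lines):
    """Return (fields, names_not_in_table_1) from the first '#Fields:' directive."""
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            return fields, [f for f in fields if f not in SUPPORTED]
    raise ValueError("no #Fields: directive found")


def parse_record(fields, line):
    """Map one data line to {field: value}; '-' (no value) becomes None."""
    values = [bare if bare else quoted for quoted, bare in _TOKEN.findall(line)]
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} values, got {len(values)}")
    return {f: (None if v == "-" else v) for f, v in zip(fields, values)}


# Constructed sample log (not taken from a real appliance).
SAMPLE = [
    "#Version: 1.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-scheme cs-host "
    "cs-uri-path sc-status sc-filter-result cs(User-Agent) s-ip",
    '2024-01-15 10:22:31 10.0.0.5 - GET http example.test /index.html 200 '
    'OBSERVED "Mozilla/5.0 (X11; Linux)" 10.0.0.1',
]
```

A record whose value count differs from the header raises `ValueError`, which catches a header that was edited without matching the data lines.
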
Table 2: McAfee Web Gateway header formats

This table provides information on McAfee Web Gateway log file headers used in Content Security Reporter and the necessary modifications to correctly parse the data.

| Header | Description |
|---|---|
| "attribute" | URL categories. |
| "auth_user" | Client user name. |
| "auth_user_anonymous" | Anonymous user name. |
| block_res | Filtering action. |
| bytes_to_client | Number of bytes written to the client. |
| bytes_from_client | Number of bytes received from the client. |
| bytes_to_server | Number of bytes sent to the web server from McAfee Web Gateway. |
| bytes_from_server | Number of bytes received from the web server. |
| "categories" | URL categories. |
| elapsed_time | Time to process request. |
| "media_type" | Content-type header. |
| "profile" | Skipped. |
| "referer" | Referer. |
| "rep_level" | Reputation of the URL. |
| "req_line" | Request. |
| src_host | Client host name. |
| src_ip | Client IP address. |
| status_code | HTTP status code. |
| time_stamp | Time of request. |
| unix_epoch | UNIX time stamp. |
| "user_agent" | Client user agent. |
| "virus_name" | Name of virus found in the request. |