17.1.2. Web access log format

| Field type | Field name | Description | Example value |
|---|---|---|---|
| CEF header | CEF:Version | CEF version. | CEF:0 |
| CEF header | Device Vendor | Product vendor. | UserGate |
| CEF header | Device Product | Product type. | NGFW |
| CEF header | Device Version | Product version. | 7 |
| CEF header | Source | Log name. | webaccess |
| CEF header | Name | Source type. | log |
| CEF header | Threat Level | Threat level for the URL category. | Available values: 2, 4, 6, 8, 10 (the set threat level multiplied by 2); Unknown, if no category is defined. |
| CEF [extension] | rt | Time when the event was received (in milliseconds since January 1, 1970). | 1652344423822 |
| CEF [extension] | deviceExternalId | A unique name of the device which generated the event. | utmcore@ersthetatica |
| CEF [extension] | act | Action taken by the device according to the configured policies. | captive |
| CEF [extension] | reason | The reason why the event was created, e.g. the reason for the site block. | {"id":39,"name":"Social Networking","threat_level":3} |
| CEF [extension] | suser | User name. | user_example (Unknown, if the user is unknown) |
| CEF [extension] | cs1Label | Indicates that a rule was triggered. | Rule |
| CEF [extension] | cs1 | Name of the rule triggered to cause the event. | Default Allow |
| CEF [extension] | src | Traffic source IPv4 address. | 10.10.10.10 |
| CEF [extension] | spt | Source port. | Values: 0-65535. |
| CEF [extension] | cs2Label | Indicates the source zone. | Source Zone |
| CEF [extension] | cs2 | Source zone name. | Trusted |
| CEF [extension] | cs3Label | Indicates the source country. | Source Country |
| CEF [extension] | cs3 | Source country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | dst | IPv4 address of the traffic destination. | 194.226.127.130 |
| CEF [extension] | dpt | Destination port. | Values: 0-65535. |
| CEF [extension] | cs4Label | Indicates the destination zone. | Destination Zone |
| CEF [extension] | cs4 | Destination zone name. | Untrusted |
| CEF [extension] | cs5Label | Indicates the destination country. | Destination Country |
| CEF [extension] | cs5 | Destination country name. | AE (a two-letter country code is displayed) |
| CEF [extension] | cs6Label | Indicates if the content was decrypted. | Decrypted |
| CEF [extension] | cs6 | Decrypted or not. | true, false |
| CEF [extension] | app | Application layer protocol and its version. | HTTP/1.1 |
| CEF [extension] | requestMethod | Method used to access the URL address (POST, GET, etc.). | GET |
| CEF [extension] | request | In the case of an HTTP request, the field contains the URL of the requested resource and the protocol used. | http://www.secure.com |
| CEF [extension] | requestContext | Request source URL (HTTP referrer). | https://www.google.com/ |
| CEF [extension] | requestClientApplication | Browser user agent. | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 |
| CEF [extension] | cn3Label | Specifies the server's original response. | Response |
| CEF [extension] | cn3 | HTTP status code. | 302 |
| CEF [extension] | flexString1Label | Refers to the content type. | Media type |
| CEF [extension] | flexString1 | Content type. | text/html |
| CEF [extension] | flexString2Label | Indicates the category of the requested URL. | URL Categories |
| CEF [extension] | flexString2 | URL category. | Computers & Technology |
| CEF [extension] | in | Number of transmitted inbound bytes (data transferred from the source to the destination). | 231 |
| CEF [extension] | out | Number of transmitted outbound bytes (data transferred from the destination to the source). | 40 |
| CEF [extension] | cn1Label | Indicates the number of packets transmitted from the source to the destination. | Packets sent |
| CEF [extension] | cn1 | Number of packets transmitted from the source to the destination. | 3 |
| CEF [extension] | cn2Label | Indicates the number of packets transmitted from the destination to the source. | Packets received |
| CEF [extension] | cn2 | Number of packets transmitted from the destination to the source. | 1 |
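Added example, not from the UserGate documentation: a Python parser for a web access record in this format that pairs each csN/cnN/flexStringN value with its Label field and recovers the configured threat level from the header. The sample line is constructed from the table's example values (the port numbers and the escaped query string are made up), and its layout is assumed to follow generic CEF pipe and key=value syntax.

```python
import json
import re

# Constructed sample record; the on-wire layout (field order, escaping)
# is assumed to follow generic CEF and is not taken from the page.
SAMPLE = (
    "CEF:0|UserGate|NGFW|7|webaccess|log|6|rt=1652344423822 "
    "deviceExternalId=utmcore@ersthetatica act=captive "
    'reason={"id":39,"name":"Social Networking","threat_level":3} '
    "suser=user_example cs1Label=Rule cs1=Default Allow src=10.10.10.10 spt=51515 "
    "cs2Label=Source Zone cs2=Trusted dst=194.226.127.130 dpt=80 "
    "cs6Label=Decrypted cs6=false app=HTTP/1.1 requestMethod=GET "
    "request=http://www.secure.com/?q\\=1 cn3Label=Response cn3=302 "
    "flexString2Label=URL Categories flexString2=Social Networking in=231 out=40"
)
HEADER = ("version", "vendor", "product", "device_version", "source", "name", "threat_level")
# A value runs until the next " key=" token, so values may contain spaces.
PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)

def unescape(value, special):
    # CEF escapes the delimiter and the backslash itself with a backslash.
    return re.sub(r"\\([\\%s])" % re.escape(special), r"\1", value)

def parse_webaccess(line):
    start = line.find("CEF:")  # skip any syslog prefix in front of the record
    if start < 0:
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    event = {k: unescape(v, "|") for k, v in zip(HEADER, parts)}
    ext = {k: unescape(v.strip(), "=") for k, v in PAIR.findall(parts[7])}
    # Re-key csN/cnN/flexStringN values under the name given by their *Label field.
    for key in [k for k in ext if k.endswith("Label")]:
        label, base = ext.pop(key), key[:-5]
        if base in ext:
            ext[label] = ext.pop(base)
    # Header Threat Level is the configured level times 2, or "Unknown".
    level = event["threat_level"]
    event["configured_threat_level"] = int(level) // 2 if level.isdigit() else None
    if ext.get("reason", "").startswith("{"):
        ext["reason"] = json.loads(ext["reason"])
    event.update(ext)
    return event
```

All extension values are returned as strings except `reason`, which is decoded when it carries a JSON object.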