Chapter 12. Proxy Reports

Table of Contents

Supported Log Format
Microsoft Internet Security and Acceleration Server
Squid
WebTrends Enhanced Format
Reports' Descriptions and Configuration
Bytes by Cache Result
Bytes by Object's Source
Bytes Transferred By Period Proxy Report
Bytes Transferred By Timeslot Proxy Report
Client Summary Proxy Report
Requests Summary Proxy Report
Requests by Cache Result
Requests By Period Proxy Report
Requests By Size Proxy Report
Number of Requests By Timeslot Proxy Report
Requests By Request's Time Proxy Report
Top Clients by Destinations Proxy Report
Top Destinations by Number of Requests
Top Destinations by Bytes Downloaded
Top Destinations by Clients
Top Destinations by Users Proxy Report
Top Users by Destinations Proxy Report
Top MIME types by Transferred Size
Top Users by Bytes Proxy Report
Top URLs by Users Proxy Report
User Summary Proxy Report
Filters' Descriptions and Configuration
Select Cache Result Filter

Supported Log Format

Lire supports three different proxy log file formats, which lets it handle a wide range of products.

Microsoft Internet Security and Acceleration Server

That product uses a format derived from the W3C Extended Log Format, which is defined at http://www.w3.org/TR/WD-logfile.html. Information about the way Microsoft Internet Security and Acceleration Server uses that format can be found on the product's website.

The format of

Lire can use the following fields of the format: date, time, c-ip, c-host, cs-username, c-agent, time-taken, r-ip, r-host, sc-status, sc-protocol, sc-operation, s-object-source, sc-operation, rule#1, rule#2 and cs-mime-type. The other fields will be ignored.

Example 12.1. Microsoft Internet Security and Acceleration Server Log Sample


#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2002-01-16 07:00:01
#Fields: c-ip	cs-username	c-agent	date	time	s-computername \
    cs-referred	r-host	r-ip	r-port	time-taken	cs-bytes\
    sc-bytes cs-protocol	s-operation	cs-uri s-object-source	\
    sc-status
10.0.0.1	anonymous	Mozilla/4.0 (compatible; MSIE 5.0; Win32)\
    2002-01-16	07:00:01	GRO1SYX01	-	-	-	-\
    -	155	2569	-	GET	-	-	200 \
10.0.0.1	anonymous	Outlook Express/5.0 \
    (MSIE 5.0; Windows 98; DigExt)	2002-01-16	07:00:04 \
    GRO1SYX01	-	1.example.com	
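
The #Fields directive decides the column order, so a reader of this format has to build its column map from the header rather than assume fixed positions. The sketch below is an added example in Python, not code from Lire; the sample log is constructed in the shape of Example 12.1, and the s-object-source values in it are illustrative.

```python
# Fields the chapter lists as usable by Lire; any other column is dropped.
USED_FIELDS = {
    "date", "time", "c-ip", "c-host", "cs-username", "c-agent", "time-taken",
    "r-ip", "r-host", "sc-status", "sc-protocol", "sc-operation",
    "s-object-source", "rule#1", "rule#2", "cs-mime-type",
}

def _row(*cols):
    return "\t".join(cols)

# Constructed sample in the shape of Example 12.1 (values are illustrative).
SAMPLE = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2000",
    "#Version: 1.0",
    "#Date: 2002-01-16 07:00:01",
    "#Fields: " + _row("c-ip", "cs-username", "c-agent", "date", "time",
                       "s-computername", "r-host", "s-object-source", "sc-status"),
    _row("10.0.0.1", "anonymous", "Mozilla/4.0 (compatible; MSIE 5.0; Win32)",
         "2002-01-16", "07:00:01", "GRO1SYX01", "1.example.com", "Inet", "200"),
    _row("10.0.0.1", "anonymous", "Outlook Express/5.0 (MSIE 5.0; Windows 98; DigExt)",
         "2002-01-16", "07:00:04", "GRO1SYX01", "-", "Cache", "200"),
    _row("10.0.0.1", "anonymous", "Outlook Express/5.0"),  # truncated record
])

def parse_w3c(text, keep=USED_FIELDS):
    """Return (records, rejected); column order comes from the #Fields directive."""
    fields, records, rejected = None, [], 0
    for line in text.splitlines():
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = value.split()      # a later directive may change the layout
            continue
        if not line.strip():
            continue
        values = line.split("\t")           # tabs only: c-agent contains spaces
        if fields is None or len(values) != len(fields):
            rejected += 1                   # no header yet, or wrong column count
            continue
        records.append({f: (None if v == "-" else v)
                        for f, v in zip(fields, values) if f in keep})
    return records, rejected
```

Counting rejected lines instead of silently dropping them makes a truncated or rotated log visible in the resulting report.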

	    

Squid

Lire can process Squid's native access log.

Example 12.2. Squid Log Sample


1011164724.171   1337 10.0.0.1 TCP_MISS/200 20110 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
1011164724.965    740 10.0.0.1 TCP_MISS/200 26461 GET \
    http://www.ia.hiof.no/informatikk/forelesning/historie/historie.html \
    - DIRECT/10.0.0.3 text/html
1011164727.626   2580 10.0.0.1 TCP_MISS/200 111927 GET \
    http://www.ia.hiof.no/informatikk/forelesning/historie/transistor.jpg \
    - DIRECT/10.0.0.3 image/jpeg
1011164731.619    687 10.0.0.1 TCP_MISS/200 18191 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
1011164734.972   3282 10.0.0.1 TCP_MISS/200 29595 GET \
    http://www.hillnews.com/restaurants/rst_tosca.shtm - \
    DIRECT/10.0.0.4 text/html
1011164735.482    467 10.0.0.1 TCP_MISS/200 7839 GET \
    http://www.hillnews.com/global/banner_logo.gif - \
    DIRECT/10.0.0.4 image/gif
1011164740.163   1004 10.0.0.1 TCP_MISS/200 19580 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
1011164741.905   1687 10.0.0.1 TCP_MISS/200 17383 GET \
    http://www.charlotteregional.com/speech.html - DIRECT/10.0.0.5 text/html
1011164742.214    275 10.0.0.1 TCP_MISS/200 8001 GET \
    http://www.charlotteregional.com/images/st2.jpg - \
    DIRECT/10.0.0.5 image/jpeg
1011164745.891    716 10.0.0.1 TCP_MISS/200 18796 GET \
    http://images.google.com/images? - DIRECT/10.0.0.2 text/html
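
Each native record has ten whitespace-separated fields, and the fourth combines the cache result with the HTTP status. The sketch below is an added example in Python, not code from Lire: it parses such records and totals requests and bytes per cache result, the grouping used by the "Bytes by Cache Result" report. The sample is constructed, and its records are written one per line, as they appear in a real log file.

```python
from collections import defaultdict

# Constructed sample: line 1 is the chapter's first record on a single line;
# the TCP_HIT and TCP_DENIED records and the junk line are invented.
SAMPLE = """\
1011164724.171   1337 10.0.0.1 TCP_MISS/200 20110 GET http://images.google.com/images? - DIRECT/10.0.0.2 text/html
1011164727.626     12 10.0.0.1 TCP_HIT/200 111927 GET http://www.ia.hiof.no/informatikk/forelesning/historie/transistor.jpg - NONE/- image/jpeg
1011164731.619      3 10.0.0.7 TCP_DENIED/403 1500 GET http://www.hillnews.com/ - NONE/- text/html
this line is not a squid record
"""

def parse_squid(line):
    """Parse one native access.log record; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None
    result, sep1, status = parts[3].partition("/")   # e.g. TCP_MISS/200
    hierarchy, sep2, peer = parts[8].partition("/")  # e.g. DIRECT/10.0.0.2
    if not (sep1 and sep2):
        return None
    try:
        return {
            "time": float(parts[0]),        # seconds since the epoch
            "elapsed_ms": int(parts[1]),
            "client": parts[2],
            "cache_result": result,
            "status": int(status),
            "bytes": int(parts[4]),
            "method": parts[5],
            "url": parts[6],
            "user": None if parts[7] == "-" else parts[7],
            "hierarchy": hierarchy,
            "peer": None if peer == "-" else peer,
            "mime": parts[9],
        }
    except ValueError:
        return None

def bytes_by_cache_result(text):
    """Return ({cache_result: {"requests": n, "bytes": b}}, skipped_lines)."""
    totals, skipped = defaultdict(lambda: {"requests": 0, "bytes": 0}), 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_squid(line)
        if rec is None:
            skipped += 1
            continue
        totals[rec["cache_result"]]["requests"] += 1
        totals[rec["cache_result"]]["bytes"] += rec["bytes"]
    return dict(totals), skipped
```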

	    

WebTrends Enhanced Format

The WELF format was developed by WebTrends and is supported by many firewall vendors. Products can save log files in that format directly or can log through syslog. Lire can process either native WELF log files or syslog log files that contain WELF information. This format can be used by packet-filter firewalls, proxies or network intrusion detection devices. Lire will only process records that are related to proxy services (either an application proxy such as a web proxy, or a transport proxy such as one for the telnet protocol).

Example 12.3. WELF Log Sample


WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
    arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898
WTsyslog[1998-08-01 00:04:12 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
    arg=/selfupd/x86/en/CUNPROT2.CAB op=GET result=304 sent=853
WTsyslog[1998-08-01 00:04:23 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 00:09:03" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
    arg=/R510/v31content/90820/0x00000409.gng op=GET result=304 sent=2983
WTsyslog[1998-08-01 03:02:03 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 03:06:43" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.2 dst=10.0.0.4 dstname=2.example.com arg=/ op=POST \
    result=200 sent=2195
WTsyslog[1998-08-01 16:25:33 ip=10.0.0.1 pri=6] id=firewall \
    time="1998-08-01 06:30:09" fw=WebTrendsSample pri=6 proto=http \
    src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com \
    arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036
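
A WELF record is a run of key=value pairs in which a value may be double-quoted and contain spaces, and a relayed record carries a WTsyslog[...] prefix with pairs of its own. The sketch below is an added example in Python, not code from Lire: it parses both forms and totals bytes per destination for proxy records only. The rule used to recognise a proxy record (the presence of proto and op fields) is an assumption of this example, not Lire's documented behaviour.

```python
import re

# A value is either double-quoted (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Constructed sample: records 1 and 2 are adapted from the chapter's example
# (joined onto one line, record 2 without its syslog prefix); record 3 is an
# invented packet-filter entry that carries no proxy operation.
SAMPLE = [
    'WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http '
    'src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com '
    'arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898',
    'id=firewall time="1998-08-01 06:30:09" fw=WebTrendsSample pri=6 '
    'proto=http src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com '
    'arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036',
    'id=firewall time="1998-08-01 06:31:00" fw=WebTrendsSample pri=4 '
    'proto=tcp src=10.0.0.9 dst=10.0.0.3 msg="connection dropped"',
]

def parse_welf(line):
    """Return the record's fields as a dict, ignoring a syslog relay prefix."""
    if line.startswith("WTsyslog["):
        line = line.split("] ", 1)[-1]   # keep the relay's ip=/pri= out of the record
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def is_proxy_record(rec):
    # Assumption of this example: a proxy record names a protocol and an operation.
    return "proto" in rec and "op" in rec

def bytes_by_destination(lines):
    """Return {destination: {"requests": n, "bytes": sent + rcvd}} for proxy records."""
    totals = {}
    for line in lines:
        rec = parse_welf(line)
        if not is_proxy_record(rec):
            continue
        dest = rec.get("dstname") or rec.get("dst", "unknown")
        entry = totals.setdefault(dest, {"requests": 0, "bytes": 0})
        entry["requests"] += 1
        # Records carry sent=, rcvd= or both; non-numeric values are ignored.
        entry["bytes"] += sum(int(rec[k]) for k in ("sent", "rcvd")
                              if rec.get(k, "").isdigit())
    return totals
```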