WELF is a log format developed by WebTrends and supported by many firewall vendors. Products can write log files in this format directly or send the records through syslog; in either case the resulting log file contains WELF records. The format can be used by packet filter firewalls, proxies or network intrusion detection devices. This Lire superservice only processes records that are related to proxy services (either an application proxy such as a web proxy, or a transport proxy such as one for the telnet protocol).
Example 14.3. WELF Log Sample
WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http \
  src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
  arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898
WTsyslog[1998-08-01 00:04:12 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 00:08:52" fw=WebTrendsSample pri=6 proto=http \
  src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
  arg=/selfupd/x86/en/CUNPROT2.CAB op=GET result=304 sent=853
WTsyslog[1998-08-01 00:04:23 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 00:09:03" fw=WebTrendsSample pri=6 proto=http \
  src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com \
  arg=/R510/v31content/90820/0x00000409.gng op=GET result=304 sent=2983
WTsyslog[1998-08-01 03:02:03 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 03:06:43" fw=WebTrendsSample pri=6 proto=http \
  src=10.0.0.2 dst=10.0.0.4 dstname=2.example.com arg=/ op=POST \
  result=200 sent=2195
WTsyslog[1998-08-01 16:25:33 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 06:30:09" fw=WebTrendsSample pri=6 proto=http \
  src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com \
  arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036
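The following Python sketch is an added example, not Lire's own code. It shows how records like those in the sample can be split into fields (dropping the syslog prefix, joining continuation lines, honouring quoted values) and summed per destination. The function names and the choice to key on `proto` and `dstname` are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed input: two records copied from the sample above, with the
# backslash line continuations of the listing kept as they appear.
SAMPLE = r'''WTsyslog[1998-08-01 03:02:03 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 03:06:43" fw=WebTrendsSample pri=6 proto=http \
  src=10.0.0.2 dst=10.0.0.4 dstname=2.example.com arg=/ op=POST \
  result=200 sent=2195
WTsyslog[1998-08-01 16:25:33 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 06:30:09" fw=WebTrendsSample pri=6 proto=http \
  src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com \
  arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036
'''

SYSLOG_PREFIX = re.compile(r'^WTsyslog\[[^\]]*\]\s*')
# key=value, where the value is "double quoted" or a run of non-blanks
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_welf(text):
    """Return one dict of fields per WELF record found in text."""
    # A trailing backslash means the record continues on the next line.
    joined = re.sub(r'\\\s*\n\s*', ' ', text)
    records = []
    for line in joined.splitlines():
        # Drop the syslog wrapper so its ip= and pri= do not mix with the record.
        line = SYSLOG_PREFIX.sub('', line.strip())
        fields = {}
        for m in FIELD.finditer(line):
            quoted, bare = m.group(2), m.group(3)
            fields[m.group(1)] = quoted if quoted is not None else bare
        if fields:
            records.append(fields)
    return records

def _num(value):
    # Log fields are untrusted input: count anything non-numeric as 0.
    return int(value) if value.isdigit() else 0

def bytes_by_destination(records, proto='http'):
    """Sum sent + rcvd per dstname for records of the given protocol."""
    totals = defaultdict(int)
    for r in records:
        if r.get('proto') != proto:
            continue
        dest = r.get('dstname') or r.get('dst', '?')
        totals[dest] += _num(r.get('sent', '0')) + _num(r.get('rcvd', '0'))
    return dict(totals)
```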