<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE lire:dlf-schema PUBLIC
"-//LogReport.ORG//DTD Lire DLF Schema Markup Language V1.1//EN"
"http://www.logreport.org/LDSML/1.1/ldsml.dtd">
<lire:dlf-schema superservice="proxy" timestamp="time"
xmlns:lire="http://www.logreport.org/LDSML/">
<!-- $Id: proxy.xml,v 1.14 2002/11/06 18:04:49 flacoste Exp $ -->
<lire:title>DLF Schema for Proxy superservice</lire:title>
<lire:description>
<para>This DLF file is adequate to represent the most common
information about web proxy events. It holds the same information
as found in most proxy-like servers' log files.
<!-- as discussed in
Date: Wed, 9 Jan 2002 16:58:24 -0500
From: "Francis J. Lacoste" XXX
To: development XXX
Subject: PROPOSAL: schema for proxy superservice
Message-ID: <20020109215824.GX566@Contre.COM>
-->
</para>
<para>This schema is adequate for proxy servers beyond web proxy
servers. It can be used for SOCKS and other types of
connection-level proxies.
</para>
<para>The DLF schema was designed by studying the WebTrends Enhanced
Log Format and squid log files, and by thinking about SOCKS-type servers.
</para>
</lire:description>
<lire:field name="time" type="timestamp" label="Timestamp">
<lire:description>
<para>The time at which the request was initiated.</para>
</lire:description>
</lire:field>
<lire:field name="client_ip" type="ip" label="Client IP">
<lire:description>
<para>The IP address of the client.</para>
</lire:description>
</lire:field>
<lire:field name="client_host" type="hostname" label="Client Host">
<lire:description>
<para>The hostname of the client.
</para>
</lire:description>
</lire:field>
<lire:field name="user" type="string" label="User">
<lire:description>
<para>If the client was authenticated, this field should contain
the authenticated username.</para>
</lire:description>
</lire:field>
<lire:field name="duration" type="duration" label="Duration">
<lire:description>
<para>The time taken by the connection.</para>
</lire:description>
</lire:field>
<lire:field name="cache_result" type="string" label="Cache Result">
<lire:description>
<para>Result code for the cache (TCP_MISS, TCP_HIT, etc.). The list is available
on the Squid page, and in squid_access2dlf(1). All DLF converters should map
their native values to Squid's, which are very complete and
exhaustive.
</para>
</lire:description>
</lire:field>
<lire:field name="req_result" type="int" label="Result">
<lire:description>
<para>HTTP result of the request. e.g. 200 or 404.</para>
</lire:description>
</lire:field>
<lire:field name="protocol" type="string" label="Protocol">
<lire:description>
<para>The protocol of the proxied request: ftp, http, https, telnet, etc.</para>
</lire:description>
</lire:field>
<lire:field name="transport" type="string" label="Transport">
<lire:description>
<para>The protocol used between the client and the proxy server.
This is probably TCP, but can be UDP in some cases (like SOCKS or ICP).
</para>
</lire:description>
</lire:field>
<lire:field name="dst_ip" type="ip" label="Destination IP">
<lire:description>
<para>The IP address of the destination.</para>
</lire:description>
</lire:field>
<lire:field name="dst_host" type="hostname" label="Destination Host">
<lire:description>
<para>The hostname of the destination. In the case of a web proxy,
this will be the website.</para>
</lire:description>
</lire:field>
<lire:field name="dst_port" type="port" label="Destination Port">
<lire:description>
<para>Port of the destination used in the IP session.</para>
</lire:description>
</lire:field>
<lire:field name="operation" type="string" label="Operation">
<lire:description>
<para>This field should only be defined in the case of web proxy
requests. It should contain the HTTP method requested, like
<literal>GET</literal> or <literal>POST</literal>.
</para>
</lire:description>
</lire:field>
<lire:field name="requested_url" type="url" label="URL">
<lire:description>
<para>This field should only be defined in the case of web proxy
requests. It should contain the URL requested on the remote server.</para>
</lire:description>
</lire:field>
<!-- <lire:field name="bytes" type="bytes" default="0"> has the same effect
as: -->
<lire:field name="bytes" type="bytes" label="Result Size">
<lire:description>
<para>The number of bytes transferred from the proxy server to the
client.</para>
</lire:description>
</lire:field>
<lire:field name="type" type="string" label="Result's Type">
<lire:description>
<para>This field should only be defined for web proxy servers; it
should contain the MIME type of the HTTP request's result (e.g.
text/html or image/jpeg).</para>
</lire:description>
</lire:field>
<lire:field name="rule" type="string" label="Rule">
<lire:description>
<para>This field contains the name of the configuration rule that was
used to accept or deny the request.
</para>
</lire:description>
</lire:field>
<lire:field name="useragent" type="string" label="User Agent">
<lire:description>
<para>The user agent used by the client. E.g. 'Mozilla/4.0
(compatible; MSIE 5.0; Win32)' or 'Outlook Express/5.0 (MSIE 5.0;
Windows 98; DigExt)'.</para>
</lire:description>
</lire:field>
<lire:field name="result_src_code" type="string" label="Result Source Type">
<lire:description>
<para>Code qualifying the next two fields (i.e. NONE, DIRECT,
PARENT_HIT, etc.). All DLF converters should map their native values
to Squid's, which are very complete and exhaustive.
<!-- This and all following result_ fields are used in the case of
cache. The result src is from where the object was fetched (local
cache, parent cache, peer cache, original host, etc.) -->
</para>
</lire:description>
</lire:field>
<lire:field name="result_src_ip" type="ip" label="Result IP">
<lire:description>
<para>The IP address of the server which handled the request, i.e.
the destination or another cache.</para>
</lire:description>
</lire:field>
<lire:field name="result_src_host" type="hostname" label="Result Host">
<lire:description>
<para>The hostname of the server that handled the request and gave the
result.</para>
</lire:description>
</lire:field>
<lire:field name="result_src_port" type="port" label="Result Port">
<lire:description>
<para>Port on the referring host used in the IP session.</para>
</lire:description>
</lire:field>
<lire:field name="cat_action" type="string" label="Category Action">
<lire:description>
<para>This field contains either the value
<constant>block</constant> or <constant>pass</constant>. It is
used when access control is based on content filtering.
</para>
</lire:description>
</lire:field>
<lire:field name="cat_site" type="string" label="Site Category">
<lire:description>
<para>If the proxy server is doing content analysis, this field
should contain the category of the requested website.
</para>
</lire:description>
</lire:field>
<lire:field name="catlevel_site" type="int" label="Site Level">
<lire:description>
<para>Level can be 1 or 2: 1 meaning "no no" categories, 2 meaning
"family fun" categories. This was taken from the WELF specification.
</para>
</lire:description>
</lire:field>
<lire:field name="cat_page" type="string" label="Page Category">
<lire:description>
<para>Like <structfield>cat_site</structfield>, but for the actual
page.</para>
</lire:description>
</lire:field>
<lire:field name="catlevel_page" type="int" label="Page Level">
<lire:description>
<para>Like <structfield>catlevel_site</structfield>, but for the
actual page.</para>
</lire:description>
</lire:field>
</lire:dlf-schema>