The proxy audit logs are generated by enabling indexed format logging for the HTTP, FTP, Mail, News, Generic, DNS, and RealAudio and RTSP proxy services. The proxy audit logs are stored in a Btrieve* file on the Novell BorderManager 3.7 server and are maintained by CSAUDIT.NLM. The proxy audit logs cannot be edited or manipulated from the server; however, the data can be exported for analysis. The format of the exported data is compatible with trend analysis software packages, such as WebTrends*. This section describes how to export proxy audit logs and lists the data exported for the HTTP, FTP, Mail, News, Generic, DNS, and RealAudio and RTSP proxy services.
NOTE: Logging information for Telnet Transparent proxy is provided in the Generic TCP audit log.
There are two ways to export the proxy audit logs from NetWare® Administrator:
1. Export the data from the HTTP Proxy Hosts Statistics window.
2. Select Export Logs from the Novell BorderManager 3.7 pull-down menu.
To export audit logs for all proxies other than HTTP, you must use the second method. If you use the second method, you can also combine the audit log files from other Novell BorderManager 3.7 services with the proxy audit log into a single ASCII file.
To export HTTP audit log proxy records from the HTTP Proxy Hosts Statistics window, complete the following steps:
1. In NetWare Administrator, click the Server object representing the Novell BorderManager 3.7 server.
2. Select Novell BorderManager 3.7 from the Tools menu.
3. Click Proxy Cache and select View Audit Log from the Object menu.
4. Click Display Records, enter the dates for the records you want to display, and click OK.
5. In the HTTP Proxy Hosts Statistics window, click Export Data and enter the path and filename or click Browse to select the destination of the export file.
6. Select one of the following sort formats under Information Output Selection > click OK:
   - Time entry (connection by connection)---(Default selection) Sorts records from earliest entry time to latest entry time.
   - Access by users---Sorts records in alphabetic order based on the user's NDS or eDirectory name.
   - Access by hosts---Sorts records in ascending order (for IP addresses) or alphabetic order (for DNS hostnames).
7. (Conditional) If the export filename already exists under the directory path selected, you are prompted to replace the file. Click Yes to overwrite the file or No to specify the destination as described in Step 5.
The record fields are written to disk with a tab as the delimiter. Each record ends with a carriage return and line feed. The exported HTTP proxy data has the following format:
Entry Time---Time connection was established.
Username---Typeless NDS or eDirectory name or IP address of user.
Status---Whether the proxy server found the requested data in the cache (hit or miss).
Protocol---Protocol string representing the port number used for the connection: HTTP, FTP, HTTPS, and so on. For example, HTTP represents a connection made using port 80.
Hostname---DNS domain name or IP address of host accessed.
Data Length---Amount of data transferred from the cache or the original host.
Exporting Audit Logs for All Other Proxies
Use the Export Logs selection from the Novell BorderManager 3.7 pull-down menu to export all the proxy audit logs. This procedure extracts the same data from the Btrieve database, but offers additional export options that cannot be activated from the HTTP Proxy Hosts Statistics window. More important, the audit logs for all other proxies (FTP, Mail, News, Generic, DNS, and RealAudio and RTSP) can be accessed only this way.
To export an audit log for any proxy, complete the following steps:
1. In NetWare Administrator, click the Server object representing the Novell BorderManager 3.7 server.
2. Select Novell BorderManager 3.7 from the Tools menu.
3. From the Novell BorderManager 3.7 menu, select Export Logs.
4. Click Set Range > enter the date range.
   This is the range of dates comparable to the dates used to display records in the Access Control Users Statistics window. The default range is the current server date.
5. Click Browse to select the drive mapped to the destination for the export file.
   This is the path and filename for the export file. The default destination is A:\YYYYMMDD.LOG, where YYYY is the current year, MM is the current month, and DD is the current day. If you change the filename from the default format, the filename will not reflect the current server date. For example, if you change the filename format to MMDDYYYY.LOG, the next time you try to export logs on another day, the log filename will not have incremented to the current date.
6. (Optional) If the default filename is unacceptable, enter a new filename in the File field.
7. (Optional) If you want to combine the proxy audit log with audit logs from other Novell BorderManager 3.7 services, check the Combine Log Files check box.
   This feature allows log files from different Novell BorderManager 3.7 services to be combined into a single output file. When log files are combined, they are appended to one file, service by service.
8. Under Log Selection, check one or more boxes for the proxy type.
   If the Combine Log Files feature has been selected, check all the services you want combined into the export log file.
9. (Optional) If you checked Combine Log Files in Step 7, under Log Selection, check all other Novell BorderManager 3.7 services audit log files to be combined with the access control log file.
10. Click OK.
The proxy audit logs are exported to an ASCII file. The record fields are written with a tab as the delimiter. Each record ends with a carriage return and line feed. The ASCII file format depends on which proxy audit log is exported.
Export File Subdirectories
If the Combine Log Files feature is not selected and you select one or more services under the Log Selection field, a separate export file is created for each service under a subdirectory of the export destination path.
The export subdirectories used are shown in the following table.
| Log Type | Export Subdirectory |
| --- | --- |
| HTTP Proxy | HTTP |
| FTP Proxy | FTP |
| NNTP Proxy | NNTP |
| Mail Proxy | SMTP |
| RealAudio and RTSP Proxies | RAUDIO |
| DNS Proxy | DNS |
| Generic Proxy | GENERIC |
| Telnet Transparent Proxy | GENERIC |
| SOCKS Client | SOCKS |
| IPX Gateway (Novell IP Gateway) | IPXGW |
| VPN | VPN |
| ACL (access control) | ACL |
For example, if you specified an export destination of VOL1:LOGS\19981019.LOG, did not select the Combine Log Files feature, and checked the boxes for HTTP proxy, the Novell IP Gateway, and access control, the following logs would result:
The exported HTTP proxy data has the following fields:
Keyword---HTTP. If the Combine Log Files option was selected, the keyword is at the beginning of each HTTP proxy audit log line.
Date.
Time.
Source---Typeless NDS or eDirectory name and context, such as mlira.pubs.novell, or IP address.
Destination---DNS domain name or IP address.
Bytes received.
Command---Command used, such as Get, Head, Put, Post, Connect, or Delete.
Status of command---Status of command used, such as Cache Hit, Cache Miss, IC Hit, ICP Miss, or Passthrough.
Protocol---Protocol used, such as HTTP.
Exported FTP Proxy Data
The exported FTP proxy data has the following fields:
Keyword---FTP. If the Combine Log Files option was selected, the keyword is at the beginning of each FTP proxy audit log line.
Date.
Time.
Source---IP address.
Destination---IP address.
File length.
Proxy username---Name used to log in to the FTP proxy.
FTP username---Name used to log in to the FTP session.
File---Full path of the file transferred using FTP.
Cache status---Hit or Miss.
Status of the FTP request, such as Success, ACL rejection, DNS domain name resolution failure, FTP protocol error, and Connect failure.
Exported NNTP Proxy Data
The exported Network News Transfer Protocol (NNTP) or News proxy data has the following fields:
Keyword---NNTP. If the Combine Log Files option was selected, the keyword is at the beginning of each NNTP proxy audit log line.
Date.
Time.
Source---IP address of client.
Destination---IP address of news server.
Status of the NNTP request, such as Success; Connect failure; ACL: news group denied; ACL: user/group posting not allowed; and NNTP protocol error # number, where error numbers are per RFC 977.
Exported Mail Proxy Data
The exported Mail proxy data has the following fields:
Keyword---MAIL. If the Combine Log Files option was selected, the keyword is at the beginning of each Mail proxy audit log line.
Date.
Time.
Source IP address.
Destination IP address.
User---Typeless NDS or eDirectory name or IP address of user.
Protocol---Simple Mail Transfer Protocol (SMTP) or Post Office Protocol 3 (POP3).
Status of the SMTP or POP3 request, such as Success, ACL check failure, Spool creation error, Failed connection, Spool size limitation, Protocol and transport failure, and Resource allocation failure.
Command---SMTP or POP3 command used.
Source domain---DNS domain name (for SMTP use only).
Recipients---First 256 bytes of comma-separated list in user@domain format (for SMTP use only).
Process step---Examples of process steps include Incoming, Spool processing, and Forwarding (for SMTP use only).
Exported RealAudio and RTSP Proxy Data
The exported RealAudio and RTSP proxy data has the following fields:
Keyword---RAUDIO. If the Combine Log Files option was selected, the keyword is at the beginning of each RealAudio proxy audit log line.
Date.
Time.
Source---IP address.
Destination---IP address.
Destination port---Port number of the host.
RealAudio mode---TCP or UDP.
Status of the RealAudio request, such as Success, ACL failure, Connection error, and DNS domain name resolution error.
Exported DNS Proxy Data
The exported DNS proxy data has the following fields:
Keyword---DNS. If the Combine Log Files option was selected, the keyword is at the beginning of each DNS proxy audit log line.
Date.
Time.
Source---IP address.
Destination---IP address of DNS name server.
Resource record type---Decimal number indicating the record type that was transferred. Valid record types are 1 through 16, 252, and 253.
Resource record class---Decimal number from 1 through 3. A 1 indicates Internet, a 2 indicates CHAOS, and a 3 indicates Hesiod.
Resource record name---Text string of up to 64 characters.
Transport---UDP or TCP.
Cache status---Hit, Miss, or Tunnel.
Status of the DNS request, such as Success, DNS packet data format error, Connect error, Name error, and Unable to resolve request.
Exported Generic Proxy Data
NOTE: Logging information for Telnet Transparent proxy is provided in the Generic TCP audit log.
The exported Generic proxy data has the following fields:
Keyword---GENERIC. If the Combine Log Files option was selected, the keyword is at the beginning of each Generic proxy audit log line.
Date.
Time.
Source---IP address.
Destination---IP address.
Destination port---Port number of the host.
Transport---UDP or TCP.
Cache status---Hit, Miss, or Tunnel.
Status of the Generic request, such as Success, ACL failure, and Connection error.
Exported SOCKS Client Data
The exported SOCKS client data has the following fields:
Keyword---SOCKS. If the Combine Log Files option was selected, the keyword is at the beginning of each SOCKS client audit log line.
Date.
Time.
Source---IP address of client.
Destination---IP address of destination host.
Destination port---Port number of the host.
Transport---TCP or UDP.
Cache status---Hit, Miss, or Tunnel.
Status of the SOCKS request, such as Success, DNS resolution failed, Server connect failed, Server authentication failed, Server ACL failed, and General server failure.
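The following added example (not Novell code) parses a combined export file as described above: tab-delimited records ending in a carriage return and line feed, each starting with its service keyword. It then counts ACL-related denials per source across services. It assumes the columns appear in the order the field lists give them; the label names, the sample records, and the date and time formats are constructed for illustration.

```python
from collections import Counter

# Column labels per keyword, in the order the page lists the fields (assumed
# to be the column order of the export). The label names are this example's.
COMMON = ["keyword", "date", "time", "source", "destination"]
PORT_BASED = COMMON + ["dest_port", "transport", "cache_status", "status"]
FIELDS = {
    "HTTP": COMMON + ["bytes_received", "command", "status", "protocol"],
    "FTP": COMMON + ["file_length", "proxy_user", "ftp_user", "file",
                     "cache_status", "status"],
    "NNTP": COMMON + ["status"],
    "MAIL": COMMON + ["user", "protocol", "status", "command",
                      "source_domain", "recipients", "process_step"],
    "RAUDIO": COMMON + ["dest_port", "mode", "status"],
    "DNS": COMMON + ["rr_type", "rr_class", "rr_name", "transport",
                     "cache_status", "status"],
    "GENERIC": PORT_BASED,
    "SOCKS": PORT_BASED,
}

def parse_combined(text):
    """Yield one dict per CRLF-terminated, tab-delimited record. Rows with an
    unknown keyword or an unexpected column count are kept under 'unparsed'
    so that nothing is silently dropped from the audit trail."""
    for line in text.split("\r\n"):
        if not line:
            continue
        row = line.split("\t")
        names = FIELDS.get(row[0])
        if names is None or len(row) != len(names):
            yield {"keyword": row[0], "unparsed": row}
        else:
            yield dict(zip(names, row))

def acl_denials(records):
    """Count records whose status mentions ACL, keyed by (source, keyword)."""
    return Counter((r["source"], r["keyword"]) for r in records
                   if "ACL" in r.get("status", ""))

# Constructed sample records; date and time values are placeholder formats.
SAMPLE = "\r\n".join([
    "HTTP\t1998-10-19\t09:14:02\tmlira.pubs.novell\twww.example.com\t5120\tGet\tCache Miss\tHTTP",
    "FTP\t1998-10-19\t09:15:10\t10.0.0.7\t192.0.2.10\t0\tjdoe\tanonymous\t/pub/tool.zip\tMiss\tACL rejection",
    "GENERIC\t1998-10-19\t09:16:00\t10.0.0.7\t192.0.2.20\t23\tTCP\tTunnel\tACL failure",
    "SOCKS\t1998-10-19\t09:17:30\t10.0.0.9\t192.0.2.30\t1080\tTCP\tTunnel\tSuccess",
    "VPN\tconstructed row for a service this example does not map",
]) + "\r\n"

if __name__ == "__main__":
    for key, count in acl_denials(parse_combined(SAMPLE)).items():
        print(key, count)
```

Rows that land under 'unparsed' are worth reviewing rather than discarding, since they indicate either a service the mapping does not cover or a record whose column count differs from the documented field list.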