Exporting Data

The proxy audit logs are generated by enabling indexed format logging for the HTTP, FTP, Mail, News, Generic, DNS, and RealAudio and RTSP proxy services. The proxy audit logs are stored in a Btrieve* file on the Novell BorderManager 3.8 server and are maintained by CSAUDIT.NLM.

The proxy audit logs cannot be edited or manipulated from the server; however, the data can be exported for analysis. The format of the exported data is compatible with trend analysis software packages, such as WebTrends*. This section describes how to export proxy audit logs and lists the data exported for the HTTP, FTP, Mail, News, Generic, DNS, and RealAudio and RTSP proxy services.

NOTE: Logging information for Telnet Transparent proxy is provided in the Generic TCP audit log.

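The following are two ways to export the proxy audit logs from NetWare Administrator:

  • From the HTTP Proxy Hosts Statistics window (HTTP audit log proxy records only)
  • From the Export Logs selection on the Novell BorderManager 3.8 menu (all proxy audit logs)

To export audit logs for all proxies other than HTTP, you must use the second method. If you use the second method, you can also combine the audit log files from other Novell BorderManager 3.8 services with the proxy audit log into a single ASCII file.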


Exporting HTTP Audit Log Proxy Records

To export HTTP audit log proxy records from the HTTP Proxy Hosts Statistics window:

  1. In NetWare Administrator, click the Server object representing the Novell BorderManager 3.8 server.

  2. Select Novell BorderManager 3.8 from the Tools menu.

  3. Click Proxy Cache and select View Audit Log from the Object menu.

  4. Click Display Records, specify the dates for the records you want to display, and then click OK.

  5. In the HTTP Proxy Hosts Statistics window, click Export Data and specify the path and filename, or click Browse to select the destination of the export file.

  6. Select one of the following sort formats under Information Output Selection, then click OK:

    • Time entry (connection by connection): Sorts records from earliest entry time to latest entry time. This is the default.
    • Access by users: Sorts records in alphabetic order based on the user's NDS or eDirectory name.
    • Access by hosts: Sorts records in ascending order (for IP addresses) or alphabetic order (for DNS hostnames).

  7. (Conditional) If the export filename already exists under the directory path selected, you are prompted to replace the file. Click Yes to overwrite the file or click No to specify the destination as described in Step 5.

The record fields are written to disk with a tab as the delimiter. Each record ends with a carriage return and line feed. The exported HTTP proxy data has the following format:


Exporting Audit Logs for All Other Proxies

Use the Export Logs selection from the Novell BorderManager 3.8 menu to export all the proxy audit logs.

This procedure extracts the same data from the Btrieve database, but offers additional export options that cannot be activated from the HTTP Proxy Hosts Statistics window. More important, the audit logs for all other proxies (FTP, Mail, News, Generic, DNS, and RealAudio and RTSP) can only be accessed this way.

To export an audit log for any proxy:

  1. In NetWare Administrator, click the Server object representing the Novell BorderManager 3.8 server.

  2. Select Novell BorderManager 3.8 from the Tools menu.

  3. From the Novell BorderManager 3.8 menu, select Export Logs.

  4. Click Set Range, then specify the date range.

    This is the range of dates comparable to the dates used to display records in the Access Control Users Statistics window. The default range is the current server date.

  5. Click Browse to select the drive mapped to the destination for the export file.

    This is the path and filename for the export file. The default destination is a:\yyyymmdd.log, where yyyy is the current year, mm is the current month, and dd is the current day. If you change the filename from the default format, the filename will not reflect the current server date. For example, if you change the filename format to mmddyyyy.log, the next time you try to export logs on another day, the log filename will not have incremented to the current date.

  6. (Optional) If the default filename is unacceptable, specify a new filename in the File field.

  7. (Optional) If you want to combine the proxy audit log with audit logs from other Novell BorderManager 3.8 services, select the Combine Log Files check box. This feature allows log files from different Novell BorderManager 3.8 services to be combined into a single output file. When log files are combined, they are appended to one file, service by service.

  8. Under Log Selection, select one or more boxes for the proxy type.

    If the Combine Log Files feature has been selected, check all the services you want combined into the export log file.

  9. (Optional) If you have selected Combine Log Files in Step 7, under Log Selection, select all other Novell BorderManager 3.8 services audit log files to be combined with the Access Control Log (ACL) file.

  10. Click OK.

The proxy audit logs are exported to an ASCII file. The record fields are written with a tab as the delimiter.

Each record ends with a carriage return and line feed. The ASCII file format depends on which proxy audit log is exported.


Export File Subdirectories

If the Combine Log Files feature is not selected and you select one or more services under the Log Selection field, a separate export file is created for each service under a subdirectory of the export destination path.

The export subdirectories used are shown in the following table.

Log Type                      Export Subdirectory
HTTP Proxy                    HTTP
FTP Proxy                     FTP
NNTP Proxy                    NNTP
Mail Proxy                    SMTP
RealAudio and RTSP Proxies    RAUDIO
DNS Proxy                     DNS
Generic Proxy                 GENERIC
Telnet Transparent Proxy      GENERIC
SOCKS Client                  SOCKS
IPX Gateway                   IPXGW
VPN                           VPN
ACL (access control)          ACL

For example, if you specified an export destination of vol1:logs\19981019.log, and did not select the Combine Log Files feature, and did select HTTP proxy and access control, the following logs would result:


Exported HTTP Proxy Data

The exported HTTP proxy data has the following fields:

  • Keyword: HTTP. If the Combine Log Files option was selected, the keyword is at the beginning of each HTTP proxy audit log line.
  • Date
  • Time
  • Source: Typeless NDS or eDirectory name and context, such as mlira.pubs.novell, or IP address
  • Destination: DNS domain name or IP address
  • Bytes received
  • Command: Command used, such as Get, Head, Put, Post, Connect, or Delete
  • Status of the command: Status of command used, such as Cache Hit, Cache Miss, IC Hit, ICP Miss, or Passthrough
  • Protocol: Protocol used, such as HTTP


Exported FTP Proxy Data

The exported FTP proxy data has the following fields:

  • Keyword: FTP. If the Combine Log Files option was selected, the keyword is at the beginning of each FTP proxy audit log line.
  • Date
  • Time
  • Source: IP address
  • Destination: IP address
  • File length
  • Proxy username: Name used to log in to the FTP proxy
  • FTP username: Name used to log in to the FTP session
  • File: Full path of the file transferred using FTP
  • Cache status: Hit or Miss
  • Status of the FTP request, such as Success, ACL rejection, DNS domain name resolution failure, FTP protocol error, and Connect failure


Exported NNTP Proxy Data

The exported Network News Transfer Protocol (NNTP) or News proxy data has the following fields:

  • Keyword: NNTP. If the Combine Log Files option was selected, the keyword is at the beginning of each NNTP proxy audit log line.
  • Date
  • Time
  • Source: IP address of client
  • Destination: IP address of news server
  • Status of the NNTP request, such as Success; Connect failure; ACL: news group denied; ACL: user/group posting not allowed; and NNTP protocol error # number, where error numbers are per RFC 977


Exported Mail Proxy Data

The exported Mail proxy data has the following fields:

  • Keyword: MAIL. If the Combine Log Files option was selected, the keyword is at the beginning of each Mail proxy audit log line.
  • Date
  • Time
  • Source IP address
  • Destination IP address
  • User: Typeless NDS or eDirectory name or IP address of user
  • Protocol: Simple Mail Transfer Protocol (SMTP) or Post Office Protocol 3 (POP3)
  • Status of the SMTP or POP3 request, such as Success, ACL check failure, Spool creation error, Failed connection, Spool size limitation, Protocol and transport failure, and Resource allocation failure
  • Command: SMTP or POP3 command used
  • Source domain: DNS domain name (for SMTP use only)
  • Recipients: First 256 bytes of comma-separated list in user@domain format (for SMTP use only)
  • Process step: Examples of process steps, such as Incoming, Spool processing, and Forwarding (for SMTP use only)


Exported RealAudio and RTSP Proxy Data

The exported RealAudio and RTSP proxy data has the following fields:

  • Keyword: RAUDIO. If the Combine Log Files option was selected, the keyword is at the beginning of each RealAudio proxy audit log line.
  • Date
  • Time
  • Source: IP address
  • Destination: IP address
  • Destination port: Port number of the host
  • RealAudio mode: TCP or UDP
  • Status of the RealAudio request, such as Success, ACL failure, Connection error, and DNS domain name resolution error


Exported DNS Proxy Data

The exported DNS proxy data has the following fields:

  • Keyword: DNS. If the Combine Log Files option was selected, the keyword is at the beginning of each DNS proxy audit log line.
  • Date
  • Time
  • Source: IP address
  • Destination: IP address of DNS name server
  • Resource record type: Decimal number indicating the record type that was transferred. Valid record types are 1 through 16, 252, and 253.
  • Resource record class: Decimal number from 1 through 3. A 1 indicates Internet, a 2 indicates CHAOS, and a 3 indicates Hesiod.
  • Resource record name: Text string of up to 64 characters
  • Transport: UDP or TCP
  • Cache status: Hit, Miss, or Tunnel
  • Status of the DNS request, such as Success, DNS packet data format error, Connect error, Name error, and Unable to resolve request


Exported Generic Proxy Data

Logging information for Telnet Transparent proxy is provided in the Generic TCP audit log.

The exported Generic proxy data has the following fields:

  • Keyword: GENERIC. If the Combine Log Files option was selected, the keyword is at the beginning of each Generic proxy audit log line.
  • Date
  • Time
  • Source: IP address
  • Destination: IP address
  • Destination port: Port number of the host
  • Transport: UDP or TCP
  • Cache status: Hit, Miss, or Tunnel
  • Status of the Generic request, such as Success, ACL failure, and Connection error


Exported SOCKS Client Data

The exported SOCKS client data has the following fields:

  • Keyword: SOCKS. If the Combine Log Files option was selected, the keyword is at the beginning of each SOCKS client audit log line.
  • Date
  • Time
  • Source: IP address of client
  • Destination: IP address of destination host
  • Destination port: Port number of the host
  • Transport: TCP or UDP
  • Cache status: Hit, Miss, or Tunnel
  • Status of the SOCKS request, such as Success, DNS resolution failed, Server connect failed, Server authentication failed, Server ACL failed, and General server failure
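
The following is an added example, not Novell code: a parser for a combined export file that dispatches on the leading keyword and surfaces ACL denials for review. It assumes the columns appear in the order the field lists above give them; the date and time formats and all sample lines are constructed for illustration.

```python
# Added example. Column order is assumed to follow the field lists on this page.
# Date and time formats are not documented here, so they stay opaque strings.
SCHEMAS = {
    "HTTP": ["date", "time", "source", "destination", "bytes_received",
             "command", "status", "protocol"],
    "FTP": ["date", "time", "source", "destination", "file_length",
            "proxy_user", "ftp_user", "file", "cache_status", "status"],
    "NNTP": ["date", "time", "source", "destination", "status"],
    "MAIL": ["date", "time", "source", "destination", "user", "protocol",
             "status", "command", "source_domain", "recipients", "process_step"],
    "RAUDIO": ["date", "time", "source", "destination", "dest_port", "mode", "status"],
    "DNS": ["date", "time", "source", "destination", "rr_type", "rr_class",
            "rr_name", "transport", "cache_status", "status"],
    "GENERIC": ["date", "time", "source", "destination", "dest_port",
                "transport", "cache_status", "status"],
    "SOCKS": ["date", "time", "source", "destination", "dest_port",
              "transport", "cache_status", "status"],
}

def parse_combined(data: bytes):
    """Return (records, rejects) from a combined, keyword-prefixed export."""
    records, rejects = [], []
    for lineno, raw in enumerate(data.split(b"\r\n"), 1):  # records end in CR LF
        if not raw:
            continue
        fields = raw.decode("ascii", errors="replace").split("\t")
        schema = SCHEMAS.get(fields[0])
        # Unknown keyword or wrong column count: keep for review, never guess.
        if schema is None or len(fields) - 1 != len(schema):
            rejects.append((lineno, raw))
            continue
        records.append({"service": fields[0], **dict(zip(schema, fields[1:]))})
    return records, rejects

def acl_denials(records):
    """Records whose status field mentions an ACL rejection or failure."""
    return [r for r in records if "acl" in r["status"].lower()]

# Constructed sample lines (documentation-range addresses, made-up dates).
SAMPLE = b"\r\n".join([
    b"HTTP\t1998/10/19\t10:01:02\tmlira.pubs.novell\twww.example.com\t5120\tGet\tCache Miss\tHTTP",
    b"FTP\t1998/10/19\t10:02:00\t192.0.2.10\t198.51.100.7\t0\tanon\tanonymous\t/pub/a.zip\tMiss\tACL rejection",
    b"GENERIC\t1998/10/19\t10:03:00\t192.0.2.11\t198.51.100.9\t23\tTCP\tMiss\tACL failure",
    b"DNS\t1998/10/19\t10:04:00\t192.0.2.12",  # truncated record
    b"VPN\t1998/10/19\tnot described on this page",
]) + b"\r\n"
```

Lines that do not match a known keyword and column count are returned in the rejects list with their line number, so truncated or unexpected records are visible to the analyst instead of being dropped.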