5.2 Understanding the Novell BorderManager Event Data

Before you can run queries or build reports that display proxy log data in a useful fashion, it is important to understand the nature of the data reported by the Novell BorderManager HTTP proxy.

For the purposes of Novell Audit, each URL request through the BorderManager 3.9 HTTP proxy generates four events as indicated in the following table:

| Event ID | Description | Data Fields |
|----------|-------------|-------------|
| 00040001 | Proxy Common Log Data | IP Address, Authenticated User Name, Date, Time, Time Zone, HTTP Request, URL, HTTP Version, Status Code, File Size |
| 00040002 | Proxy Extended Log Data | cached, [date-time], c-ip, cs-method, cs-uri |
| 00040004 | Rule Hit Logging | Username or source IP address, URL or destination IP address, action (whether to allow or deny), rule sequence number, and type of ACL including time restriction. |
| 00040005 | Third Party Categorization | URL, username, URL-category, vendor-ID |

For descriptions of the data fields in the Common and Extended Log Data events, refer to the Novell AppNotes® article Understanding Novell BorderManager's HTTP Logs.

Capturing the Third Party Categorization data is unique to BorderManager 3.9’s support for Novell Audit. Descriptions of the Third Party Categorization data fields follow:

| Data Field | Description |
|------------|-------------|
| URL | The URL of the Web content being requested. |
| username | The name of the user requesting the URL. |
| URL-category | The categorization of the URL, based on the third-party categorization product being used on the proxy server that handled the request. |
| vendor-ID | The Vendor IDs for different third party categorization products are: 1: CyberPatrol* (This is not officially supported on BorderManager 3.9.); 3: SurfControl Content Database; 4: N2H2 Category Server; 7: Connectotel LinkWALL* |

The IP address of the BorderManager proxy server that reported the event is also included in each event record.
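Because one URL request is spread across four events, a report usually has to join them back together. The following is an added example, not code from Novell or from this guide: it merges the events for a request and lists denied requests with their URL category. The dict layout, key names, and sample records are constructed assumptions, as is the choice of (proxy, user, URL) as the join key.

```python
from collections import defaultdict

# Vendor IDs from the Third Party Categorization field descriptions.
VENDORS = {1: "CyberPatrol", 3: "SurfControl Content Database",
           4: "N2H2 Category Server", 7: "Connectotel LinkWALL"}

# Constructed sample events; the dict layout and key names are assumptions.
SAMPLE_EVENTS = [
    {"id": "00040001", "proxy": "10.0.0.5", "ip": "10.0.1.20", "user": "jdoe",
     "url": "http://games.example/play", "status": 403},
    {"id": "00040002", "proxy": "10.0.0.5", "c-ip": "10.0.1.20",
     "cs-method": "GET", "cs-uri": "http://games.example/play", "cached": False},
    {"id": "00040004", "proxy": "10.0.0.5", "source": "10.0.1.20",
     "dest": "http://games.example/play", "action": "deny", "rule": 3},
    {"id": "00040005", "proxy": "10.0.0.5", "user": "jdoe",
     "url": "http://games.example/play", "category": "Games", "vendor": 3},
    {"id": "00040001", "proxy": "10.0.0.5", "ip": "10.0.1.21", "user": "asmith",
     "url": "http://news.example/", "status": 200},
    {"id": "00040004", "proxy": "10.0.0.5", "source": "asmith",
     "dest": "http://news.example/", "action": "allow", "rule": 7},
]

def correlate(events):
    """Merge the events of one request into one record per (proxy, user, URL)."""
    # Common Log Data carries both IP and user name, so it can resolve
    # events that identify the client by IP address only.
    ip_to_user = {(e["proxy"], e["ip"]): e["user"]
                  for e in events if e["id"] == "00040001"}
    merged = defaultdict(dict)
    for e in events:
        who = e.get("user") or e.get("source") or e.get("c-ip")
        who = ip_to_user.get((e["proxy"], who), who)
        url = e.get("url") or e.get("cs-uri") or e.get("dest")
        rec = merged[(e["proxy"], who, url)]
        if e["id"] == "00040001":
            rec["status"] = e["status"]
        elif e["id"] == "00040002":
            rec["method"], rec["cached"] = e["cs-method"], e["cached"]
        elif e["id"] == "00040004":
            rec["action"], rec["rule"] = e["action"], e["rule"]
        elif e["id"] == "00040005":
            rec["category"] = e["category"]
            rec["vendor"] = VENDORS.get(e["vendor"], f"unknown ({e['vendor']})")
    return dict(merged)

def denied(events):
    """Denied requests with the category the filter assigned, if any."""
    return sorted((user, url, r.get("category"), r.get("vendor"))
                  for (_, user, url), r in correlate(events).items()
                  if r.get("action") == "deny")
```

Rule Hit events that record a destination IP address instead of a URL will not join on this key, and repeated requests by the same user for the same URL collapse into one record unless the key also includes a time window.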