Knowledgebase
What information is displayed in each column of a domain log file?
Posted by John Villanueva on 03 January 2018 07:39 PM

The fields (columns) in a typical domain log file consist of the following information:

#Fields: date time c-ip c-port s-ip s-port cs-username cs-method cs-uri-stem sc-status sc-message cs-bytes sc-bytes sessionid

date - date of log entry
time - timestamp of log entry
c-ip - client IP address
c-port - client port
s-ip - server IP address
s-port - server port
cs-username - username
cs-method - client request
cs-uri-stem - client URL stem
sc-status - status response from server
sc-message - message from server
cs-bytes - bytes sent from client to server
sc-bytes - bytes sent from server to client
sessionid - unique session id

Fields where data is not available are represented by a "-". All fields are space-delimited and enclosed in double quotes where needed.

Below is a sample snippet of a domain log file showing the upload and download of a file named test.txt by the user "test":

2017-12-28 13:58:44:504 127.0.0.1 62018 127.0.0.1 21 test - - "logged in" - - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:637 127.0.0.1 62019 127.0.0.1 20 test - - "session started" "FTP upload" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:645 127.0.0.1 62018 127.0.0.1 21 test - - "file uploaded" /test.txt;0;0 0 - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:646 127.0.0.1 62019 127.0.0.1 20 test - - "session closed" "FTP upload" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:832 127.0.0.1 62020 127.0.0.1 20 test - - "session started" "FTP download" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:837 127.0.0.1 62018 127.0.0.1 21 test - - "file downloaded" /test.txt;0;0 - 0 cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:839 127.0.0.1 62020 127.0.0.1 20 test - - "session closed" "FTP download" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:49:953 127.0.0.1 62018 127.0.0.1 21 test - - "logged out" - - - cd6fd41e9e50487f93a6d872f9bdbe6d

So, for example, to track uploaded files you would look for entries where the sc-status field is "file uploaded", and for downloaded files you would look for entries where sc-status is "file downloaded". The field immediately following it is the sc-message field, which contains the filename/path of the file that was transferred (read up to the ; delimiter).
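The tracking described above can be scripted for audit or incident review. The following is an added example, not part of the original article or the vendor's tooling: it splits each entry into the 14 named fields, treats "-" as missing, and lists file transfers with user, client IP and session. The function names are hypothetical, and it assumes quoted values contain no embedded double quotes.

```python
import re

# Column order taken from the #Fields header shown above.
FIELDS = ("date time c-ip c-port s-ip s-port cs-username cs-method "
          "cs-uri-stem sc-status sc-message cs-bytes sc-bytes sessionid").split()

# A token is either a double-quoted value (may contain spaces) or a bare word.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample input: header plus three entries copied from the snippet above.
SAMPLE = '''\
#Fields: date time c-ip c-port s-ip s-port cs-username cs-method cs-uri-stem sc-status sc-message cs-bytes sc-bytes sessionid
2017-12-28 13:58:44:504 127.0.0.1 62018 127.0.0.1 21 test - - "logged in" - - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:645 127.0.0.1 62018 127.0.0.1 21 test - - "file uploaded" /test.txt;0;0 0 - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:837 127.0.0.1 62018 127.0.0.1 21 test - - "file downloaded" /test.txt;0;0 - 0 cd6fd41e9e50487f93a6d872f9bdbe6d
'''

def parse_line(line):
    """Return a dict keyed by field name, or None for blank, '#' or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    values = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(values) != len(FIELDS):   # truncated or corrupted entry: do not guess
        return None
    return {k: (None if v == "-" else v) for k, v in zip(FIELDS, values)}

def transfers(lines):
    """Yield one record per 'file uploaded' / 'file downloaded' entry."""
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sc-status"] not in ("file uploaded", "file downloaded"):
            continue
        yield {
            "when": f'{rec["date"]} {rec["time"]}',
            "user": rec["cs-username"],
            "client": rec["c-ip"],
            "action": rec["sc-status"].split()[1],             # uploaded / downloaded
            "path": (rec["sc-message"] or "").split(";", 1)[0],  # read up to the ';'
            "session": rec["sessionid"],
        }

if __name__ == "__main__":
    for t in transfers(SAMPLE.splitlines()):
        print(t["when"], t["user"], t["client"], t["action"], t["path"], t["session"])
```

Grouping the yielded records by the session value ties each transfer back to the login and logout entries that share the same sessionid.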
