What information is displayed in each column of a domain log file?
Posted by John Villanueva on 03 January 2018 07:39 PM

The fields (columns) in a typical domain log file consist of the following information:

#Fields: date time c-ip c-port s-ip s-port cs-username cs-method cs-uri-stem sc-status sc-message cs-bytes sc-bytes sessionid

date - date of log entry
time - timestamp of log entry
c-ip - client IP address
c-port - client port
s-ip - server IP address
s-port - server port
cs-username - username
cs-method - client request
cs-uri-stem - client URL stem
sc-status - status response from server
sc-message - message from server
cs-bytes - bytes sent from client to server
sc-bytes - bytes sent from server to client
sessionid - unique session id

Fields for which no data is available are represented by a "-". All fields are space delimited and enclosed in quotes where needed.

Below is a sample snippet of a domain log file showing the upload and download of a file named test.txt by the user "test":

2017-12-28 13:58:44:504 127.0.0.1 62018 127.0.0.1 21 test - - "logged in" - - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:637 127.0.0.1 62019 127.0.0.1 20 test - - "session started" "FTP upload" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:645 127.0.0.1 62018 127.0.0.1 21 test - - "file uploaded" /test.txt;0;0 0 - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:646 127.0.0.1 62019 127.0.0.1 20 test - - "session closed" "FTP upload" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:832 127.0.0.1 62020 127.0.0.1 20 test - - "session started" "FTP download" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:837 127.0.0.1 62018 127.0.0.1 21 test - - "file downloaded" /test.txt;0;0 - 0 cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:839 127.0.0.1 62020 127.0.0.1 20 test - - "session closed" "FTP download" - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:49:953 127.0.0.1 62018 127.0.0.1 21 test - - "logged out" - - - cd6fd41e9e50487f93a6d872f9bdbe6d

For example, to track uploaded files, look for entries whose sc-status field is "file uploaded"; to track downloaded files, look for entries whose sc-status field is "file downloaded". The field immediately following sc-status is sc-message, which contains the filename/path of the file that was transferred (read up to the ; delimiter).
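
The tracking described above can be scripted for audit or incident review. The following Python is an added example, not part of the original article or the product: it splits each entry on spaces while honouring double-quoted fields, treats "-" as no data, and returns the upload/download events together with any lines whose column count does not match the #Fields header. The function names and the truncated last sample line are constructed for illustration, and the tokenizer assumes a quoted field never contains a double quote, since the article does not describe any escaping.

```python
import re

# Column order from the "#Fields:" line in the article.
FIELDS = ("date time c-ip c-port s-ip s-port cs-username cs-method cs-uri-stem "
          "sc-status sc-message cs-bytes sc-bytes sessionid").split()
# A token is either a double-quoted string or a run of non-space characters.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
STATUSES = {"file uploaded": "upload", "file downloaded": "download"}

# Constructed sample: entries copied from the article's snippet, plus one truncated line.
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-username cs-method cs-uri-stem sc-status sc-message cs-bytes sc-bytes sessionid
2017-12-28 13:58:44:504 127.0.0.1 62018 127.0.0.1 21 test - - "logged in" - - - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:46:645 127.0.0.1 62018 127.0.0.1 21 test - - "file uploaded" /test.txt;0;0 0 - cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:48:837 127.0.0.1 62018 127.0.0.1 21 test - - "file downloaded" /test.txt;0;0 - 0 cd6fd41e9e50487f93a6d872f9bdbe6d
2017-12-28 13:58:49:953 127.0.0.1 62018 127.0.0.1 21 test - - "logged out"
"""


def parse_line(line, fields=FIELDS):
    """Return a dict keyed by field name, or None if the column count is wrong."""
    values = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(values) != len(fields):
        return None
    # "-" marks a field with no data.
    return {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def file_transfers(log_text):
    """Return (transfer events, malformed lines) for a domain log."""
    fields, events, malformed = FIELDS, [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        rec = parse_line(line, fields)
        if rec is None:
            malformed.append(line)  # keep for review instead of dropping silently
        elif rec.get("sc-status") in STATUSES:
            events.append({
                "when": f'{rec.get("date")} {rec.get("time")}',
                "user": rec.get("cs-username"),
                "client": rec.get("c-ip"),
                "action": STATUSES[rec["sc-status"]],
                # The path is the sc-message value up to the first ";".
                "path": (rec.get("sc-message") or "").split(";", 1)[0],
                "session": rec.get("sessionid"),
            })
    return events, malformed
```

Filenames in sc-message come from the client, so treat the extracted path as untrusted text when it is displayed or passed to other tools.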
