PROPOSAL: schema for proxy superservice
Francis J. Lacoste
francis.lacoste at Contre.COM
Wed Jan 9 22:58:24 CET 2002
Proposal for the Proxy superservice schema
------------------------------------------
Next release should include the proxy superservice. Several proxies
can be supported in the initial release since we have code that can be
adapted for squid, WELF (several firewalls) and W3C-Extended (MS
Proxy).
After reviewing squid log format (as described on
http://www.squid-cache.org/Doc/FAQ/FAQ-6.html), WELF and W3C-Extended
(used by MS ISA Server), I also found documentation for MS-Proxy.
This schema should also be used for connection proxies (like SOCKS).
Most proprietary firewalls (you know, those software packages that do
everything) will do packet filters, socks type of proxying, HTTP
proxying, cache, etc.
The following fields cover all the information available across those
formats:

timestamp - timestamp of the request
client_ip - ip address of the client
client_host - hostname of the client
user - authenticated user
duration - time spent on the request
cache_result - Result code for the cache TCP_MISS, TCP_HIT, etc.
    List is available on Squid page.
req_result - HTTP result of the request
protocol - Protocol of the requests: ftp, http, https, telnet, etc.
transport - UDP or TCP (will be TCP most of the time, but important
    for UDP socks).
dst_ip - IP of the destination
dst_host - Hostname of the destination, that will be the website
operation - HTTP method
requested_url - URL requested on the server
bytes - Bytes transferred
type - MIME type for HTTP requests.
rule - Reference to the configuration rule that allowed or
    denied the request.

The following fields are used in the case of cache.
The result src is from where the object was fetched (local cache, parent
cache, peer cache, original host, etc.)

result_src_code - Code qualifying the next two fields. (i.e. NONE,
    DIRECT, PARENT_HIT, etc.)
result_src_ip - IP address of the server where the request
result_src_host - Hostname of the server that gave the source.

The following fields are supported by WELF for web proxies that do
content analysis.

cat_site - Category for the website.
catlevel_site - Level can be 1 or 2. 1 meaning "no no" categories. 2
    meaning "family fun" categories.
cat_page - Same as above, but for the actual page.
catlevel_page

I think this will cover most information we get from proxies. And we
can have a lot of interesting reports from that.
--
Francis J. Lacoste
francis at Contre.COM
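
Added example, not part of the original message or of the project's code: one way a Squid native access.log line could be mapped onto the fields proposed above. The function and helper names, the constructed sample line, the choice of seconds for duration and the port-443 rule for CONNECT are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE = ("1010613504.123    245 192.0.2.10 TCP_MISS/200 4312 GET "
          "http://www.example.com/index.html alice DIRECT/198.51.100.7 text/html")

def _dash(value):
    """Squid writes '-' for an absent value; map it to None."""
    return None if value in ("-", "") else value

def _ip_or_host(value):
    """Split an address-or-name into an (ip, host) pair."""
    if value is None:
        return None, None
    try:
        ipaddress.ip_address(value.strip("[]"))
        return value.strip("[]"), None
    except ValueError:
        return None, value

def squid_to_proxy_record(line):
    """Map one Squid native log line onto the proposed schema fields."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("expected 10 fields, got %d" % len(f))
    cache_result, _, status = f[3].partition("/")
    src_code, _, src_peer = f[8].partition("/")
    if f[5] == "CONNECT":  # tunnel: URL is host:port and carries no scheme
        host, _, port = f[6].rpartition(":")
        protocol = "https" if port == "443" else None  # assumption
    else:
        parts = urlsplit(f[6])
        host, protocol = parts.hostname, parts.scheme or None
    client_ip, client_host = _ip_or_host(f[2])
    dst_ip, dst_host = _ip_or_host(host or None)
    src_ip, src_host = _ip_or_host(_dash(src_peer))
    return {
        "timestamp": float(f[0]),
        "duration": int(f[1]) / 1000.0,  # Squid logs ms; seconds assumed here
        "client_ip": client_ip, "client_host": client_host,
        "user": _dash(f[7]), "cache_result": cache_result,
        "req_result": int(status), "protocol": protocol,
        "transport": "TCP",  # Squid's HTTP proxying runs over TCP
        "dst_ip": dst_ip, "dst_host": dst_host, "operation": f[5],
        "requested_url": f[6], "bytes": int(f[4]), "type": _dash(f[9]),
        "result_src_code": src_code,
        "result_src_ip": src_ip, "result_src_host": src_host,
    }
```

Squid's native format has no counterpart for rule or the cat_* fields, so the record leaves them out.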