HTTP Proxy Header Logging

The proxies in SunScreen 3.2 produce a number of log events which are useful to the WebTrends Firewall Suite (WFS), (via the welfmt utility.) However, the default set of HTTP protocol header items logged by the HTTP proxy do not, by default, include several header items which extend the usefulness of the reports generated by WFS.

For backward-compatibility reasons, the default set of HTTP header items logged remains largely as in previous releases of SunScreen. To accommodate the needs of WFS users, the HTTP proxy has been augmented to enable additional header items to be mapped into its log events.

Configuration of this mapping facility is controlled by a pair of variables, one to control HTTP request headers, the other to control HTTP response headers. The requests header mappings are tailored by:

• sys=Screen (optional)

• prg=httpp

• name=LogRqsts

• values={ hdrmaps }

• description="descriptive text"

• enabled | disabled (as initially configured, it is disabled)

The response header mappings are tailored by:

• sys=Screen (optional)

• prg=httpp

• name=LogRsps

• values={ hdrmaps }

• description="descriptive text"

• enabled | disabled (as initially configured, it is disabled)

The hdrmaps portion is a list of one or more of the following:

• group="WELF"

• name="namestr"

• name="!namestr"

• prefix="prefixstr"

• prefix="!prefixstr"

• suffix="suffixstr"

• suffix="!suffixstr"

group="WELF" enables all headers useful to WFS (either request or response, depending upon the variable in which they appear). Other forms specify the full header names (name=...), header prefix strings (prefix=...), or header suffix strings (suffix=...) to map on an individual basis. Forms with an exclamation point (!) represent negating the sense of the match.

Mappings are processed in the order in which they occur in the values={ ... } list. Specific matches should appear before more general ones.

Enabling a mapping causes the header(s) which match to be promoted into the NOTICE log events, thus retaining their values in the SunScreen log.

Both variables -- LogRqsts and LogRsps -- are pre-defined. If you display their install-time values, you see:

admin% ssadm -r primary edit Initial
edit> vars print prg=httpp name=LogRqsts
PRG="httpp" NAME="LogRqsts" DISABLED VALUES={ group="WELF" } 
 DESCRIPTION="request headers to log"
edit> vars print prg=httpp name=LogRsps
PRG="httpp" NAME="LogRsps" DISABLED VALUES={ group="WELF" } 
 DESCRIPTION="response headers to log"

Note that the variables must be changed to ENABLED to log headers optimal to WFS reporting.