How to copy a specific W3C log format from one log subscription, or from one Cisco Web Security Appliance, to another.
Environment: Cisco Web Security Appliance (WSA) supporting W3C logs (AsyncOS version 6.0.0 and later)
Symptoms: A specific W3C log format (fields and their order) has been configured on a WSA. A second WSA is being set up and needs the same log format. The GUI does not offer a way to paste in the values, so the format would have to be recreated manually, which can be time-consuming.
You can obtain the configured W3C format string of a specific subscription using the CLI as follows (this assumes a W3C log subscription named w3clog1):
wsa> logconfig
..........
Currently configured logs:
1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll
2. "authlogs" Type: "Authentication Framework Logs" Retrieval: FTP Poll
..........
..........
23. "updater_logs" Type: "Updater Logs" Retrieval: FTP Poll
24. "w3clog1" Type: "W3C Logs" Retrieval: FTP Poll
25. "wbnp_logs" Type: "WBNP Logs" Retrieval: FTP Poll
..........
..........
Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> EDIT
Enter the number of the log you wish to edit:
[]> 24
Please enter the name for the log:
[w3clog1]>
Enter the format string:
[timestamp x-elapsed-time c-ip x-resultcode-httpstatus sc-bytes cs-method
cs-url cs-username x-hierarchy-origin cs-mime-type x-acltag x-result-code
x-suspect-user-agent cs(Referer) cs(User-Agent)]>
The exact configured W3C format string is displayed under CLI -> logconfig -> EDIT.
When you create a new W3C log subscription in the CLI (CLI -> logconfig -> NEW -> ...) on a new or the same WSA, you can copy and paste this string to reproduce the exact W3C configuration.
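To confirm the pasted string really matches (same fields, same order), the format string can be pulled out of a saved CLI session from each appliance and compared. The following is an added example, not Cisco code: the function names are hypothetical, and both sample sessions are constructed from the transcript above (the second with deliberate differences).

```python
import re

# Constructed sample: tail of a saved `logconfig -> EDIT` session on the source WSA.
SOURCE_SESSION = """Please enter the name for the log:
[w3clog1]>
Enter the format string:
[timestamp x-elapsed-time c-ip x-resultcode-httpstatus sc-bytes cs-method
cs-url cs-username x-hierarchy-origin cs-mime-type x-acltag x-result-code
x-suspect-user-agent cs(Referer) cs(User-Agent)]>
"""

# Constructed sample: second WSA where two fields were swapped and one was dropped.
TARGET_SESSION = """Enter the format string:
[timestamp x-elapsed-time c-ip x-resultcode-httpstatus cs-method sc-bytes
cs-url cs-username x-hierarchy-origin cs-mime-type x-acltag x-result-code
cs(Referer) cs(User-Agent)]>
"""


def extract_format_fields(session):
    """Return the W3C fields, in order, from the [..]> default after the prompt."""
    m = re.search(r"Enter the format string:\s*\[(.*?)\]>", session, re.DOTALL)
    if m is None:
        raise ValueError("no 'Enter the format string:' prompt with a [..]> default")
    # Assumption: the terminal wraps only at spaces, so any whitespace run
    # (including a line break) is a field separator.
    return m.group(1).split()


def one_line(fields):
    """Single-line form of the format string, suitable for pasting into NEW."""
    return " ".join(fields)


def compare_formats(source, target):
    """Report missing/extra fields and the first index where the order differs."""
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(source, target)) if a != b), None)
    if first_diff is None and len(source) != len(target):
        first_diff = min(len(source), len(target))
    return {
        "match": source == target,
        "missing": [f for f in source if f not in target],
        "extra": [f for f in target if f not in source],
        "first_diff": first_diff,
    }
```

Field order matters as much as field presence here, because downstream log parsers typically map W3C columns by position.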
Revision | Publish Date | Comments |
---|---|---|
1.0 | 24-Jul-2014 | Initial Release |