How to copy the W3C specific log format from one log subscription or from one Cisco Web Security Appliance to another.
Environment: Cisco Web Security Appliance (WSA) supporting W3C logs (AsyncOS version 6.0.0 and later)
Symptoms: A specific W3C log format (fields and their order) has been configured for a WSA. A second WSA is being set up and the same log format should be configured. The GUI does not offer a way to paste in values so you would need to manually recreate the log which might be time consuming.
You can obtain the configured W3C format string of a specific subscription using the CLI as follows (this assumes a W3C log subscription named w3clog1):
Currently configured logs:
1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll
2. "authlogs" Type: "Authentication Framework Logs" Retrieval: FTP Poll
23. "updater_logs" Type: "Updater Logs" Retrieval: FTP Poll
24. "w3clog1" Type: "W3C Logs" Retrieval: FTP Poll
25. "wbnp_logs" Type: "WBNP Logs" Retrieval: FTP Poll
Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- HOSTKEYCONFIG - Configure SSH host keys.
Enter the number of the log you wish to edit:
Please enter the name for the log:
Enter the format string:
[timestamp x-elapsed-time c-ip x-resultcode-httpstatus sc-bytes cs-method
cs-url cs-username x-hierarchy-origin cs-mime-type x-acltag x-result-code
x-suspect-user-agent cs(Referer) cs(User-Agent)]>
In CLI -> logconfig -> edit, the exact configured W3C format string is displayed.
While you create a new W3C log subscription in the CLI (CLI -> logconfig -> NEW -> ...) on new or same WSA appliance, you can copy and paste the previous string to match the exact W3C configuration.