Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco ScanCenter Administrator Guide, Release 5.2

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco ScanCenter Administrator Guide, Release 5.2

Chapter Title

Log Extraction

Results

Updated:
February 16, 2021

Chapter: Log Extraction

Log Extraction

Overview

Cisco ScanCenter allows you to extract your data logs from the Cisco Cloud Web Security storage architecture. Configure secure and fully automated extraction of your web usage data for import and analysis using your SIEM platform S3-compatible Application Programming Interface (API). The log extraction service uses Amazon Simple Storage Service (S3) protocol only for the purpose of API compatibility; it does not use Amazon Web Services.

Data logs:

  • compiled in World Wide Web Consortium (W3C) text format

  • tab delimited with UTF-8 encoding

  • placed in a dedicated storage bucket assigned to your company for your secure extraction

  • allows you to choose what data you want to pull and when you want to extract the data

  • typically available within 15 minutes after the event

  • files deleted after five days

Note:

  • If you have anonymization rules in place, all anonymized fields will also apply in the extracted log data.

  • Visibility of the data in HTTPS traffic will be the same as in the WIRe reports.

  • All accounts within the delegated administration hierarchy log data to the same location. Account details are visible in the primary account.

  • Child account data consolidated into a single bucket. Reporting attribute x-ss-company-id used to identify child accounts.

Reporting Attributes

25 commonly-used reporting attributes are included in the data logs. Four optional attributes can also be included.

The field prefixes are:

  • c—client

  • s—server

  • cs—client to server

  • sc—server to client

  • x-ss—Cisco Cloud Web Security custom field


Note

The contents of the majority of attributes are normalized to lower case. However, for some attributes you may wish to view the original string as entered by the user. Attributes listed with “Original” in parentheses are available in normalized and original form.

datetime

Date and time

c-ip

Client IP address

cs(X-Forwarded-For)

Value of the X-Forwarded-For header

cs-username

(Original) Username logged in the form of WinNT://<username> or a custom text name

cs-method

(Original) Request method: CONNECT, GET, POST

cs-uri-scheme

Referrer protocol: FTP, HTTP, HTTPS

cs-host

(Original) Host part of the URL string; for example, in news.example.com/sport the host is news.example.com

cs-uri-port

Port number of web request

cs-uri-path

Path part of the URL string; for example, in news.example.com/sport the path is /sport

cs-uri-query

Query part of the URL string; for example, in http://www.example.com/search?hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq= the query is hl=en&q=free+screensavers&btnG=Example+Search&meta=&aq=f&oq=

cs(User-Agent)

(Original) Complete user agent string; for example, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) (more information on user agent strings can be found at http://www.useragentstring.com/pages/useragentstring.php)

cs(Content-Type)

(Original) Request content type; for example, image/gif, application/pdf, text/html, application/EDI-X12

cs-bytes

Bytes sent

sc-bytes

Bytes received

sc-status

Response Status Code; for example, to find all web requests to pages that did not exist, you can filter by 404 (more information on status codes can be found at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)

sc(Content-Type)

(Original) Response content type

s-ip

Destination IP address

x-amp-score

(Optional) AMP score of the request, if available

x-amp-sha

(Optional) Request/response SHA256 for the executable/PDF

x-avc-app

(Optional) Human readable AVC application name

x-avc-app-id

(Optional) AVC application ID, if detected

x-ss-category

Web filtering category; the category codes that apply to the x-ss-category reporting attribute are:

Code Description Code Description Code Description
c:adlt Adult c:game Games c:pnet Professional Networking
c:adv Advertisements c:gov Government and Law c:pol Politics
c:alc Alcohol c:hack Hacking c:porn Pornography
c:art Arts c:hate Hate Speech

c:prnm

Paranormal
c:astr Astrology c:hlth Health and Nutrition (deprecated 02/08/2021)

c:pvpn

Personal VPN
c:auct Auctions

c:hmed

Health and Medicine

c:reci

Recipes and Food
c:aud Streaming Audio

c:hunt

Hunting

 c:ref Reference
c:busi Business and Industry

c:ilac

Illegal Activities

 c:rel Religion

c:cach

Web Cache and Archives

c:ildl

Illegal Downloads

 c:rest Real Estate

c:cann

Cannabis

 c:img Photo Search / Images

c:saas

Saas and B2B
c:card Digital Postcards c:infr Infrastructure and Content Delivery

c:sci

Science and Technology
c:cell Mobile Phones

c:iot

Internet of Things

 c:scty Society and Culture
c:chat Chat and Instant Messaging c:job Job Search

c:serv

Cloud and Data Centers
c:comm Online Communities c:kids Safe for Kids c:shop Shopping
c:comp Computers and Internet

c:ling

Lingerie and Swimsuits

c:shrt

URL Shorteners

c:cryp

Cryptocurrency

 c:lol Humor c:snet Social Networking
c:csec Computer Security

c:lotr

Lotteries

 c:socs Social Science
c:date Dating

c:mail

Web-based E-mail

 c:sprt Sports and Recreation

c:ddns

Dynamic DNS Provider

c:meet

Online Meetings

 c:srch Search Engines and Portals

c:diy

DIY Projects

c:mil

Military

 c:swup Software Updates

c:docs

Online Document Sharing and Collaboration

c:mine

Cryptomining

 c:sxed Sex Education

c:doht

DoH and DoT

c:muse

Museums

c:terr

Terrorism and Violent Extremism
c:drug Illegal Drugs c:natr Nature (deprecated 02/08/2021) c:tob Tobacco
c:dyn Dynamic / Residential

c:ncon

Nature and Conservation

 c:trad Online Trading
c:edu Education c:news News c:tran Web Page Translation
c:ent Entertainment

c:ngo

Non-governmental Organizations

 c:trns Transportation

c:expo

Conventions, Conferences, and Trade Shows

 c:nsn Non-sexual Nudity c:trvl Travel
c:extr Extreme c:osb Online Storage and Backup

c:tunn

DNS Tunneling
c:fash Fashion c:p2p Peer File Transfer c:vid Streaming Video
c:filt Filter Avoidance c:park Parked Domains c:voip Internet Telephony
c:fnnc Finance c:pem Organizational E-mail c:weap Weapons
c:food Dining and Drinking c:pers Personal Sites c:whst Web Hosting
c:free Freeware and Shareware

c:pets

Animals and Pets

 unclassified Unclassified
c:fts File Transfer Services

c:piah

Private IP Addresses as Host
c:gamb Gambling c:plag Cheating and Plagarism

x-ss-last-rule-name

(Original) Policy rule name

x-ss-last-rule-action

Five rule actions to choose from: allow, authenticate, block, warn, inspect

x-ss-block-type

Type of block or pattern, specified in the filter, that generated the block

x-ss-block-value

String value that matched the block pattern

x-ss-referrer-host

(Original) Host part of the referrer URL string; for example, in news.example.com/sport the host is news.example.com

x-ss-external-ip

External IP address that Cisco Cloud Web Security gets from the customer (also known as the egress IP address); can also be the subnet of the external IP address (also known as the egress IP address subnet)

x-ss-company-id

Child Company ID

Issuing a Key Pair

Issue a key pair from the Log Extraction page in Cisco ScanCenter. Copy both keys into your SIEM platform S3-compatible API to enable extraction of data logs from your assigned bucket.


Note

We do not provide technical support for configuring SIEM devices or third-party products. In the event of an issue, consult the vendor-specific support team.

Before you begin

  • The log extraction service must be enabled and provisioned for your company.

  • Only your super user administrator can access the Log Extraction page.

Procedure

Step 1

Click the Admin tab to display the administration menus.

Step 2

In the Your Account menu, click Log Extraction to display the Log Extraction page.

Step 3

In the Bucket column of the Connection Details area, a dedicated bucket with a unique name based on your Company ID is created to hold your private data.

Step 4

In the Actions column of the Credentials area, click the Issue Key button.

Step 5

In the Warning dialog box, click the Issue & Download button.

Step 6

Save the resulting CSV file named keypair.csv to your downloads folder. The Access Key will be updated to show the generated key ID, but the secret key is not displayed anywhere in Cisco ScanCenter for the purpose of security. To maintain privacy, Cisco Customer Support will not ask for the secret key.

Step 7

Open the saved CSV file named keypair.csv to view your accessKey and secretKey. The accessKey is a 20-character string, while the secretKey is a 40-character string.

Step 8

(Optional) The Log Extraction Attributes area lists some additional attributes you may select to add to exported logs. Additional services may need to be activated to see data in these fields. Click Save.

Attribute Field Name

Description

x-avc-app-id

AVC application ID, if detected

x-avc-app

Human readable AVC application name

x-amp-score

AMP score of the request, if available

x-amp-sha

Request/response SHA256 for the executable/PDF

What to do next

Copy the pair of keys into your API client and configure it for extraction.

For example, s3cmd is a free command-line tool that can be used as a client to test connectivity to the log extraction service.

After downloading and installing the s3cmd tool, edit the following variables in the s3cmd configuration file:

  • Set access_key to your accessKey

  • Set secret_key to your secretKey

  • Set host_base to vault.scansafe.com

  • Set host_bucket to %(bucket)s.vault.scansafe.com

  • Set use_https to True

  • Set signature_v2 to True

As an example result, the variables would then appear as:

  • access_key=12345678901234567890

  • secret_key=1234567890123456789012345678901234567890

  • host_base=vault.scansafe.com

  • host_bucket=%(bucket)s.vault.scansafe.com

  • use_https=True

  • signature_v2=True


Note

The %(bucket)s.vault.scansafe.com value in the host_bucket variable does not use your dedicated bucket name.

For information on how to use the s3cmd tool, see:

http://s3tools.org/usage

http://s3tools.org/s3cmd-howto

http://s3tools.org/s3cmd-sync


Note

Only read commands are allowed to access your bucket. For example, the ls, get, debug, sync, and info read commands are allowed, while the put write command is not allowed.


Note

If the client application being used to access the Log Extraction API sends requests through the Cisco Cloud Web Security service, it may be challenged for authentication. If the client application is unable to respond to the authentication challenge correctly, the requests to the Log Extraction API will be blocked by the Cisco Cloud Web Security service. In this case, allow the client application direct access to the Log Extraction API by adding an exception for the URL vault.scansafe.com on TCP port 443.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us