Event Details
User Activity->Network and Firewall Tracking->Juniper SRX->URL Blocked
URL Blocked
 Sample:
Jun 23 14:02:19  firewall utmd[1038]: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 10.10.10.10(51916)->194.71.107.15(80) CATEGORY="Remote_Proxies" REASON="by predefined category" PROFILE="surf-control" URL=thepiratebay.com OBJ=/favicon.ico
Log Type: Generic Syslog
 Uniquely Identified By:
OS Type: Any
Filtering RegExp: ^(?:<(\d{1,2}|1[0-8]\d|19[01])>)?(\d*)?\s*((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) (?:\d|[12]\d|3[01]) (?:[01]\d|2[0-3]):[0-5][0-9]:[0-5][0-9])?\s+(\w+)\s+(\w+)\s?\[?(\d+)\]?:? (WEBFILTER_URL_BLOCKED):? (?:\[junos@2636\.((?:\d+\.){4}\d+).*\] )?(WebFilter: ACTION="(URL Blocked)" ((?:\d{1,3}\.){3}\d{1,3})\((\d+)\)->((?:\d{1,3}\.){3}\d{1,3})\((\d+)\) CATEGORY="([^"]*)" REASON="([^"]*)" PROFILE="([^"]*)" URL=([^ ]+) OBJ=(.*))
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime |
Who | Account or user name under which the activity occurred. | - | SomeUser
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | Action | URL Blocked
Where | The name of the workstation/server where the activity was logged. | Computer |
Where From | The name of the workstation/server where the activity was initiated from. | SourceAddress | 10.10.10.10
Severity | Specify the seriousness of the event. | Severity |
WhoDomain | | - |
WhereDomain | | - |