Derek_Davenport
Participant

HTTP Methods in logs?

Sorry if I missed the answer to this question in documentation or forums... I promise I've tried to find the answer.

In the URL Filtering and/or Application Control blades, is there a way to add the "HTTP method" (e.g. POST, GET, PROPS, OPTIONS) to the log, and more specifically to the log that can be ingested by a 3rd party SIEM?

Thanks for any guidance!

5 Replies
PhoneBoy
Admin

You must log the traffic with Extended Logging to get that information.

You will find it in the Session tab of the Log card:

I presume if we log it, it will also be sent to a SIEM as well, particularly if you're using Log Exporter.

See Log Exporter guide for more details.

Derek_Davenport
Participant

Thanks Dameon Welch Abernathy. I changed the log type to this in the URL/Application control blade, but I am still not seeing this value in the URL filtering log I am getting.

Does this only work on the Application Control blade? Was it added in a recent version? Is there a way to tweak what is logged in "Extended Logging"?

PhoneBoy
Admin

You must have App Control/URL Filtering enabled for this to work, both on the gateway and, R80+, the relevant layer.

What is logged by Extended Logging is determined by what blades are active on the relevant gateway and layer.

Derek_Davenport
Participant

Thanks! I think R80 is my current stumbling block. We are migrating to R80.10 gateways in the next few weeks...so I'll be able to verify then. Thanks!!!!!

PhoneBoy
Admin

This should also work in R77.30 as well, though it's in the App Control layer you use Extended Logging.
