Log Files Overview Last Updated: Thu, 02 Aug 2018 14:36:21 GMT

EZproxy offers institutions multiple customizable log formats to record user activity. These logs can be helpful in identifying levels of proxy usage, security concerns, and general operational details. Customization through directives allows EZproxy administrators to refine what information they receive and how often they receive it.

Log types

The log files generated by EZproxy provide information only about remote users’ activity. The types of logs that can be generated by EZproxy are defined below. The settings described are the default settings for standalone EZproxy that are set in the config.txt file when EZproxy is first downloaded. Many of these options can be customized to fit the needs of your institution. For more information about customization options, see the tabs for each individual log and the related directives for these log types.

Audit logs

Audit logs are daily logs that contain information about your users’ access to EZproxy as specified by the conditions you set with the Audit directive. By default, the config.txt file you download with EZproxy is set to Audit Most, which will record most login events, usage limits, and others (see the Audit logs tab for more details). These log files are retained in a directory named audit, which is a subdirectory of the EZproxy installation directory; you cannot redirect these files to be saved in another directory. However, you can customize your audit logs by specifying which events you would like EZproxy to record and how long you would like EZproxy to retain these files.

Audit events can be viewed by logging in to the EZproxy administration page, where you can search all files in the audit directory. They can also be viewed in your operating system by opening the audit folder within the EZproxy installation directory. The information included in these logs can be helpful in monitoring and resolving security issues.

EZproxy logs

EZproxy logs are monthly logs that contain large amounts of data about the information sent between EZproxy and all the database providers you have configured in your config.txt file. These logs are retained by default in the EZproxy installation directory and named ezpyyyymm.log. You can change the name of this log, the directory where the information is retained, designate the periods of time over which an individual file collects information, and limit the type of information recorded in these logs by including certain directives in your config.txt file. The active log can be viewed and searched from your EZproxy administration page, and all EZproxy logs can be accessed directly from the EZproxy installation directory. The information included in these logs can be used to assess EZproxy usage and evaluate and resolve potential security threats.

https://help.oclc.org/Library_Management/EZproxy/Manage_EZproxy/Log_files_overview Printed: Wed, 21 Nov 2018 20:12:48 GMT

messages.txt logs

The messages.txt file records daily operational information about each time EZproxy was started or stopped and fatal or non-fatal errors. This log also contains any messages resulting from debugging scripts generated by the Debug directive when included in your config.txt file. The messages.txt file is retained by default in the EZproxy installation directory and named messages.txt. You can change the name of this log, the directory where the information is retained, and designate periods of time over which an individual file collects information by editing the messages.txt log itself. The active log can be viewed and searched from your EZproxy administration page, and all messages.txt files can be accessed from your EZproxy installation directory. These logs can be useful in troubleshooting problems with EZproxy and verifying system details.

SPU logs

Starting Point URL logs record information about each time a starting point URL is clicked.
Standalone EZproxy is not configured to create SPU logs by default when downloaded. When configured without specifying directory locations where SPU logs should be saved, EZproxy stores these files in the EZproxy installation directory with the name spu.log. You can specify different locations for these logs to be stored and refine the information they collect with the same configurations as EZproxy logs. These log files can only be viewed through your operating system viewer. This log can be used to determine how often remote users access certain resources.

Audit logs

Adding the Audit directive to your config.txt file will command EZproxy to create audit logs when specified events occur and save these files in the EZproxy installation directory. Individual files will be named with the year, month, and day that the event occurred (e.g. 20140512.txt). The most common use of the Audit directive to command EZproxy to create audit logs is as follows:

    Audit Most

This directive statement will create a log when any of the following events occur:

  • A user is denied access to EZproxy
  • A user successfully logs in to EZproxy
  • A user has a failed attempt to log in to EZproxy
  • An intrusion attempt based on the IntruderIPAttempts or IntruderUserAttempts directive occurs
  • General system activities, such as system startup, occur
  • An unauthorized user attempts to access the administrative features of EZproxy
  • An event resulting from the UsageLimit directive occurs

This is the default configuration in the config.txt file that is downloaded with EZproxy. For more details about further customization of the audit logs, see Audit.

Audit logs can be accessed from the EZproxy admin page at any time. Logs that have been purged as a result of the AuditPurge directive will not be accessible.

Suggested Configuration

By retaining the default Audit Most directive statement in your config.txt file, you will have the most commonly assessed security events recorded to your audit logs. To limit the amount of storage space your audit logs take up, the AuditPurge directive is also configured by default to 7 following the Audit statement so EZproxy will delete files after a specified period of time. This will keep only the audit logs for the current day plus the previous week and delete any files older than 7 days.

OCLC suggests increasing the AuditPurge time period to 180, so that your config.txt file looks as follows:

    Audit Most
    AuditPurge 180

This change to the AuditPurge directive will cause EZproxy to retain the audit file for the current day plus the audit files of the previous 180 days, and delete any file older than 180 days. Retaining audit files for longer periods of time will provide you with a larger pool of information for review if you should need to access it. You can increase or decrease the purge number as you see fit to save disc space or ensure that you have the data you need should reporting requests or a security breach require you to reference it. When determining how long to set your AuditPurge, consult with your IT department to ensure that your retention schedule complies with institutional policies for security and reporting purposes.

Ezproxy.log

EZproxy will automatically generate EZproxy logs and save them in a file named ezproxy.log in the directory where EZproxy is installed.
The default command used to format data collected in the EZproxy log is as follows:

    LogFormat %h %l %u %t "%r" %s %b

This will generate the following data in your EZproxy log:

    132.174.1.1 - - [14/Mar/2014:09:39:18 -0700] "GET http://www.somedb.com:80/index.html HTTP/1.0" 200 1234

The following table breaks down this line of data:

| FIELD | DESCRIPTION | CORRESPONDING VALUE IN EXAMPLE |
|-------|-------------|--------------------------------|
| %h | The IP address of the host accessing EZproxy | 132.174.1.1 |
| %l | The remote username obtained by identd; if identd is not used, a - will be recorded in your EZproxy log | - |
| %u | The username or session identifier, based on other config.txt options | - |
| %t | The date and time the request was made | [14/Mar/2014:09:39:18 -0700] |
| "%r" | The complete HTTP request sent to the remote server; this field is contained in quotation marks so it is parsed as one piece of data even though it contains spaces, since spaces are generally a signal that a new field of data is beginning | "GET http://www.somedb.com:80/index.html HTTP/1.0" |
| %s | The HTTP numeric status of the request (see LogFormat Status Codes for more information about these numbers) | 200 |
| %b | The number of bytes transferred | 1234 |

Note: If EZproxy is not able to collect the data denoted by a particular field, it will insert a dash for the missing information.

For more details about these and additional fields that can be used to further customize this directive, see LogFormat.

Suggested Configuration

The default configuration in the standalone EZproxy config.txt file will provide you with monthly log files that contain data about all data transfers and requests sent through your instance of EZproxy. Depending on use levels, you might want to configure EZproxy to maintain daily instead of monthly log files so you can more quickly identify the location of the information you may need by date.
This suggested configuration does not contain any LogFilters, but you may also want to consider whether the inclusion of filters to limit the volume of data collected would make your EZproxy logs more manageable and provide more focused information. See LogFilter for more details about this option.

The following configuration will change your EZproxy logs to daily files instead of monthly:

    LogFormat %h %l %u %t "%r" %s %b
    LogFile -strftime ezp%Y%m%d.log

Messages.txt

EZproxy will automatically generate messages.txt logs and save them in files of the same name in the EZproxy installation directory.
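
The default LogFormat broken down in the Ezproxy.log section above can be parsed field by field. The following is an added example, not part of the OCLC documentation: it parses lines in that default format, treats a dash as a missing value, and totals bytes transferred per user (or per host when no username is logged) so unusually heavy use stands out during a security review. The function names, the threshold, and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default EZproxy LogFormat from the page: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-)$'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # EZproxy writes "-" when it could not collect a field.
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["status"] = None if rec["status"] == "-" else int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def bytes_by_key(lines, threshold):
    """Sum %b per user (falling back to %h); return (keys over threshold, skipped)."""
    totals = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        totals[rec["user"] or rec["host"]] += rec["bytes"]
    flagged = {k: v for k, v in totals.items() if v > threshold}
    return flagged, skipped

# Constructed sample lines (not real traffic); the first is the page's own example.
SAMPLE = [
    '132.174.1.1 - - [14/Mar/2014:09:39:18 -0700] "GET http://www.somedb.com:80/index.html HTTP/1.0" 200 1234',
    '192.0.2.10 - user1 [14/Mar/2014:09:40:02 -0700] "GET http://www.somedb.com:80/a.pdf HTTP/1.0" 200 900000',
    '192.0.2.10 - user1 [14/Mar/2014:09:40:05 -0700] "GET http://www.somedb.com:80/b.pdf HTTP/1.0" 200 800000',
    '192.0.2.11 - user2 [14/Mar/2014:09:41:00 -0700] "GET http://www.somedb.com:80/c.html HTTP/1.0" 304 -',
    'truncated line without fields',
]

if __name__ == "__main__":
    # The 1,000,000-byte threshold is an arbitrary value chosen for this sample.
    print(bytes_by_key(SAMPLE, threshold=1_000_000))
```

If the LogFormat directive in config.txt is customized, the regular expression has to be changed to match the new field order.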
