After creating a new access log and creating a new rule in the web access layer policy to log data, no data is seen on Symantec ProxySG or Symantec Advanced Secure Gateway (ASG).
There are two known causes for data not being displayed in a new access log
Due to the way policy processing works in-regards to access logs all data will be sent to the first access log action defined in a web access layer. So, if we have two access log rules in a single web access layer data will only be sent to the first access log rule. No other rules within that layer will be parsed as the policy processing engine will proceed to the next layer in the list.
If filters are applied to an access log rule in the web access layer that is not correctly defined the access log will not receive any data. This can be a source object defined to restrict only particular requests from certain users or subnets, therefore, less data is being sent to this access log. This is beneficial when looking to record traffic from certain users while not recording traffic from all other's users. However, if made to specify the access log may not contain any data if those users are not active.
We recommend creating a new Web Access Layer and, in that layer, creating a single rule that will send data to a single access log. For example, if we have created three new access logs in the Visual Policy Manager (VPM) we would create three new Web Access Layers and we would create only one rule that logs data to each specific access log. There will be no other rules present in these Web Access Layers as it's strictly for logging data to the access log only.
Remove all filters for this particular access log and then slowly re-add the filters to rule out the anomalous object causing the issue. As well to note that if utilizing user objects or group objects authentication will need to be enabled for that to be properly leveraged as a filter or there will be no data sent to the access log. If authentication is disabled transactions will never match the former objects due to the fact we do not have the end user's user name and/or group name(s).
Subscribing will provide email updates when this Article is updated. Login is required.