One of the most frustrating things about working with the IronPort proxy servers is how difficult it is to view the log files. The logs are stored on the proxy server in text files – these are often multiple gigabytes in size – downloading takes an age, and opening them in Windows is next to impossible.
Fortunately, if you SSH to the management interface of the proxy, you can use grep to parse the IronPort proxy logs. I find it easier to tail the log file (that is, start from the end). This is no use for historic logs, but if you can ask the user to test while you have the tail of the log open, you can view their connection requests live.
The command for this is:
grep -t -e “text_to_search” accesslogs
The -t in this specifies to tail the logs. If you drop this, it will grep through the entire log file – this can take some time. The -e denotes the regular expression that is to follow – I generally stick the URL (or a portion of it) in to this. And accesslogs specifies that the log you wish to search is the access log. Log names can be found in the Web GUI.
If you use the -t option, it will hang and say “Ctrl-C to stop”. Perform the test while it is in that state, and you will see a log entry flash up.
The log entries are in standard quid format – a good description of that can be found here: http://proxyadvices.wordpress.com/2012/11/09/ironport-squid-log-interpretation/