We've integrated a Trend Micro web proxy device with RSA SA NetWitness (10.6.2.0).
It forwards the same log under two different types. For example, if user A accessed website B, then 2 different logs are generated with the exact time stamp: 1) Event URL Access Tracking 2) Event URL Monitoring
Below are the samples:
An EVT_URL_Access log can be allowed/denied, while EVT_URL_Monitoring is the log of allowed websites.
So, we wanted to achieve the following: if user name, time and URL (with contains and not exact) match, then capture bytes, source and destination from EVT_URL_ACCESS_TRACKING
URL with domain contains
Then write bytes, source, destination to Report/Chart etc which will be available from URL Access tracking logs.
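
Added example, not part of the original post: a sketch of the join described above, run offline in Python over events that have already been parsed and exported; it is not NetWitness rule or report syntax. The field names (`user`, `time`, `url`, `action`, `bytes`, `src`, `dst`) and the sample events are constructed assumptions, since the post's log samples are not shown.

```python
from collections import defaultdict

# Constructed sample events, already parsed into fields. The field names
# are assumptions for this sketch, not the device's real log keys.
ACCESS = [  # stands in for EVT_URL_ACCESS_TRACKING (allowed and denied)
    {"user": "userA", "time": "2017-03-01 10:15:02", "url": "http://www.example.com/news/index.html",
     "action": "allowed", "bytes": 5321, "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"user": "userA", "time": "2017-03-01 10:15:09", "url": "http://blocked.example.net/",
     "action": "denied", "bytes": 0, "src": "10.0.0.5", "dst": "203.0.113.20"},
    {"user": "userB", "time": "2017-03-01 10:15:02", "url": "http://www.example.org/a",
     "action": "allowed", "bytes": 880, "src": "10.0.0.6", "dst": "203.0.113.30"},
]
MONITORING = [  # stands in for EVT_URL_MONITORING (allowed only)
    {"user": "userA", "time": "2017-03-01 10:15:02", "url": "www.example.com"},
    {"user": "userB", "time": "2017-03-01 10:15:02", "url": "www.example.org"},
    {"user": "userC", "time": "2017-03-01 10:16:00", "url": "www.example.com"},
]

def url_contains(a, b):
    """Case-insensitive 'contains' match in either direction, not exact equality."""
    a, b = a.lower(), b.lower()
    return bool(a) and bool(b) and (a in b or b in a)

def correlate(access, monitoring):
    """Join on (user, time) plus URL containment; return (report rows, unmatched)."""
    by_key = defaultdict(list)
    for ev in access:
        by_key[(ev["user"].lower(), ev["time"])].append(ev)
    rows, unmatched = [], []
    for mon in monitoring:
        candidates = by_key.get((mon["user"].lower(), mon["time"]), [])
        hit = next((a for a in candidates if url_contains(a["url"], mon["url"])), None)
        if hit is None:
            unmatched.append(mon)  # no access-tracking twin: worth reviewing
            continue
        # bytes/src/dst come from the access-tracking event, as the post asks
        rows.append({"user": mon["user"], "time": mon["time"], "url": mon["url"],
                     "bytes": hit["bytes"], "src": hit["src"], "dst": hit["dst"]})
    return rows, unmatched

if __name__ == "__main__":
    rows, unmatched = correlate(ACCESS, MONITORING)
    for r in rows:
        print(r)
    print("unmatched:", unmatched)
```

Denied access-tracking events never reach the report because they have no monitoring counterpart, and monitoring events without a matching access-tracking event are returned separately rather than silently dropped.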