Thanks again for the explanation. I'm not changing the raw Squid log, only the normalised event. I'm simply pulling out the URL host (the FQDN) from the URL, as my SIEM agent doesn't natively understand how to parse these CONNECT messages. It doesn't matter to me if CONNECT requests are not always HTTPS requests. For my purposes I need to compare the FQDN to a list of IOCs. If I have a use case specific to the use of CONNECT requests in the future, I still have all of that information, as is, from the proxy.
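
The normalisation described in the message above, as an added example that is not part of the original post or of Squid itself: it extracts the URL host from both CONNECT (`host:port`) and ordinary request lines and compares it to an IOC list. It assumes Squid's native access.log field order; the log lines, IOC entries and function names are constructed for illustration, and matching parent domains goes one step beyond the exact FQDN comparison the post mentions.

```python
from urllib.parse import urlsplit

# Constructed IOC list and Squid native-format access.log lines (sample data).
IOCS = {"bad.example.net", "c2.example.org"}
SAMPLE_LOG = """\
1500000000.123    210 10.0.0.5 TCP_TUNNEL/200 4512 CONNECT bad.example.net:443 - HIER_DIRECT/203.0.113.10 -
1500000001.456     35 10.0.0.6 TCP_MISS/200 1830 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1500000002.789    120 10.0.0.7 TCP_TUNNEL/200 900 CONNECT Login.C2.Example.ORG.:8443 - HIER_DIRECT/203.0.113.11 -
1500000003.000     80 10.0.0.8 TCP_TUNNEL/200 700 CONNECT [2001:db8::1]:443 - HIER_DIRECT/2001:db8::1 -
"""

def url_host(method, target):
    """Return the lower-cased host from a Squid URL field, or None."""
    if method.upper() == "CONNECT" or "://" not in target:
        # CONNECT targets are authority-form (host:port) with no scheme;
        # prefix "//" so urlsplit treats the value as a network location.
        target = "//" + target
    try:
        host = urlsplit(target).hostname  # strips port and IPv6 brackets
    except ValueError:
        return None  # malformed authority, leave for manual review
    return host.rstrip(".") if host else None  # drop trailing root dot

def ioc_match(host, iocs):
    """Return the IOC entry equal to the host or one of its parent domains."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def scan(log_text, iocs):
    """Return (client, method, host, matched_ioc) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format line
        client, method, target = fields[2], fields[5], fields[6]
        host = url_host(method, target)
        hit = ioc_match(host, iocs) if host else None
        if hit:
            hits.append((client, method, host, hit))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IOCS):
        print(hit)
```

The raw log line is left untouched; only the derived host value is added to the normalised event, so the port and method remain available for any later CONNECT-specific use case.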