reporting

Unanswered Question
Dec 8th, 2007

Hello

I work for a government agency and we just got the appliance set up. What I need to be able to do is tell what people have visited what sites. I have been unable to see anywhere to run this kind of report. For example, I need to be able to see what sites John Smith visited for, say, the month of December.

How would I do this?

Doc_ironport Sat, 12/08/2007 - 04:30

This level of detail is not available from the on-box reporting - basically the overhead of doing it is too great and could have a performance hit on the box.

To get the level of reporting you want you've got 2 options:

1. (Preferred!) Use Sawmill Reporter as an off-box reporting tool. IronPort OEMs and supports Sawmill, and you can download an eval version from the support portal (http://www.ironport.com/support/login.html -> "Web")

2. Use the logs from the appliance in another reporting package. By default the S-series logs using the industry de facto standard "Squid" log format (with a few extra fields for things like categories). These logs can be easily parsed by you, or by any 3rd party package that supports Squid.

In effect the first option is the same as the 2nd option, only we've done the hard work of configuring Sawmill for you so that it's pretty much plug-n-play, including support for the additional fields we add, plus a number of default reports.
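
One way to carry out option 2 for the original question (sites visited by one user in a given month), as an added example that is not part of the original thread and not IronPort's or Sawmill's own code. It assumes the first ten whitespace-separated fields follow the standard Squid native access-log layout and that proxy authentication puts the username in the eighth field; appliance-specific trailing fields are ignored, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid native access-log layout (assumed field order):
# time elapsed client result/status bytes method URL user hierarchy/peer type [extras...]
SAMPLE_LOG = """\
1196672400.123 210 10.1.1.15 TCP_MISS/200 5120 GET http://news.example.com/index.html jsmith DIRECT/192.0.2.10 text/html extra-field
1196672700.456 95 10.1.1.15 TCP_MISS/200 2048 GET http://news.example.com/sports.html jsmith DIRECT/192.0.2.10 text/html extra-field
1197295200.789 310 10.1.1.15 TCP_MISS/200 900 CONNECT mail.example.org:443 jsmith DIRECT/192.0.2.20 - extra-field
1196337600.000 120 10.1.1.15 TCP_MISS/200 700 GET http://old.example.net/ jsmith DIRECT/192.0.2.30 text/html extra-field
1196672800.000 80 10.1.1.22 TCP_MISS/200 1000 GET http://news.example.com/ adoe DIRECT/192.0.2.10 text/html extra-field
truncated line
"""

def parse_line(line):
    """Return (when, user, host, bytes) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) < 10:          # ten standard fields; trailing extras are ignored
        return None
    try:
        when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        size = int(parts[4])
    except ValueError:
        return None
    method, url, user = parts[5], parts[6], parts[7]
    # CONNECT (HTTPS tunnel) entries log host:port instead of a full URL
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return when, user, (host or url).lower(), size

def sites_for_user(lines, user, year, month):
    """Per-site request count, byte total and first/last access (UTC) for one user and month."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, who, host, size = rec
        if who.lower() != user.lower() or (when.year, when.month) != (year, month):
            continue
        site = report[host]
        site["requests"] += 1
        site["bytes"] += size
        site["first"] = when if site["first"] is None else min(site["first"], when)
        site["last"] = when if site["last"] is None else max(site["last"], when)
    return dict(report)

if __name__ == "__main__":
    for host, s in sorted(sites_for_user(SAMPLE_LOG.splitlines(), "jsmith", 2007, 12).items()):
        print(f"{host:20} {s['requests']:3} requests {s['bytes']:6} bytes  {s['first']:%Y-%m-%d %H:%M} to {s['last']:%Y-%m-%d %H:%M}")
```

Month boundaries are evaluated in UTC here; shift the timestamps to the site's local time zone if the report has to match local calendar months.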

cemccaskill_ironport Sat, 12/08/2007 - 04:56

This is a very important option and it was explained to me that this had a very robust reporting system built in and that I wouldn't have to purchase anything else. This for me is the most important feature, as since I work for the government we have to know what users are going to what sites. While security and filtering is important, the keeping track of where people go and the ease of getting that info is just as important, and this appliance is advertised as a one box solution. With everything you need in one appliance.

Doc_ironport Sun, 12/09/2007 - 23:20

"it was explained to me that this had a very robust reporting system built in and that I wouldn't have to purchase anything else."


The S-series does have a very robust reporting system built in, and in many cases what it provides will be sufficient - at the end of the day it depends on what level of reporting you require, and what timeframe you need to be able to report on.

If you're after data on which categories of sites your users are browsing, on what days, from what IPs, etc., then the on-box reporting will probably do everything you require. If you want to dig deeper then you have the option of either using the raw logs (e.g., once you've determined from the on-box reporting that a user is accessing a particular category of site you can look in the logs to see exactly which site), or use an off-box reporting package such as Sawmill.

cemccaskill_ironport Mon, 12/10/2007 - 12:44

Thanks Doc, and I haven't yet installed and tried Sawmill but I will and report back. Please remember I am just passing on real world situations that perhaps IronPort would like to hear about so that they can improve their appliance. If not, that's cool, I will shut up :D

I agree they do have a level of reporting but not a robust level. In today's world of everybody sues everybody, if a user is abusing the company's web policy you must be able to tell the exact sites that user is visiting and how many times and for how long. You must be able to do this out of the box without having to go thru raw logs, as this can be very time consuming for the admin.

I will give you an example. Let's say you have a user that is viewing porn. The way it shows now, it says x user was in the porn category. Now the HR department says that you must be able to prove which site they were at exactly and for how long in order to take any action. Now, in order to do this you would have to either search through raw logs or purchase third party software. For most big companies, while it's good to know the categories people are going to for statistics, in order to enforce a web browsing policy you have to be able to tell right away what sites people are visiting without digging through a bunch of raw logs.

Many web security/filtering appliances have this feature built in and I would think that it might be something that they might want to add in the future.

qsnow_ironport Thu, 12/13/2007 - 14:35

The SawMill option will DEFINITELY give you what you're looking for and more....

I configured my SawMill profile to FTP into the IronPort(s) and pull the logs down. There are a number of ways you can handle getting the reports into SawMill, but this was the easiest for us.

Also, remember to add the custom field variables into the appliance's logging.

(System Administrator - Log Subscriptions)

Click AccessLogs

In the "Custom Fields" section you need: %XC %Xn
