Using statistics counters for Web Gateway 7 monitoring

Version 1


    Explanation:

     

    The McAfee Web Gateway has a variety of statistics counters that can be used for monitoring.  The counters fall into three 'groups': System, Content and Traffic.

    There are a variety of ways to 'use' the counters.  This guide will cover a typical 'monitoring' type of use case.


    This example will use the Web Gateway's 'error handler', and Incident ID number 5.  (See more information about incidents here: https://community.mcafee.com/community/business/email_web/webgateway/blog/2011/05/18/have-you-ever-wondered-what-incidents-inside-mwg-are)

     

    Incident ID 5 is an incident that 'fires' every minute. As such, it is a useful way to trigger statistics monitoring, and then react on it (i.e. send a notification email, or signal a syslog server, etc.)

     

    An example use case is to send a notification message when a counter reaches a certain threshold, say when CPU use percentage is above 95%. (The available statistics counters can be found in the table at the end of this document.)

     

    The procedure below discusses the use case mentioned above in detail.  This can be used as a framework for capturing any other desired monitoring statistics. 

     

     

    Procedure:

     

    Navigate to 'Policy' -> Rule Sets (tab) -> Error Handler.

     

    Within the desired Error Handler setting container (typically the 'Default' error handler setting container), click to 'add' a rule set from the rule set library.

     

    Locate the "Monitoring" rule set within the Rule Set Library.

     

    Typically, you will want to place that rule set near the top of the Error Handler list of rule sets.

     

    Be sure 'Show Details' is selected in the main pane.


    Click to select the new top level Monitoring rule set, and make note of the rule set criteria:


    Incident.ID equals 5

     

    Click to select the 'Check CPU Overload' rule set.  There, note the rule set criteria for this rule set:  Statistics.Counter.GetCurrent("CPULoad")<Default> greater than or equals 95. You will note that "CPULoad" is the statistics counter for this particular rule set.  If you click to 'edit' that rule set criteria, you'll note that 'CPULoad' is specified as a simple text value.  The names of the available counters can be found in the table at the end of this document.

     

    Next, within that rule set, click to select the 'Create Notification Message' rule.  As can be seen, an event is used to 'generate' the 'notification' message.

     

    After that, there are four additional rules.  Each allows for a different type of message to be sent: SNMP, Syslog, Email, or simply writing to a log file.

     

    Simply enable the desired rule(s) depending upon notification type.
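
Because the Monitoring rule set is evaluated each time Incident 5 fires, an enabled notification rule sends one message per minute for as long as CPULoad stays at or above the threshold. The following Python code is an added example (not part of the original document or of Web Gateway) showing how a syslog receiver could group those per-minute messages into overload episodes. The line format, host names and values are constructed for illustration; the real text is whatever the 'Create Notification Message' rule is configured to produce.

```python
import re
from datetime import datetime, timedelta

# Constructed line format (assumption): the real text is whatever the
# 'Create Notification Message' rule on the appliance is set to emit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) MWG-Monitoring "
    r"counter=(?P<counter>[\w.]+) value=(?P<value>\d+(?:\.\d+)?)$"
)

def collapse_episodes(lines, max_gap=timedelta(seconds=90)):
    """Group per-minute notifications into episodes per (host, counter).

    A gap longer than max_gap between two messages for the same key
    starts a new episode. Returns (episodes, rejected_lines).
    """
    parsed, rejected = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            if m is None:
                raise ValueError("unexpected format")
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            rejected.append(line)  # keep unparsed input for review
            continue
        parsed.append((ts, m["host"], m["counter"], float(m["value"])))

    latest, episodes = {}, []
    for ts, host, counter, value in sorted(parsed):  # tolerate reordering
        ep = latest.get((host, counter))
        if ep is None or ts - ep["end"] > max_gap:
            ep = {"host": host, "counter": counter, "start": ts,
                  "end": ts, "peak": value, "count": 0}
            latest[(host, counter)] = ep
            episodes.append(ep)
        ep["end"] = ts
        ep["peak"] = max(ep["peak"], value)
        ep["count"] += 1
    return episodes, rejected

SAMPLE = [  # constructed sample messages, not real appliance output
    "2024-03-01T10:00:00 mwg1 MWG-Monitoring counter=CPULoad value=96",
    "2024-03-01T10:01:00 mwg1 MWG-Monitoring counter=CPULoad value=99",
    "2024-03-01T10:02:00 mwg1 MWG-Monitoring counter=CPULoad value=97",
    "2024-03-01T10:30:00 mwg1 MWG-Monitoring counter=CPULoad value=95",
    "2024-03-01T10:01:00 mwg2 MWG-Monitoring counter=CPULoad value=98",
    "garbage line without the expected fields",
]
```

Calling collapse_episodes(SAMPLE) turns the five valid messages into three episodes, one of them spanning three consecutive minutes on mwg1, and returns the malformed line separately so that unexpected input is not silently dropped.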

     

     

     

    Statistics within Web Gateway version 7

    Name                    Type        Description
    ----------------------  ----------  ----------------------------------------

    System - Statistics

    ApplicationMemoryUsage  TS (Avg)    Memory usage in percent from MWG applications
    ConnectedSockets        TS (Avg)    Number of currently open sockets of the proxy
    CPUIdle                 TS (Avg)    Percentage of the CPU in idle state
    CPULoad                 TS (Avg)    Percentage of the CPU utilization
    CPUSystem               TS (Avg)    Percentage of CPU usage not consumed by MWG applications
    CPUUser                 TS (Avg)    Percentage of CPU usage consumed by MWG applications
    FilesystemUsage         TS (Avg)    Percentage of usage of the installation partition of MWG
    HarddiskUsage           TS (Avg)    Percentage of usage of the complete hard disk
    MemFree                 TS (Avg)    Total amount of free memory in bytes
    MemoryUsage             TS (Avg)    Memory usage in percent
    MemUsed                 TS (Avg)    Total amount of used memory in bytes
    NetworkBytesReceived    TS (Avg)    Received number of bytes per second
    NetworkBytesSent        TS (Avg)    Transmitted number of bytes per second
    StatDBSize              TS (Avg)    Size of statistic database in bytes
    SwapFree                TS (Avg)    Free Swap Space in bytes
    SwapUsed                TS (Avg)    Used Swap Space in bytes
    WebCacheDiskUsage       TS (Avg)    Percentage of usage of cache partition
    WebCacheHits            TS (Total)  Number of cache hits
    WebCacheMisses          TS (Total)  Number of cache misses
    WebCacheObjectsCount    TS (Avg)    Number of objects in web cache

    Content - Statistics

    BlockedByAntiMalware    TS (Total)  Number of blocked transactions by Anti-Malware process
    BlockedByURLFilter      TS (Total)  Number of blocked transactions by URL filter
    BlockedByMediaFilter    TS (Total)  Number of blocked transactions by media filter
    CertExpired             TS (Total)  Number of detected expired certificates
    CertNameMismatch        TS (Total)  Number of certificates with name mismatch
    CertUnresolvable        TS (Total)  Number of unresolvable certificate chains
    CertWildCardMatch       TS (Total)  Number of certificates that matched a wildcard in rule
    ConnectionsBlocked      TS (Total)  Number of blocked connections
    ConnectionsLegitimate   TS (Total)  Number of legitimate connections
    Categories              TS (Total)  Number of detected categories
    MalwareDetected         TS (Total)  Number of detected malware objects
    MT.Archive              TS (Total)  Number of detected archives
    MT.Audio                TS (Total)  Number of detected audio files
    MT.Document             TS (Total)  Number of detected documents
    MT.Executable           TS (Total)  Number of detected executables
    MT.Image                TS (Total)  Number of detected images
    MT.Stream               TS (Total)  Number of detected streams
    MT.Text                 TS (Total)  Number of detected text files
    MT.Video                TS (Total)  Number of detected videos
    RepHighRisk             TS (Total)  Number of pages with reputation: high risk
    RepMediumRisk           TS (Total)  Number of pages with reputation: medium risk
    RepMinimalRisk          TS (Total)  Number of pages with reputation: minimal risk
    RepUnverified           TS (Total)  Number of pages with reputation: unverified

    Traffic - Statistics

    FtpRequests             TS (Total)  Number of FTP requests
    FtpTraffic              TS (Total)  FTP traffic in bytes from Proxy to Internet
    FtpBytesFromClient      Single
    FtpBytesFromServer      Single
    FtpBytesToClient        Single
    FtpBytesToServer        Single
    HttpBlocked             TS (Total)  Number of blocked HTTP(S) requests
    HttpLegitimate          TS (Total)  Number of legitimate HTTP(S) requests
    HttpRequests            TS (Total)  Number of HTTP requests
    HttpTraffic             TS (Total)  HTTP traffic in bytes from Proxy to Internet
    HttpBytesFromClient     Single
    HttpBytesFromServer     Single
    HttpBytesToClient       Single
    HttpBytesToServer       Single
    HttpsRequests           TS (Total)  Number of HTTPS requests
    HttpsTraffic            TS (Total)  HTTPS traffic in bytes from Proxy to Internet
    HttpsBytesFromClient    Single
    HttpsBytesFromServer    Single
    HttpsBytesToClient      Single
    HttpsBytesToServer      Single
    ICAPReqmodTraffic       TS (Total)  Number of bytes transferred in ICAP reqmod
    ICAPRespmodTraffic      TS (Total)  Number of bytes transferred in ICAP respmod
    ICAPReqmodRequests      TS (Total)  Number of requests in ICAP reqmod
    ICAPRespmodRequests     TS (Total)  Number of requests in ICAP respmod