michael-s-w
Level 9

McAfee WebReporter and LogFiles

Hi,

some weeks ago we started with WebGateway 7 and finished the configuration in the main parts. But it does not run in real business yet; this will happen in the next quarter of this year. Parallel to the introduction of WebGateway we had to configure the new WebReporter - the version here is 5.2.0.01 Build 1096.

After some problems and difficulties everything is running fine now... BUT it seems that WebReporter cannot recognize the information in the LogFiles. After running the job, WebReporter notifies that everything went fine and finishes with 100%. But - for example - Log Records processed 3.539, elapsed time 0 seconds and recognized mistakes 3.538. These numbers had the same proportions at every attempt; the recognized mistakes were every time one less than the processed LogRecords. See the screenshot (in German), too.

I think the problem is in the LogFile-configuration on the side of the WebGateway-Appliances. But perhaps I am wrong.

If anyone knows an answer please be so kind to write it in this posting.

Regards

Michael S-W

0 Kudos
8 Replies
asabban
Level 17

Re: McAfee WebReporter and LogFiles

Hello Michael,

I think your assumption is right. Something in the log file structure is not accepted by Web Reporter. Are you able to provide a few lines of your access.log?

Best,

Andre

0 Kudos
michael-s-w
Level 9

Re: McAfee WebReporter and LogFiles

Hi Andre,

I prepared a screenshot, but I think I have no possibility to put it in an answer to your response. So I copied some lines as you proposed.

First you see the header:

#src_ip "auth_user" time_stamp "req_line" status_code bytes_from_client bytes_to_server bytes_from_server bytes_to_client "user_agent" "attribute" "media_type" “user_defined_policy” "virus_name" "dom" "policy"  “current_rule_name”

And now some rows:

172.16.XX.XX [28/Jun/2011:14:32:31 +0200] GET http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&version=12.0.7601.17514&locale=407&u... HTTP/1.1 407 477 0 0 3127 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; Windows-Media-Player/12.0.7601.17514) 0  0    Requesting NTLM-Agents

172.16.XXXX[28/Jun/2011:14:32:31 +0200] GET http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&version=12.0.7601.17514&locale=407&u... HTTP/1.1 407 561 0 0 3427 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; Windows-Media-Player/12.0.7601.17514) 0  0    Requesting NTLM-Agents

172.16.XXXX xxxx [28/Jun/2011:14:32:31 +0200] GET http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&version=12.0.7601.17514&locale=407&u... HTTP/1.1 302 1193 523 721 792  0  0  STADT W-Allgemein Allow URLs that Matches in List Response Whitelist in Cycle Response

172.16.XXXX xxxx [28/Jun/2011:14:32:31 +0200] GET http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&version=12.0.7... HTTP/1.1 200 506 545 865 955  0  0  STADT W-Allgemein Allow URLs that Matches in List Response Whitelist in Cycle Response

172.16.XXXX xxxx [28/Jun/2011:14:32:33 +0200] GET http://images.windowsmedia.com/svcswitch/MG_de-de.xml HTTP/1.1 200 380 485 167 1422  0 text/xml 0  STADT W-Vollzugriff-URL-Category FIN

172.16.XXXX [28/Jun/2011:14:32:57 +0200] GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl HTTP/1.1 407 174 0 0 2826 Microsoft-CryptoAPI/6.1 0  0    Requesting NTLM-Agents

172.16.XXXX [28/Jun/2011:14:32:57 +0200] GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl HTTP/1.1 407 258 0 0 3142 Microsoft-CryptoAPI/6.1 0  0    Requesting NTLM-Agents

172.16.XXXX xxxx [28/Jun/2011:14:32:57 +0200] GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl HTTP/1.1 200 906 235 1014 1080  0  0  STADT W-Allgemein Allow URLs that Matches in List Response Whitelist in Cycle Response

172.16.XXXX [28/Jun/2011:14:33:28 +0200] GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl HTTP/1.1 407 294 0 0 2830 Microsoft-CryptoAPI/6.1 0  0    Requesting NTLM-Agents

172.16.XXXX [28/Jun/2011:14:33:28 +0200] GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl HTTP/1.1 407 378 0 0 3146 Microsoft-CryptoAPI/6.1 0  0    Requesting NTLM-Agents

172.16.XXXX xxxx [28/Jun/2011:14:33:29 +0200] GET http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl HTTP/1.1 304 1026 355 227 293  0  0  STADT W-Allgemein FIN

172.16.XXXX [28/Jun/2011:14:33:29 +0200] GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl HTTP/1.1 407 292 0 0 2828 Microsoft-CryptoAPI/6.1 0  0    Requesting NTLM-Agents

172.16.XXXX [28/Jun/2011:14:33:29 +0200] GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl HTTP/1.1 407 376 0 0 3128 Microsoft-CryptoAPI/6.1 0  0    Requesting NTLM-Agents

172.16.XXXX xxxx [28/Jun/2011:14:33:29 +0200] GET http://mscrl.microsoft.com/pki/mscorp/crl/mswww(5).crl HTTP/1.1 304 1008 351 176 242  0  0  STADT W-Allgemein FIN

The big "X"s stand for the rest of the IP, the small "x"s are there instead of the name.

greetings

Michael S-W

0 Kudos
asabban
Level 17

Re: McAfee WebReporter and LogFiles

Hello Michael,

I assume there is something wrong with one of the added rows. We just have to find out which one :-)

It seems that all of the quotation marks have been removed due to copy&paste, so I assume they are present in the access.log. I just talked to Support, and maybe some of the columns you are writing are not part of the Web Gateway logfile definition of Web Reporter. If you use the predefined log formats this may be a problem, and you may have to manually tell Web Reporter which row contains what values.

I think the easiest way would be to file an SR with support, and have them take a look into the Web Gateway set up and your Web Reporter configuration.

If possible attach

- a feedback file of the MWG

- a backup file of Web Reporter

- server.log and logparsing.log of Web Reporter

This should allow us to let you know what exact tweaks are required.

Best,

Andre

0 Kudos
michael-s-w
Level 9

Re: McAfee WebReporter and LogFiles

Hi Andre,

I feared you would write something like opening an SR. I hoped it would have been a simple thing ;-(

By the way, even in the original there are no quotation marks except in the header - perhaps this will be a little helpful!

Until soon and greetings from Wuppertal!

Message edited by michael-s-w on 29.06.11 06:02:29 CDT
0 Kudos
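
Added example, not part of the original posts and not Web Reporter's own parser: a small Python checker for the mismatch discussed above, where the header declares quoted columns but the rows carry no quotation marks. The tokenising rules and the sample rows (192.0.2.10, jdoe, example.com) are constructed assumptions; the header is the one posted in the thread with its curly quotes written as straight quotes.

```python
import re

# Header from the thread (curly quotes normalised to straight quotes).
HEADER = ('#src_ip "auth_user" time_stamp "req_line" status_code '
          'bytes_from_client bytes_to_server bytes_from_server bytes_to_client '
          '"user_agent" "attribute" "media_type" "user_defined_policy" '
          '"virus_name" "dom" "policy" "current_rule_name"')

# Assumed token rule: "quoted string", [bracketed timestamp], or bare word.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\[[^\]]*\]|\S+')

def header_fields(header):
    """Return [(column name, must_be_quoted)] as declared by the header."""
    return [(t.strip('"'), t.startswith('"'))
            for t in header.lstrip('#').split()]

def check_line(line, fields):
    """Return the problems found when matching one row against the header."""
    tokens = TOKEN.findall(line)
    problems = []
    if len(tokens) != len(fields):
        problems.append(f"expected {len(fields)} fields, found {len(tokens)}")
    for (name, quoted), tok in zip(fields, tokens):
        if quoted and not tok.startswith('"'):
            problems.append(f"{name}: expected quoted value, got {tok!r}")
            break  # columns after the first slip are misaligned anyway
    return problems

def summarize(lines, fields):
    """Return (records processed, records with errors), skipping '#' lines."""
    rows = [l for l in lines if l.strip() and not l.startswith('#')]
    return len(rows), sum(1 for l in rows if check_line(l, fields))

# Constructed sample rows: one quoted as the header declares, one without.
GOOD = ('192.0.2.10 "jdoe" [28/Jun/2011:14:32:31 +0200] '
        '"GET http://example.com/ HTTP/1.1" 200 506 545 865 955 '
        '"Mozilla/4.0 (compatible)" "0" "text/html" "0" "" "" '
        '"Default" "Allow"')
BAD = ('192.0.2.10 jdoe [28/Jun/2011:14:32:31 +0200] '
       'GET http://example.com/ HTTP/1.1 200 506 545 865 955 '
       'Mozilla/4.0 (compatible) 0 text/html 0 Default Allow')

if __name__ == "__main__":
    fields = header_fields(HEADER)
    for row in (GOOD, BAD):
        print(check_line(row, fields) or "ok")
    print(summarize([HEADER, GOOD, BAD, BAD], fields))
```
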
asabban
Level 17

Re: McAfee WebReporter and LogFiles

Hi Michael,

do you have the SR number for me by any chance?

Thank you!

Andre

0 Kudos
michael-s-w
Level 9

Re: McAfee WebReporter and LogFiles

Hi Andre,

thank you for your help. I will submit the SR to you via PN.

Regards

Michael S-W

0 Kudos
Troja
Level 14

Re: McAfee WebReporter and LogFiles

Hi all,

is there a default RuleSet available to use MWG 7.x with WebReporter?

Best, Thorsten

0 Kudos
sroering
Level 13

Re: McAfee WebReporter and LogFiles

Hello,

You should probably start new threads if the question doesn't match.  It will help other people find similar problems.

To answer your question,  Web Gateway comes with a default ruleset for the access log. The default works with Web Reporter. Is there something missing that you need help with?  Perhaps you could start a new thread and let us know what you are missing or expecting and we can help you get it corrected.

Troja wrote:

Hi all,

is there a default RuleSet available to use MWG 7.x with WebReporter?

Best, Thorsten

0 Kudos