cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Level 10
Report Inappropriate Content
Message 1 of 5

Rule hits

Hi,

would like to know if we can enable hits in MWG to find out which rules are used heavily and unused ones. plz advise.

 

Thanks,

Sridhar

 

4 Replies
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 5

Re: Rule hits

Hello @chvgms ,

it is currently not possible, there is an open idea request for this feature already, please vote on it to get McAfee's attention: 

https://community.mcafee.com/t5/Enterprise-Customer-Product/Count-match-of-rules/idi-p/651345

There are two workarounds to check for triggered rules:

  • add PDStorage counters to each rule and dump then after a while
  • log FiredRules property and analyze the log with Splunk or a script

you can additonally use a EvaluatedRules property to find rules which were evaluated, but never triggered.

You can use Last.Rule property to find exit rules - the rules where the request was blocked or allowed, but it will not show the all processed rules in-between.

Rules.EvaluatedRules - List of all IDs of rules/rule sets, which have been evaluated
Rules.EvaluatedRules.Names - List of all name of rules/rule sets, which have been evaluated
Rules.FiredRules - List of all IDs of rules/rule sets, where the condition was true
Rules.FiredRules.Names - List of all names of rules/rule sets, where the condition was true

 

Edit: not Last.Rule but Rules.CurrentRuleName

Level 10
Report Inappropriate Content
Message 3 of 5

Re: Rule hits

voted, thx
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: Rule hits

Hi,

Hope you are doing well.

We have 4 below properties as well:-
 
Rules.EvaluatedRules
Rules.EvaluatedRules.Names
Rules.FiredRules
Rules.FiredRules.Names
 
Below are few links on this for your reference:-
 
 
 
 
You can also log Rules.CurrentRuleSetName" and "Rules.CurrentRuleName", these two properties in access.log to log rule names.
 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

 

 
Regards
Alok Sarda
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 5

Re: Rule hits

Hi Sridhar, 

If you have ePO server on your environment you could go and install McAfee CSR (Content Security Reporter) Find on the highlighted link the Installation guide, in order to get your Proxy and ePO server synced on information.

Once you have installed CSR (if not already there) You can perform a Report / Query based on hits per rule names or other property following this steps:

1. ePO Menu > Queries & Reports

img1.png2. Go to McAfee Groups > CSR: Productivity – WEB

3. Select “Top Web Categories” (as an example) > Actions Duplicate and save

img2.png

 img3.png

 Select a Name a group and Click OK

img4.png

4. Go to the Group and select the recent created Query
Click Actions > Edit

img5.png

5. Select the type of Chart to Show (Bars, Pie Chart or Table), the “Sum of hits”

6. In this example you can use “Pie Chart” for “Rule Names” and Summary of “Hits”

img6.png

 

7. In the next Step you can select what information you need to show as this example:

img7.png

 

8. At the end of the settings you can filter for any setting you need or you can leave it blank to get all the information.

img8.png

9. Finally, you can save the Query, and

10.Run the Report.

This is an example using pi chart, you can use Bars or Tables if needed and also can play around with the options.

If you need further information you can check how to customize reports. on this Link

Hope it's helps!

Patricio Briceño

 

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community