mistert87

Squid Log and Block Res in WebReporter

Hello,

I'm using a native Squid log file for WebReporter. I unlocked the Trusted Source Web Database so that I can use Category and Reputation for Squid log files.

This works really well.

But I want to use the Action function from WebReporter too. With the Squid log, it's not possible to distinguish between a blocked website and an allowed website.

I only see green bars in WebReporter although the site was blocked by WebGateway:

[screenshot: a.PNG]

The above picture shows green bars, but they should be red.

So I made a user-defined column as the picture shows:

[screenshot: sdsdsdfsdt.PNG]

and a custom rule set like this:

[screenshot: sds.PNG]

Status code 403 should be replaced with 1,

status code 200 replaced with 0.

Now I want to use the 0 and the 1 to distinguish between red and green bars. Of course it doesn't work, and I need help.

For testing I made a report:

[screenshot: dfgdfgdfgnt.PNG]

The table showed that the user-defined rule set doesn't work, because there are only "-" instead of 1 or 0.

The next thing the table shows is that mwd-master (webwasher log files) produces a block at status code 403, but mwg-squid (squid log file) doesn't.

What can I do?

Best regards

A C

Message edited by mistert87 on 08.11.12 06:41:13 CST
sroering

Re: Squid Log and Block Res in WebReporter

What is your log parser format for the log source?  Cisco CE SFv4 - Squid Format

You should get blocks if you choose the right format.  If you made a custom log format, then you may have problems getting blocks to work correctly. 

You shouldn't need to use the user-defined columns, but what you have seems 95% correct. The * means "0 or more of previous character", which means you are matching 40, 403, 4033, etc.  But this should still match.  Maybe you don't need to include the ^ at the beginning.  The regex pattern matching should receive just the number (403, 200, etc), so it should be enough to only put the number in your regex without ^ or *.  That's just some advice for later. For now, let's focus on getting the blocked traffic to work correctly without user defined columns.

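The status-code mapping from the question and the regex point in sroering's reply, worked through as an added example that is not part of this thread and not Web Reporter's own code. It is a small Python parser for lines in the standard Squid native access.log layout (an assumption: the poster's screenshot of the log layout is not reproduced here), which puts the posted `^403*` rule next to an exact-match version and also derives the action from Squid's own `TCP_DENIED` result code rather than the HTTP status. The log lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines (not from the thread) in the standard Squid native
# access.log layout.  Assumption: the poster's log uses this layout.
#   time elapsed client result/status bytes method URL ident hierarchy/peer content-type
SAMPLE_LOG = """\
1352379000.123    45 10.0.0.5 TCP_MISS/200 5123 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1352379001.456     2 10.0.0.5 TCP_DENIED/403 3456 GET http://blocked.example/page - NONE/- text/html
1352379002.789    12 10.0.0.7 TCP_MISS/404 512 GET http://example.com/missing - DIRECT/93.184.216.34 text/html
1352379003.001     1 10.0.0.7 TCP_DENIED/407 1024 CONNECT proxy.example:443 - NONE/- text/html
"""

# One field per whitespace-separated column; result and status are split at the "/".
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one native-format line into named fields; None if it does not parse."""
    m = SQUID_NATIVE.match(line.strip())
    return m.groupdict() if m else None


# The user-defined-column rule as posted in the thread: "^403*" over the status field.
# "3*" means zero or more 3s, so this also matches "40" and "4033" (sroering's point).
POSTED_BLOCK_RULE = re.compile(r"^403*")

# Tightened rule: the column receives only the status number, so anchor both ends
# and match "403" exactly.
EXACT_BLOCK_RULE = re.compile(r"^403$")


def matches(pattern: re.Pattern, status: str) -> bool:
    """True if the rule pattern matches the extracted status field."""
    return pattern.match(status) is not None


def action_from_status(status: str) -> Optional[int]:
    """Poster's mapping: 403 -> 1 (blocked), 200 -> 0 (allowed), anything else -> None."""
    if matches(EXACT_BLOCK_RULE, status):
        return 1
    if status == "200":
        return 0
    return None


def action_from_result(result: str, status: str) -> Optional[int]:
    """Alternative that reads Squid's result code instead of the HTTP status.

    TCP_DENIED is Squid's marker for a request the proxy refused.  A 407 is a
    proxy-auth challenge rather than a policy block, so it is left unclassified
    (my choice for this example, not something the thread states).  Every other
    result code means the request was let through, whatever the origin answered.
    """
    if result == "TCP_DENIED":
        return None if status == "407" else 1
    return 0


def classify(log_text: str) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return (url, action by status rule, action by result rule) per parsable line."""
    rows = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue  # skip lines that are not in the expected layout
        rows.append((f["url"],
                     action_from_status(f["status"]),
                     action_from_result(f["result"], f["status"])))
    return rows


if __name__ == "__main__":
    for url, by_status, by_result in classify(SAMPLE_LOG):
        print(f"{url:40} status-rule={by_status!s:5} result-rule={by_result}")
```

Running it shows the two views side by side: the status-only rule leaves the 404 and 407 lines as "-", exactly the gap the poster saw in the report, while the result-code rule marks the 404 as allowed (the proxy let it through; the origin simply had nothing to serve) and only the TCP_DENIED/403 line as a block.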
mistert87

Re: Squid Log and Block Res in WebReporter

Hi,

I use the Squid Native Log Parser Format.

[screenshot: df.PNG]

The Squid Log File is built like this:

[screenshot: sdfsdfnt.PNG]

OK, thank you. If I need the user-defined columns, I will change the regular expression, because I only need 403 and 200 to see what's blocked and what's allowed.

Message edited by mistert87 on 08.11.12 08:05:02 CST
sroering

Re: Squid Log and Block Res in WebReporter (accepted solution)

OK.  Well, if those block requests are not showing as block in Web Reporter, there might be a bug.  If you have support, please open a service request with support and we will try to reproduce the problem and escalate it if necessary.

mistert87

Re: Squid Log and Block Res in WebReporter

OK, then I will try to open a service request for the problem.

Another question:

With the Trusted Websource Database it's possible to get the category and reputation of a Squid log, but not the malware name.

Is there also a way to filter out the malware name from a native Squid log in WebReporter?

sroering

Re: Squid Log and Block Res in WebReporter

Malware detection is done on the content by your proxy. Web Reporter cannot look up malware based on the URL in the log.
