I have two completely separate issues I'm hoping someone can help me with...
The first is with the Access Denied log. This log is automatically generated by default and retrieved by Web Reporter, but it then fails to parse the log file correctly, so nothing is ever done with it. It's like this out of the box. Is there any way to get some use out of this log? I notice it has the rule name that caused the block, which would be nice for multiple reasons.
I've also noticed that the message displayed when a user's AD account is locked out or their password is expired is simply "Wrong Password." I was hoping there was a way to customize this to be more descriptive. It's okay for our Help Desk because we know how to troubleshoot it, but from an end user perspective it's misleading. I'd love to have a different one for locked out and expired password, but I'd settle even for just being able to change the wording of "Wrong Password."
Thanks in advance for any help you can provide!
As for #1, the access_denied log should not be imported into web reporter or content security reporter. If it is, then you are doing it wrong.
Only the access logs should be pushed to the reporters in the individual File System setting for Access log specifically.
You are probably using the global log management pushing, which should not be used with reporter.
The Authentication Required block page that is presented to the user when the authentication fails can be changed.
It is located in the Authenticate Actions section and can be edited within the built-in editor:
Thanks for the response! In regards to the access logs, we haven't changed anything in the settings for those logs. These logs are configured to be pushed to the Web Reporter by default, out of the box. We've set up the system twice with professional services, and each time these logs are going to the reporter but are not being imported. They are failing processing:
Like I said, that's the out-of-the-box configuration. We would like to do something with this log and the Found Viruses log. What you're suggesting, though, is that this has to be done with an external logging system instead of the Reporter? Do you have any recommendations or products that other customers have used in the past?
In regards to the authentication failed block page: I understand how to edit block pages, but evidently not entirely. The picture you posted is exactly what I still see on our failed login message template. However, users that are locked out or have an expired password in Active Directory receive a message "Wrong Password" rather than "Authentication Required" as shown in that message. What I want is to be able to customize the message users receive for these two specific instances. Even if I just have to edit "Wrong Password" in a file somewhere so it gives a more descriptive message, that's fine. I just don't see anything out there that shows where I can replace "Wrong Password" with something else. I've already customized a great deal of our block pages, but evidently just not to such an advanced level.
Well, out of the box, by default, there is no log pushing to Reporter at all; you have to manually set that up.
If you are getting all those other files erroneously pushed, like it appears you are, you should change it to only push via the Access log as I described. None of the other logs are used in Web Reporter at all.
I don't know what Wrong Password screen you mean at this point. The only one that I'm aware of is the Authentication Required screen.
What does it look like?
Chances are it's not an actual MWG message, but a browser message that you are seeing. Show a screenshot if you can.
True enough. The gateway was initially installed as a PoC and then set up by professional services. Anyway, there's nothing that can be done with that log file? Let me rephrase the question: why is it generated out of the box then, and what do most people do with them? It's okay if you don't have a specific answer to that. Perhaps a customer will be able to share an example of what they've done with these other logs on their systems. Like I said, I'm interested in that and the FoundViruses log.
So, let's look at the authentication error issue. More research has tied it back to the Authentication.FailureReason.Message property. It is not a browser message and is definitely an MWG message. Here's a screenshot:
The foundvirus log is meant for manual inspection by you, the admin.
The found virus log is a subset of the access log; the access log logs everything. So importing the foundvirus log into Web Reporter would be redundant.
As far as the message at hand, I would guess you have "Try Auth" in place, and you have a ruleset to block "Non Authenticated Users" with a rule called "Deny All".
The Authentication.FailureReason message is somewhat generic. For NTLM it can mean a couple of things: the user is locked out, they actually have a bad password (very possible with try-auth), or they are logging in from a workstation they shouldn't be logged in from (check the "Log on to" settings and make sure MWG is there).
Thanks for the reply. My question, I guess, with Authentication.FailureReason.Message is whether I can customize it or not. It seems to be based on Authentication.FailureReason.ID. I'm just wondering if there's a way to customize this:
Otherwise, I will just edit the template and call it a day. This was simply a requested change from my company, because the help desk gets multiple calls a day for the first two items in that list, and it'd be easier for them if we could eliminate the expired password calls by telling the user what to do in the text. BlueCoat's ProxySG was capable of doing this, which makes me think that there's probably a way to do it with MWG as well.
eelsasser: The rule set was customized, and I added the rule set name in the footer of all block pages, which is why you're seeing that the source of that page was the Not Authenticated Users / Deny All block rule.
At the moment I would say no, because there is nothing to allow you to differentiate one "Wrong password" failure from another.
"Wrong password" is returned for all of the reasons you listed above.
Actual problem -> Authentication.FailureReason.Message
Wrong password -> Wrong password
Locked out -> Wrong password
Password expired -> Wrong password
Not allowed computer -> Wrong password
Perhaps product management has other thoughts on this possibility.
The access denied and found viruses logs are there mostly for debugging purposes. It's easier to debug a page that is blocked with the access_denied log than to look at all the traffic in the access.log. They just aren't used for reporting.
The "Wrong password" page is clearly something that has been customized and is not a standard default.
The page is being triggered on the Not Authenticated Users / Deny All block rule.
The "Wrong Password" message itself is a property that has been inserted on that page.
Either way, you can edit that page to show whatever you want.
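The thread above establishes that the access_denied log is a manually inspected debugging aid (a subset of access.log that carries the name of the rule that blocked the request) and that Web Reporter will not import it. One way to still get the "blocks per rule" and "blocks per user" view the original poster wanted is a small offline tally script. The following is an added example and not code from the thread or from McAfee; because MWG log handlers are admin-configurable, the field order in FIELDS and the sample lines (constructed here, not real log output) are assumptions that must be adjusted to the actual log handler layout. Lines that do not match the expected field count are reported separately rather than silently dropped, since an unparseable line is exactly what a reporter would choke on.

```python
import csv
import io
from collections import Counter

# ASSUMED layout: the real order of fields in an MWG access_denied log is
# whatever the log handler was configured to emit. Edit FIELDS to match.
FIELDS = ["timestamp", "user", "client_ip", "status", "url", "block_reason", "rule"]

# Constructed sample log; these are not real MWG log lines.
# The third line is deliberately malformed to exercise the error path.
SAMPLE_LOG = """\
"2014-05-12 09:15:01" "DOMAIN\\jsmith" 10.1.2.3 403 "http://example.com/bad" "URL Filter" "Default / Block Category"
"2014-05-12 09:15:07" "DOMAIN\\jsmith" 10.1.2.3 403 "http://example.net/x" "Gateway Anti-Malware" "Default / Block Malware"
this line is not parseable
"2014-05-12 09:16:30" "DOMAIN\\alee" 10.1.2.9 403 "http://example.org/" "Authentication" "Not Authenticated Users / Deny All"
"""


def parse_access_denied(text, fields=FIELDS):
    """Parse space-separated, double-quoted log lines.

    Returns (records, malformed): records is a list of dicts keyed by `fields`;
    malformed holds the raw content of lines whose field count did not match,
    so nothing is dropped silently.
    """
    records, malformed = [], []
    reader = csv.reader(io.StringIO(text), delimiter=" ", quotechar='"',
                        skipinitialspace=True)
    for row in reader:
        if not row:
            continue  # skip blank lines
        if len(row) != len(fields):
            malformed.append(" ".join(row))
            continue
        records.append(dict(zip(fields, row)))
    return records, malformed


def blocks_by_rule(records):
    """Count blocked requests per blocking rule (rule set / rule name)."""
    return Counter(r["rule"] for r in records)


def blocks_by_user(records):
    """Count blocked requests per authenticated user."""
    return Counter(r["user"] for r in records)


def last_block_for_user(records, user):
    """Return the most recent block record for `user`, or None.

    Handy for a help desk call: 'what rule just blocked this person?'
    """
    hits = [r for r in records if r["user"] == user]
    return hits[-1] if hits else None


if __name__ == "__main__":
    recs, bad = parse_access_denied(SAMPLE_LOG)
    for rule, n in blocks_by_rule(recs).most_common():
        print(f"{n:5d}  {rule}")
    if bad:
        print(f"{len(bad)} unparseable line(s):")
        for line in bad:
            print("   ", line)
```

Run it against a copy of the real file with `parse_access_denied(open(path).read())` after fixing FIELDS; the per-rule counter gives the "which rule is generating help desk calls" view, and the malformed list shows whether the log handler layout actually matches what the script expects.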