I am new to McAfee Web Security and was looking for the best way to report all activity for diffrent client Ip subnets.
You definitely don't want to generate email on every request.
You might consider creating a separate log for them under the log handler ... add a new one with a criteria of client.ip matches in list [list of whitelisted ip's]. And then deep in there is some magic to do FileSystemLoggin.WritelogEntry (User-definedloglinesomething or ther) and within there a log configuration can be made to autmatically push that log out to Web Reporter at certain intervals. I strongly recommend getting support's help with this because I can never do it on my own despite having done it twice before with their help.
Or, if you have the web reporter, you could possibly to it on that end based on stock access logs. I'm not sure though as web reporter is ... not the greatest in terms of its query flexibility.
Or, you could deal with raw logs and do an zfgrep -f textfileoftheiripaddresses.txt /path/to/your/archived/logs/accessYYMMDD* > whitelisters_reviewme_somehow.txt
The first one is probably the cleanest.
Getting web reporter to send you a daily summary based on a log file source of those with that privilege is probably the way to go.
Thank You regis for reply,
I was more looking for best way to configure a rule to allow all access to web (not blocking anything) for a few subnets, to generate report of all there activity and what users access.
The report answer was a help
currently i have a ruleset allow URL custom, under rule I have client IP Range:destinationIPRange and criteria client IP in in range list or URL destination IP is in range list Url allow
Client Subnets are added
Events: set client.IP=Client.IP
not sure if i need anything else in rules to record data