3 Replies Latest reply on Jul 17, 2017 10:53 AM by Jon Scholten

    User's AD groups in Access.log

    mgamarra

      Hello.

       

      I have MWG 7.6.2.14.0 (23766) virtual appliance in my lab.

       

      I already have a rule set to authenticate the user's sessions and later filter them based on their active directory group.


      The authentication works fine, but I need to have a report based on specific user groups.

       

      For example, I want to know what kind of web pages (by URL Categorization) the group Marketing consumes.

       

      I have ePO v5.3.2 with McAfee Content Security Reporter v2.3.0.147 and I have the MWG reporting in the ePO.

       

      Again, I don't have problems with the integration, because I'm able to see the events in ePO related to MWG.

       

      I followed WR: How to Add a Log Column in Webgateway and How to Report on it Using Web Reporter, because I think that is the way in which I will achieve having the user's groups in my reports.

       

      Here are the modifications I did:

       

      I added in the Access log the parameter List.OfString.ToString (Authentication.UserGroups,"")

       

       

      Later, I configured the Access Log Configuration as follows:

       

       

      And finally, I configured the CSR in my ePO:

       

       

      But after all the configuration, the ePO did not parse correctly and because of that, I'm not able to see any events in my ePO.

       

      Here goes a line in the log file in which I can see indeed the AD groups:

       

      [10/Jul/2017:12:10:41 -0400] "mgamarra" 192.168.0.78 200 "GET http://www.ole.com.ar/fuera-de-juego/fotos-BocaFan_OLEIMA20170703_0047_17.jpg HTTP/1.1" "Sports" "Minimal Risk" "image/jpeg" 12114 1360 "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "" "0" "" Internet_FullAdmins. del dominioUsuarios del dominioMcAfeeSIEMmesa_de_ayudaPropietarios del creador de directivas de grupoAdministradores de esquemaOrganization ManagementAdministradores de empresas

       

      Can you please give me a hand with that? My objective is to have reports with the AD groups of my users and the web pages they consume.

       

      Regards.

       

      Matias.

        • 1. Re: User's AD groups in Access.log
          johnaldridge

          Being a list, I'd think you'd want to include a delimiter for concatenation.  Here's the way we concatenate categories:

           

          + String.ReplaceIfEquals (List.OfCategory.ToString (URL.Categories<Default>), "", "NULL")

           

          However, I'm loath to do this for AD security groups, because our lists are loooooooooong.  But, we log AD group changes in our SIEM, so we can correlate groups as needed, and logging the AD groups in access.log is not essential.

           

          I've also considered doing some kind of tagging for key groups.  We have about ten groups that have rules written against them (some blocked, some excepted), and I'm thinking I'd like to tag them so that I can log the tag.  What that means is writing a rule for each of the groups that I want to detect and tag.  It's doable, so it's on my todo list.

          • 2. Re: User's AD groups in Access.log
            Jon Scholten

            A delimiter is needed, as are quotes in the log rule. It might not be a bad idea to filter the groups that are logged as well.

             

            The groups are currently written without quotes, which will cause CSR to fail to parse the log line.

             

            Below is an example of how you can filter the groups, as well as how you can convert the groups to a string with a delimiter.

             

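Added example (not from the thread, McAfee, or CSR): a small Python script that shows why the unquoted, undelimited groups column from the question breaks a column-based log parser, and what the delimiter-plus-quotes fix from the answer above changes. The log line, the group names and the 15-column layout are constructed to resemble the line pasted in the question; the regex tokenizer is an assumed stand-in for how a quote-aware parser such as CSR reads a line, not CSR's real code, and render_groups only mimics the behaviour of List.OfString.ToString with and without a delimiter.

```python
import re
from typing import Iterable, List

# Assumed quote-aware tokenizer for the access.log layout pasted in the question:
# a bracketed timestamp, then a mix of double-quoted strings and bare tokens.
_TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed 14-column prefix modelled on the thread's line (placeholder values).
_BASE_LINE = (
    '[10/Jul/2017:12:10:41 -0400] "alice" 10.0.0.5 200 '
    '"GET http://example.test/a.jpg HTTP/1.1" "Sports" "Minimal Risk" '
    '"image/jpeg" 12114 1360 "Mozilla/5.0" "" "0" ""'
)
# Constructed AD group names; two contain spaces, like "Domain Users" in the question.
_GROUPS = ["Internet_FullAdmins", "Domain Users", "Schema Admins"]
EXPECTED_COLUMNS = 15  # 14 original columns plus the appended groups column


def split_fields(line: str) -> List[str]:
    """Split one log line into columns, honouring double quotes."""
    return [tok.strip('"') for tok in _TOKEN_RE.findall(line)]


def render_groups(groups: Iterable[str], delimiter: str, quoted: bool) -> str:
    """Mimic List.OfString.ToString(groups, delimiter), optionally wrapped in quotes (assumption)."""
    joined = delimiter.join(groups)
    return f'"{joined}"' if quoted else joined


def parse_groups(line: str, delimiter: str = ",", expected: int = EXPECTED_COLUMNS) -> List[str]:
    """Return the group list from the last column, or raise if the column count is off."""
    fields = split_fields(line)
    if len(fields) != expected:
        raise ValueError(
            f"expected {expected} columns, got {len(fields)}: is the groups column quoted?"
        )
    return [g for g in fields[-1].split(delimiter) if g]


def is_parseable(line: str) -> bool:
    """True when the line has the expected column count and a readable groups column."""
    try:
        parse_groups(line)
        return True
    except ValueError:
        return False


def filter_groups(groups: Iterable[str], wanted: Iterable[str]) -> List[str]:
    """Keep only the groups a report cares about (the 'filter the groups' advice)."""
    wanted_set = set(wanted)
    return [g for g in groups if g in wanted_set]


def column_count(line: str) -> int:
    return len(split_fields(line))


# As in the question: empty delimiter, no quotes -> names fuse and spaces add columns.
BROKEN_LINE = _BASE_LINE + " " + render_groups(_GROUPS, "", quoted=False)
# As in the answer: a delimiter and quotes around the column -> exactly one extra column.
FIXED_LINE = _BASE_LINE + " " + render_groups(_GROUPS, ",", quoted=True)

if __name__ == "__main__":
    print("broken:", column_count(BROKEN_LINE), "columns ->", split_fields(BROKEN_LINE)[14:])
    print("fixed: ", column_count(FIXED_LINE), "columns ->", parse_groups(FIXED_LINE))
    print("report groups:", filter_groups(parse_groups(FIXED_LINE), {"Internet_FullAdmins", "Marketing"}))
```

Running it shows the broken line tokenizing into 17 columns with group names run together ("Internet_FullAdminsDomain", "UsersSchema", ...), while the quoted, comma-delimited column parses back into the three original names. Pick a delimiter that cannot appear in your group names; if a group name could contain a comma, a character such as "|" is a safer choice.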
            • 3. Re: User's AD groups in Access.log
              Jon Scholten

              I answered the question, but forgot to give other advice...

               

              Content Security Reporter can also do group based reporting now, so writing the user groups to the logs may not be needed.