19 Replies, latest reply on Jun 2, 2011 5:27 PM by jsimon2010

    Web Reporter question regarding "-"

    jont717

      What is the "-" we get in Web Reporter? We get this under User Names, Categories, Malware.

       

      Why is there a Category "-"?

       


        • 1. Re: Web Reporter question regarding "-"

          "-" means there is no data.

          With regards to categories, it's Uncategorized.

          • 2. Re: Web Reporter question regarding "-"
            jont717

            But when I click the "-" under Categories, I get sites like google, msn, blackberry, and ibm.

             

            I am sure these sites are not Uncategorized.

            • 3. Re: Web Reporter question regarding "-"

              When you put entries in the Global Whitelist rules at the top of the rule sets with a Stop Cycle, the URL does not fall into any rules that check for URL.Categories and then it doesn't assign a category to that URL in the logs.

              One thing you can do is have the logs categorize on input in Web Reporter. It will look up all the ones that don't have values.

               

              Another thing that might occur is if you are doing proxy authentication. The embryonic 407 entries don't have categories assigned to them yet, but they still have log entries.

              You can exclude the logging of 407 by putting a rule into the log handler that says 'Response.StatusCode does not equal 407'

               

               

              Message was edited by: Erik Elsasser on 1/13/11 1:23:10 PM CST
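
The two causes named in the reply above can be told apart by status code. The following is an added example, not part of any post in this thread and not vendor code; the comma-separated field layout and the sample entries are constructed for illustration and are not the product's actual log format.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in a hypothetical layout (NOT the product's real log format):
# time, user, client IP, status code, category, URL
SAMPLE_LOG = """\
2011-01-13T13:01:02,-,10.0.0.5,407,-,http://www.example.com/
2011-01-13T13:01:02,alice,10.0.0.5,200,Search Engines,http://www.example.com/
2011-01-13T13:01:09,alice,10.0.0.5,200,-,http://intranet.example.org/wiki
2011-01-13T13:02:11,-,10.0.0.8,407,-,http://news.example.net/
2011-01-13T13:02:12,bob,10.0.0.8,200,General News,http://news.example.net/
2011-01-13T13:03:30,bob,10.0.0.8,200,-,http://intranet.example.org/hr
"""

FIELDS = ["time", "user", "client", "status", "category", "url"]


def explain_blank_categories(log_text):
    """Split entries whose category is "-" by the likely reason from the thread."""
    summary = {"total": 0, "blank": 0, "auth_challenge": 0, "hosts_to_review": Counter()}
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        summary["total"] += 1
        if row["category"].strip() != "-":
            continue
        summary["blank"] += 1
        if row["status"] == "407":
            # Proxy authentication challenge: logged before any category lookup.
            summary["auth_challenge"] += 1
        else:
            # Completed request with no category: check whether the host is
            # whitelisted ahead of the rules that evaluate URL.Categories.
            summary["hosts_to_review"][urlsplit(row["url"]).hostname] += 1
    return summary


def drop_407(log_text):
    """Same effect as the 'Response.StatusCode does not equal 407' log rule."""
    rows = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    return [r for r in rows if r["status"] != "407"]


if __name__ == "__main__":
    print(explain_blank_categories(SAMPLE_LOG))
    print(len(drop_407(SAMPLE_LOG)), "entries remain after excluding 407")
```
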
              • 4. Re: Web Reporter question regarding "-"
                jont717

                This makes sense. Thanks!

                • 5. Re: Web Reporter question regarding "-"

                  Erik,

                   

                  Could you give a little more detail on how to "have the logs categorize on input in Web Reporter"?

                   

                  Thanks!

                  Tammy

                  • 6. Re: Web Reporter question regarding "-"

                    In Web Reporter, go into Administration>Options>Categorizations and enter the Web Reporter Serial Number and download the TrustedSource database.

                    Then on the Log Source itself, edit the Log Source>Processing and select the options for Include Categories from TrustedSource Web Database and the Reputation option below it.

                     

                    That should try to categorize anything that has a blank category against the currently downloaded database in reporter.

                    • 7. Re: Web Reporter question regarding "-"
                      jont717

                      Thanks for the suggestion. This problem was actually fixed when I upgraded to the new version 5.1.1.01.

                       

                      Now I only see the "-" under Malware and Protection Areas. What does the "-" mean under these areas?

                      • 8. Re: Web Reporter question regarding "-"

                        In essence, those are entries that do not contain malware. That's probably almost all entries, and throws off the scale of charts.

                         

                        I apply a filter for Malware name

                         

                        To get them to display better on the quick views, I put a filter for non-blank malware names.

                        [Attached screenshot: Capture.JPG]

                        For Advanced Reports, I put an exclude in the query:

                        [Attached screenshot: Image1.png]

                        • 9. Re: Web Reporter question regarding "-"

                          Hi Erik,

                           

                          I've used the Response.StatusCode does not equal 407 to clean up my access logs and it's working great. Subsequently, I created another log handler to log auth failures using Response code equals 407. It is sitting after the Access Log handler. The access logs were previously littered with 407 status codes. Now I know the 407 response code is a normal part of the procedure when the WG challenges a client for authorization. I'm not looking to log those requests... just looking to log true authentication problems. I'm not getting any logs yet and I'm not sure if it's due to having zero auth issues currently or if I'm approaching this the wrong way. Could you advise?

                           

                          Thanks,

                          Steve
