3 Replies Latest reply on Apr 20, 2012 11:29 AM by sliedl

    Tracking urls

      Is there a way to track the urls that people are going to? I need to present a report of what people are going to, so management can decide if they want to block it. It would be nice if it would present the report by the number of times a site is accessed. For example:

      www.espn.com     100 times from ip 192.168.0.2

      www.ebay.com      2    times from ip 192.168.0.3

       

      I have looked a little with security reporter, but have not found what I need.

       

      Thanks in advance

      James

        • 1. Re: Tracking urls
          sliedl

          You can run this command quickly to get some output:

          $> acat -w1 -e "request_command GET" | egrep "srcip|url" | less

           

          That'll give you the srcip and the site they made a GET request to.  If you want the time too add '|Apr' to the egrep switches let's say (so it'll print the first line too).

           

          You can use -c with egrep to get a count.  You can use 'uniq' to see only unique URLs.

           

          As for a report, you might be able to see this with a 'cf reports' command.
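Added example, not part of the original replies: a shell function that turns the srcip/url lines left by the egrep pipeline above into the per-site, per-IP counts the question asks for. The `srcip: <ip>` / `url: <url>` field layout, the sample lines and the function names `sample_audit` and `count_url_hits` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the field layout ("srcip: <ip>", "url: <url>") is an
# assumption about what the egrep filter leaves behind, not captured output.
sample_audit() {
cat <<'EOF'
srcip: 192.168.0.2 srcport: 51514 srczone: internal
request_command: GET url: http://www.espn.com/
srcip: 192.168.0.2 srcport: 51520 srczone: internal
request_command: GET url: http://www.espn.com/nfl/scores
srcip: 192.168.0.3 srcport: 40211 srczone: internal
request_command: GET url: http://www.ebay.com/
srcip: 192.168.0.2 srcport: 51533 srczone: internal
request_command: GET url: http://www.espn.com/nba
EOF
}

# Reads filtered audit text on stdin and prints one line per (site, srcip)
# pair, busiest first: "<site> <count> times from ip <srcip>".
count_url_hits() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i == "srcip:") {
                ip = $(i + 1)                     # client of the current record
            } else if ($i == "url:" && ip != "") {
                host = $(i + 1)
                sub("^[a-zA-Z]+://", "", host)    # drop the scheme
                sub("[/:?].*$", "", host)         # drop path, port and query
                hits[tolower(host) " " ip]++
                ip = ""                           # count one URL per record
            }
        }
    }
    END {
        for (k in hits) {
            split(k, p, " ")
            printf "%d %s %s\n", hits[k], p[1], p[2]
        }
    }' | sort -k1,1nr -k2,2 |
    awk '{ printf "%s %d times from ip %s\n", $2, $1, $3 }'
}

# On the firewall the function would take the pipeline from the reply:
#   acat -w1 -e "request_command GET" | egrep "srcip|url" | count_url_hits
sample_audit | count_url_hits
```

Grouping by host name rather than full URL keeps different pages on the same site in one row, which matches the per-site report format in the question.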

          • 2. Re: Tracking urls
            sliedl

            This command will show you destination IPs along with the service name, total kilobytes, and total connections to that IP:

            $> cf reports run_report report_name=traffic

             

            This will only work if you have already turned on the auditsql and auditdbd daemons:

            $> cf server status auditsql

            -- To check

             

            $> cf daemond enable agent=auditsql

            $> cf daemond enable agent=auditdbd

            -- To enable them

             

            You can make your own reports also.  Read the 'man cf_reports' manual page to learn how to use the command.  It's...a very complicated command.

            • 3. Re: Tracking urls
              sliedl

              Ok, here's a report you can run that will show you this for each IP you specify:

               

              $> cf reports run_report report_name=host_activity template_value=10.10.1.1

               

              This will show you all the IPs that 10.10.1.1 went to, with which Service, how many times, and how many bytes transferred both ways.

               

              You'll have to specify each IP you want to look at as the template_value there.