First of all, Web Reporter only has logic to map Web Gateway logs into allow or block. By default all requests are assumed allowed; there are a few conditions (HTTP Status and/or block_res) that will cause requests to show as blocks.
For overrides, there are several requests sent by the user.
1) Initial request, the likely response is HTTP 407 auth redirect.
2) Authentication complete and second request. This will be a block which displays the override block page.
3) Override is accepted and request is finally allowed.
Web Reporter filters the 407 so we don't double-log those requests.
The override page should show as a block in your reports.
The last request would show as allowed.
Probably the best way to report on overrides is to use a custom block_res on the 3rd leg, log block_res a second time under a new header such as "custom_block_res", then map that column into a user defined column on your log source. You can even use the custom rules in Web Reporter to map the block codes to a human-friendly value. The reason for double-logging the block_res is that block_res is a special case on the log parser and isn't available for custom columns. If you just rename your existing block_res, then your blocks won't show correctly. So the solution is to double-log.
I hope this makes sense. Perhaps Elsasser or some of the people more familiar with block codes can elaborate some good methods to get the right codes logged at the right time.
Here's what I have done.
Basically, in the MWG7 I've inserted a rule between the redirect and verification of if the override has expired. If my thinking is correct, every time it verifies to see if the override time has expired, my new rule will up the counter in the events by 1. Instead of 'BlockedbyURL' I changed the string into 'AllowedByOverride'.
In the Web Reporter, can I replace the 'AllowedByOverride' with something so that it can show as the Bypass or Override like in the image from my previous post?
As I said, the log parser for Web Reporter doesn't have the ability to map data into anything other than block or allow. There is nothing you can do to get the traffic to map into any other action. The only option is to use user defined columns in Web Reporter. Since block_res isn't available to user defined columns, you need to double-log it under a custom header name. If you want to use something other than block_res values, such as policy names, etc., there is no difference in the Web Reporter configuration.
I submitted a feature modification request with engineering asking to reserve and document block_res codes for each of the actions so that you would have the flexibility to have your report actions be anything you want. I cannot promise that it would be implemented, but I'll see how convincing I can be. Seems like a pretty simple change to me.
BTW - Thanks for helping me out, this is definitely a little over my head.
Where or how would I set up the "block_res a second time under a new header such as "custom_block_res", then map that column into a user defined column on your log source" scenario?
Thanks for this, too!
"I submitted a feature modification request with engineering asking to reserve and document block_res codes for each of the actions so that you would have the flexibility to have your report actions be anything you want. I cannot promise that it would be implemented, but I'll see how convincing I can be. Seems like a pretty simple change to me."
If they can't or won't, though, maybe they can just remove the Warn, Monitor, Bypass, and Override graphics to keep people like me from getting ideas, lol