8 Replies Latest reply on Oct 16, 2012 4:06 PM by sroering

    Mc Afee Webreporter

      Hello,

       

      i have a big problem and i don't know how to solve it. I use webgateway and webwasher. Webgateway pushes the user-defiend-acess logs files  to the webreporter.

      But now comes ne problem: The webreporter only process the first line of the log file for instance:

       

      [09/Oct/2012:09:37:54 +0200] 10.253.192.192 "Public Information, Online Shopping" TCP_MISS 200 "http://www.idealo.de/filestore/4442983_RieterRente_100.jpg?path=/e3/11/178bb0bf- ac9b-4b3d-93cd-4680a4b2040c-web.jpg&key=12B5D27CB4ADAB212A4EE1118900EC642545A68A .png" 9310 "Minimal Risk" ""

      [09/Oct/2012:09:37:54 +0200] 10.253.192.192 "Public Information, Online Shopping" TCP_MISS 200 "http://www.tchibo.de/filestore/Thumbnail.jpg?path=/83/45/4d047c1e-643c-4a6e-91ca -1c4b51921f33-Bild.jpg&key=A4C4E3AA781F16FDF8E18D34C4BAF631BA96F467" 21220 "Minimal Risk" ""

      [09/Oct/2012:09:37:54 +0200] 10.253.192.192 "Public Information, Online Shopping" TCP_MISS 200 "http://www.test.de/img/dev/StiWa_Play_46x46px;v63482340254.png" 2595 "Minimal Risk" ""

      [09/Oct/2012:09:37:54 +0200] 10.253.192.192 "Public Information, Online Shopping" TCP_MISS 200 "http://www.tchibo.de/filestore/Thumbnail.jpg?path=/83/45/4d047c1e-643c-4a6e-91ca -1c4b51921f33-Bild.jpg&key=A4C4E3AA781F16FDF8E18D34C4BAF631BA96F467.png" 21220 "Minimal Risk" ""

      [09/Oct/2012:09:37:54 +0200] 10.253.192.192 "Public Information, Online Shopping" TCP_MISS 200 "http://www.idealo.de/filestore/4442983_RieterRente_100.jpg?path=/e3/11/178bb0bf- ac9b-4b3d-93cd-4680a4b2040c-web.jpg&key=12B5D27CB4ADAB212A4EE1118900EC642545A68A .png" 9310 "Minimal Risk" ""

      [09/Oct/2012:09:37:54 +0200] 10.253.192.192 "Public Information, Online Shopping" TCP_MISS 200 "http://www.gold.de/filestore/YummyMami_100.jpg?path=/65/a5/60a38e33-47d6-48ac-9f 5b-7c5fe69bf175-produkt.jpg&key=B9E9057930F0A8BAD450CE352DAF5D942DD098F2.png" 4252 "Minimal Risk" ""

       

       

      Webreporter works only withe the first logline. In this example he would only read idealo.de.

      What can i do?

       

      Here are a few Screenshots of my Settings:

       

      Webgateway

       

      http://www.bilderupload.de/bild.php/103713,aX7PNP.png

       

      Webreporter:

       

      http://www.bilderupload.de/bild.php/103714,bDLVCO.png

       

      Can someone help me?

       

      Best Regards

       

      Mistert87 

        • 1. Re: Mc Afee Webreporter
          Hayton

          This question has been moved to Web Gateway (in Email & Web Security) for attention.

          • 2. Re: Mc Afee Webreporter
            asabban

            Hello,

             

            I believe this is a feature. Web Reporter uses "Page Views" or "Condensed Reports" to merge requests which follow each other into a "page view". The idea is to not show each individual request, but only the view of the website, excluding the embedded objects. For example if you go to bild.de you will probably get a hundret objects loaded from several places. Now Web Reporter shows the user has seen a hundret of objects, while simply spoken he only visited bild.de.

             

            Therefore the Page Views or Condensed Reports try to merge request which belog together, following specific rules. In the example above a user has visited idealo.com. The following requests are merged into this, because Web Reporter assumes the following objects belong to the first call. Usually you would have something more explicit like "www.idealo.com" as the first request and all other objects merged into it, but if the logfile starts with the link you have mentioned Web Reporter most likely has no reference to previously called URLs.

             

            I would recommend to check if this is enabled. I believe you configure this behaviour in the log source.

             

            This may be what you are looking for.

             

            Best,

            Andre

            • 3. Re: Mc Afee Webreporter
              sroering

              What is the reason for using a custom log format?  Since you are using Web Gateway, you should use the web gateway auto-discover format.  The custom log format is designed for generic web proxies that we do not already have a log format for in the list.

               

              With the custom log parser, you will not be able to see bocked requests and everything will appear as allowed. 

               

               

              Regarding the issue with only seeing the first line, Andre is probably correct, that it is due to log source having page-views enabled.  If you edit the log source and go to the processing tab, there is a check box to enable page views (enabled by default).

              • 4. Re: Mc Afee Webreporter

                OK, thanks for your response. Ok i shoulf first change my webwasher logfile into this:

                 

                DateTime.ToWebReporterString

                " ""

                Authentication.UserName

                "" "

                String.ReplaceIfEquals (IP.ToString (Client.IP), "", "-")

                " "

                String.ReplaceIfEquals (Number.ToString (Response.StatusCode), "", "-")

                " ""

                Request.Header.FirstLine

                "" "

                """

                List.OfCategory.ToString (URL.Categories)

                "" ""

                URL.ReputationString

                "" ""

                MediaType.ToString (MediaType.FromHeader)

                "" "

                String.ReplaceIfEquals (Number.ToString (Body.Size), "", "-")

                " ""

                Header.Get ("User-Agent")

                "" ""

                List.OfString.ToString (Antimalware.VirusNames)

                "" ""

                Number.ToString (Block.ID)

                 

                And after this, i should edit the checkbox to enable page viewes?

                 

                regards

                 

                AC

                • 5. Re: Mc Afee Webreporter

                  If only these thigs working with webreproter it isn't good for me. I need for instance "Bytes to Client". "Bytes to Client" is not in this list, so i can not use this log data?

                   

                  regards

                  • 6. Re: Mc Afee Webreporter
                    sroering

                    I mean custom log format in Web Reporter. You can customize the access log in Web Gateway to have any information you like, but in Web Reporter you should always use the Web Gateway Auto Discover format for the log source.

                     

                     

                    A C wrote:

                     

                    If only these thigs working with webreproter it isn't good for me. I need for instance "Bytes to Client". "Bytes to Client" is not in this list, so i can not use this log data?

                     

                    regards

                    • 7. Re: Mc Afee Webreporter
                      Cberry

                      How do you use the "Log Source" option in the Custom "quick view" section of Web Reporter Premium with Web Gateway 7 log pushing?

                      • 8. Re: Mc Afee Webreporter
                        sroering

                        Cberry,

                         

                        I'm not exactly sure of your question, but it doesn't seem to be related to this thread.  Perhaps you are better to start a new thread with an appropriate subject.  Are you asking what "log source" means under Quick View > Custom, in Web Reporter?  That is for adding log source filters to your reports.   You can use that to restrict your report results to data from one or more Log Source (Web Gateway).  An exampl might be if you have more than one log source, but are trying to verify your policy is working correctly on just one of the Web Gateways.