5 Replies Latest reply on Nov 8, 2012 10:00 AM by sroering

    Squid Log and Block Res in WebReporter

      Hello,

       

      I'm using a native Squid log file for WebReporter. I unlocked the Trusted Source Web Database so that I can use Category and Reputation for Squid log files.

      This works really well.

       

      But I want to use the Action function from WebReporter too. With the Squid log, it's not possible to distinguish between a blocked website and an allowed website.

      I only see green bars in WebReporter, although the site was blocked by WebGateway:

       

       

      [screenshot: a.PNG]

      The above picture shows green bars, but they have to be red.

       

      So I made a user-defined column as the picture shows:

       

      [screenshot: sdsdsdfsdt.PNG]

       

      and a custom rule set like this:

       

      [screenshot: sds.PNG]

       

      Status code 403 should be replaced with 1.

      Status code 200 should be replaced with 0.

       

      Now I want to use the 0 and the 1 to distinguish between red and green bars. Of course it doesn't work, and I need help.

       

      For testing I made a report:

       

      [screenshot: dfgdfgdfgnt.PNG]

       

      The table shows that the user-defined rule set doesn't work, because there are only "-" instead of 1 or 0.

       

      The next thing the table shows is that mwd-master (webwasher log files) registers a block at status code 403,

      but mwg-squid (Squid log file) doesn't.

       

      What can i do?

       

      Best regards

       

      A C

       

      Message edited by mistert87 on 08.11.12 06:41:13 CST
        • 1. Re: Squid Log and Block Res in WebReporter
          sroering

          What is your log parser format for the log source?  Cisco CE SFv4 - Squid Format

           

          You should get blocks if you choose the right format.  If you made a custom log format, then you may have problems getting blocks to work correctly. 

           

          You shouldn't need to use the user-defined columns, but what you have seems 95% correct. The * means "0 or more of previous character", which means you are matching 40, 403, 4033, etc.  But this should still match.  Maybe you don't need to include the ^ at the beginning.  The regex pattern matching should receive just the number (403, 200, etc), so it should be enough to only put the number in your regex without ^ or *.  That's just some advice for later. For now, let's focus on getting the blocked traffic to work correctly without user defined columns.
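          The regex point above is easy to test offline. The following is an added example, not code from the original post or from Web Reporter: it parses a few constructed Squid native access.log lines (the poster's own log is only shown as a screenshot), applies two rule sets in the shape of the user-defined column (the patterns as posted, `^403*` / `^200*`, and the bare numbers sroering recommends), and shows how the result depends on whether the engine matches only a prefix or the whole status string. How Web Reporter actually anchors its user-defined-column regexes is not stated in the thread, so both behaviours are modelled here as an assumption; the `"-"` fallback mirrors the value the poster sees in the test report.

```python
import re

# Constructed sample lines in Squid native access.log format (not taken from the post):
# timestamp elapsed_ms client result_code/status bytes method URL ident hierarchy/peer content_type
SAMPLE_LOG = """\
1352361600.123    45 10.0.0.5 TCP_MISS/200 5123 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1352361601.456     3 10.0.0.7 TCP_DENIED/403 1890 GET http://blocked.example/page - NONE/- text/html
1352361602.789    12 10.0.0.5 TCP_MISS/302 410 GET http://example.com/redirect - DIRECT/93.184.216.34 text/html
1352361603.001     2 10.0.0.9 TCP_DENIED/407 2210 CONNECT proxy.example:443 - NONE/- text/html
1352361604.500     1 10.0.0.7 TCP_MISS/404 620 GET http://example.com/missing - DIRECT/93.184.216.34 text/html
"""


def parse_squid_native(line):
    """Split one native-format line; return None for lines without the ten expected fields."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[3]:
        return None
    result_code, status = fields[3].split("/", 1)  # e.g. "TCP_DENIED/403" -> ("TCP_DENIED", "403")
    return {"client": fields[2], "result_code": result_code, "status": status,
            "method": fields[5], "url": fields[6]}


# Rule sets in the shape of the post's user-defined column: (regex, replacement value).
RULES_AS_POSTED = [(r"^403*", "1"), (r"^200*", "0")]   # the patterns the poster built
RULES_NUMBER_ONLY = [(r"403", "1"), (r"200", "0")]     # the plain numbers sroering suggests


def prefix_match(pattern, text):
    """Assumed engine behaviour A: anchored at the start, but the match need not consume the whole value."""
    return re.match(pattern, text) is not None


def full_match(pattern, text):
    """Assumed engine behaviour B: the pattern must consume the whole status string."""
    return re.fullmatch(pattern, text) is not None


def classify(status, rules, matcher):
    """Return the replacement value of the first matching rule, or "-" when no rule matches
    (the same "-" the poster sees in the test report)."""
    for pattern, value in rules:
        if matcher(pattern, status):
            return value
    return "-"


def block_column(log_text, rules, matcher):
    """Emulate the user-defined column over a whole log: list of (url, status, value) rows."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_squid_native(line)
        if rec is not None:
            rows.append((rec["url"], rec["status"], classify(rec["status"], rules, matcher)))
    return rows


if __name__ == "__main__":
    print("patterns as posted, prefix matching (404 and 407 wrongly become 1):")
    for url, status, value in block_column(SAMPLE_LOG, RULES_AS_POSTED, prefix_match):
        print(f"  {status} -> {value}  {url}")
    print("bare numbers, full matching:")
    for url, status, value in block_column(SAMPLE_LOG, RULES_NUMBER_ONLY, full_match):
        print(f"  {status} -> {value}  {url}")
```

Under prefix matching, `^403*` also matches the "40" at the start of 404 and 407, so those requests would be reported as blocked; under whole-string matching the posted patterns behave correctly, which is why the advice is simply to drop the `^` and `*` and match the number alone.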

          • 2. Re: Squid Log and Block Res in WebReporter

            Hi,

             

            I use the Squid Native Log Parser Format.

             

            [screenshot: df.PNG]

             

            The Squid log file is built like this:

             

             

            [screenshot: sdfsdfnt.PNG]

             

             

            OK, thank you. If I need the user-defined columns, I will change the regular expression, because I only need 403 and 200 to see what's blocked and what's allowed.

             

            Message edited by mistert87 on 08.11.12 08:05:02 CST
            • 3. Re: Squid Log and Block Res in WebReporter
              sroering

              OK.  Well, if those block requests are not showing as block in Web Reporter, there might be a bug.  If you have support, please open a service request with support and we will try to reproduce the problem and escalate it if necessary.

              • 4. Re: Squid Log and Block Res in WebReporter

                OK, then I will try to open a service request for the problem.

                 

                Another question:

                 

                With the Trusted Source Web Database it's possible to get the category and reputation of a Squid log, but not the malware name.

                Is there also a way to filter out the malware name from a native Squid log in WebReporter?

                • 5. Re: Squid Log and Block Res in WebReporter
                  sroering

                  Malware detection is done on the content by your proxy.  Web Reporter cannot look up malware based on the URL in the log.