5 Replies Latest reply on Nov 8, 2012 10:00 AM by sroering

    Squid Log and Block Res in WebReporter



      I'm using a native Squid log file for WebReporter. I unlocked the Trusted Source Web Database so that I can use Category and Reputation for Squid log files.

      This works really well.


      But I want to use the Action function from WebReporter too. With the Squid log, it's not possible to distinguish between a blocked website and an allowed website.

      I only see green bars in WebReporter although the site was blocked by WebGateway:




      The above picture shows green bars but they have to be red.


      So I made a user-defined column as the picture shows:




      and a custom rule set like this:




      Status code 403 should be replaced with 1.

      Status code 200 should be replaced with 0.


      Now I want to use the 0 and the 1 to distinguish between red and green bars. Of course it doesn't work, and I need help.


      For testing I made a report:




      The table shows that the user-defined rule set doesn't work because there are only "-" instead of 1 or 0.


      The next thing the table shows is that mwd-master (webwasher log files) produces a block at status code 403,

      but mwg-squid (squid log file) doesn't.


      What can i do?


      Best regards


      A C


      Message edited by mistert87 on 08.11.12 06:41:13 CST
        • 1. Re: Squid Log and Block Res in WebReporter

          What is your log parser format for the log source?  Cisco CE SFv4 - Squid Format


          You should get blocks if you choose the right format.  If you made a custom log format, then you may have problems getting blocks to work correctly. 


          You shouldn't need to use the user-defined columns, but what you have seems 95% correct. The * means "0 or more of previous character", which means you are matching 40, 403, 4033, etc.  But this should still match.  Maybe you don't need to include the ^ at the beginning.  The regex pattern matching should receive just the number (403, 200, etc), so it should be enough to only put the number in your regex without ^ or *.  That's just some advice for later. For now, let's focus on getting the blocked traffic to work correctly without user defined columns.
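          As an added example (not part of the thread, and not WebReporter's own rule engine), the following Python applies the `^403*` pattern discussed above, and a plain match on 403, to a few constructed Squid native access.log lines. The field layout and the TCP_DENIED/TCP_MISS action values follow standard Squid conventions and are assumptions, not taken from the poster's log.

```python
import re

# Constructed sample lines in Squid native access.log layout (assumed):
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1352383200.101    12 192.0.2.10 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/203.0.113.5 text/html
1352383201.202     3 192.0.2.11 TCP_DENIED/403 3876 GET http://blocked.example/ - HIER_NONE/- text/html
1352383203.404    40 192.0.2.13 TCP_MISS/200 1024 GET http://www.example.org/ - HIER_DIRECT/203.0.113.5 text/html
"""

# Pattern from the thread: the trailing * repeats only the final '3', so the
# pattern also accepts 40, 4033, ... and it is not anchored at the end.
LOOSE_BLOCK = re.compile(r"^403*")
# Exact match on the status value the user-defined rule receives.
EXACT_BLOCK = re.compile(r"^403$")


def parse_line(line):
    """Split one Squid native log line into the fields relevant for reporting."""
    fields = line.split()
    action, status = fields[3].split("/", 1)  # e.g. TCP_DENIED/403
    return {"client": fields[2], "action": action, "status": status, "url": fields[6]}


def block_flag(status, pattern=EXACT_BLOCK):
    """Return 1 for a blocked request (HTTP 403), 0 for anything else."""
    return 1 if pattern.search(status) else 0


def summarize(log_text, pattern=EXACT_BLOCK):
    """Count blocked vs. allowed requests, the way a red/green report would."""
    counts = {"blocked": 0, "allowed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = "blocked" if block_flag(rec["status"], pattern) else "allowed"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # The loose pattern also flags values a real status field never carries:
    for value in ("40", "403", "4033", "200"):
        print(value, block_flag(value, LOOSE_BLOCK), block_flag(value))
```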

          • 2. Re: Squid Log and Block Res in WebReporter



            I use the Squid Native Log Parser Format.




            The Squid Log File is built like this:






            OK, thank you. If I need the user-defined columns, I will change the regular expression, because I only need 403 and 200 to see what's blocked and what's allowed.


            Message edited by mistert87 on 08.11.12 08:05:02 CST
            • 3. Re: Squid Log and Block Res in WebReporter

              OK.  Well, if those block requests are not showing as block in Web Reporter, there might be a bug.  If you have support, please open a service request with support and we will try to reproduce the problem and escalate it if necessary.

              • 4. Re: Squid Log and Block Res in WebReporter

                OK, then I will try to open a service request for the problem.


                Another question:


                With the Trusted Source Database it's possible to get the category and reputation of a Squid log but not the malware name.

                Is there also a way to filter out the malware name from a native Squid log in WebReporter?

                • 5. Re: Squid Log and Block Res in WebReporter

                  Malware detection is done on the content by your proxy.  Web Reporter cannot look up malware based on the URL in the log.