Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
877 Views 3 Replies Latest reply: Dec 20, 2012 5:23 PM by vnuk RSS
vnuk Newcomer 8 posts since
Nov 5, 2009
Currently Being Moderated

Dec 19, 2012 4:19 PM

What is recommended way to check which user/IP consumes most bandwith?

What is the easisest method to discover who is currently (or in a recent period of 5, 10, 60 minutes) using the most bandwidth or transfers the most data? By creating a filter on the MEF (ver. 8.1.2), using QoS, using some combination of rules, or si it better to deploy (obsolete) FW Reporter or FW Profiler?

  • PhilM Champion 528 posts since
    Jan 7, 2010

    Though I've never seen it, I would have though that FW Reporter might be best option. I think there are also some bandwidth usage reports in Profiler.

  • sliedl McAfee SME 535 posts since
    Nov 3, 2009

    You can use the 'cf reports' command, albeit it's a bit tricky to get it all set up:

     

    If you have turned on the reporting databases you can run a 'report' on the audit files.  You can see if you have any databases to run reports on by running this command:
    $> cf reports show_databases

    If you get an error about 'Can't connect to local MySQL server...' then your reporting isn't on.

     

    You can turn on the reporting database with these commands:
    cf daemond enable agent=auditsql
    cf daemond enable agent=auditdbd
    (in that order)

     

    Now look at 'cf reports show_d' and you'll see one database there named 'auditdb'.

     

    Then you have to wait for the databases to be built.  What this does is watch the audit stream and while audits come in, auditdbd and auditsql write the audit information to an SQL database.  Then you can query it.  You have to wait for the audit database to be built (i.e. it's real-time, so you'll have to wait a few days).  Your older audits are not automatically added into the database.

     

    When you do have an audit database built you can run this command to get a traffic report:
    $> cf reports run_report report_name=traffic

     

    There IS a way to build databases for each audit file that is already on your firewall.  I'll explain it quickly:
    $> ls /var/log/audit.raw*
    - This gets a listing of the current audit.raw and the 'rolled' audit files


    $> /usr/libexec/auditdbd -f /var/log/[audit_file] -d [database_name]
    - This command opens the [audit_file] and puts it into the MySQL database with name [database_name].  You replace [audit_file] with audit.raw.[date-range].gz name (from the 'ls' command, or just audit.raw) and [database_name] with whatever you like.  Then this [date-range] of audits will be available in 'cf reports show_databases' and you can run a report on it.

     

    As as example:
    $> /usr/libexec/auditdbd -f /var/log/audit.raw.20120101020000.20120102020000.gz -d db_1
    The audit file covering Jan. 1, 2012 2:00 a.m. to Jan. 2, 2012 2:00 a.m. is then converted into a MySQL database named db_1 and then you can run a report on it.  You do this for each rolled-audit file in /var/log, giving each a different name at the end of the command (e.g. db_2, db_3, etc.)

     

    If you run 'cf reports show_d' now you'll see auditdb and db_1 as the two databases there and the timeframes they contain.  You can then run a report on the audit events in that rolled-audit file by specifying 'db=db_1' at the end of the 'cf reports run_report' command.

     

    Each rolled-audit covers a specific timeframe and the reports are run on that time frame - you cannot specify a timeframe such as "the last 5 minutes."

     

    You can also add ALL the rolled-audits in /var/log into one database using one command:

    $> ls /var/log/audit.raw.*.gz | xargs -I xxx /usr/libexec/auditdbd -d database_name -f xxx

    However, this will add all the rolled-audit events into ONE database, so it will cover a large timeframe and may not be useful for reporting.

     

    Read the 'man cf_reports' man page for more information on how to use the 'cf reports' command.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points