589 Views 4 Replies Latest reply: Jan 7, 2013 8:11 AM by sroering
satbir Apprentice 85 posts since
Oct 9, 2011

Jan 4, 2013 1:51 AM

Extract report of number of MCP users from web reporter.

Hello,

 

There are 6 proxies configured in the network, out of which one is dedicated only to remote users using MCP. Access logs of all these proxies go to a central db server. From there they come to Web Reporter for analysis. There is a single log source configured on Web Reporter. User group details of MCP users are extracted via LDAP query before group based policy. I want to extract the number of users coming on the proxy (daily count with user details) dedicated to MCP users. How can this be achieved? Please advise!

 

Regards,

Satbir


  • sroering McAfee SME 459 posts since
    Feb 10, 2011

    You should separate the logs from each proxy appliance at your central DB server.  Then in Web Reporter, create a log source for each proxy.  Then you can filter your report results based on log source.  That is the best way.

     

    On a side note, you will have scaling issues by running multiple appliances into a single log source.  The problem is due to how the summary data is cached.  If data isn't loaded sequentially, the time it takes to load data into the cache can increase.  There are a few other conditions that need to be met before you would see trouble, but it is still best practice to avoid this scenario.

     

    You are not likely in an immediate danger, so I don't want to make you panic, but perhaps this is something you should consider.

     

     

    If you do not separate log sources, the only other method I can think of is to log some distinct value in the access logs to identify the proxies, such as their host name.  Then on your log source you import that into a user-defined column.  Then you could filter reports based on that user-defined column.  However, there are several negative points with this method.

    1) User-defined columns require a premium reporting license and doesn't come.

    2) User-defined columns are only available for detailed data. If you are not storing it, you would need to start.

    3) Detailed data is approximately 10x larger than summary data so reports run slower

    4) You would be making your access logs a little larger and recording something that really shouldn't be necessary

    5) You cannot use quick-view to report on user-defined columns

    6) To filter reports based on user-defined columns, you need to do it at the query level, which is a little deep in the config, and not so obvious.

     

    Regards

  • eelsasser McAfee SME 843 posts since
    Mar 24, 2010

    You use %h to be substituted for System.HostName

     

    If you are pushing to Web Reporter, create an account for each proxy using the host name of the proxy (proxy1, proxy2, proxy3, etc.).

    You will have to use the same password for all of them because that does sync across all the proxies.

    Then on the Access log push setting, use the %h as the username.

     

    Capture2.png

     

    You can also do something similar if you are FTPing to an archive server, just push the logs to a different folder:

    Capture.png

     

    In my case, %h will equal mwg7:

    Capture3.png

     

    Message was edited by: eelsasser on 1/7/13 2:02:28 AM EST

     

    Message was edited by: eelsasser on 1/7/13 2:02:46 AM EST
  • sroering McAfee SME 459 posts since
    Feb 10, 2011

    Or push directly to Web Reporter, then set the post-processing to FTP the logs to the archive server.  Side effect is that the file names will have some added numbers.  The next version of Web Reporter, 5.2.1, will retain the original file names. It's going to be released really soon.
