You can add the information to the access log on the Policy tab, then under Rule Sets and Log Handler. Select Access Log under the Default log handler. You should see one rule there, which you can edit. On the Edit Rule dialog, select Events, then edit the first event. The event type should stay the same, but the list of concatenated strings on the right side can be modified. The property that contains the displayName can then be added to the log line by clicking Add, then choosing the Parameter property radio button, and finally selecting the property that has the correct data.
I stuffed it all into one screen shot, but here are all the steps numbered:
I would recommend putting the name in quotes, as it is likely to have spaces in it. Click on Add, select Parameter value, and enter the quote. It would also be good to add a space before/after it to separate it from another value.
After the new data is defined in the log line, you should add a name for the field to the log header. Go to Policy --> Settings --> File System Logging --> Access Log Configuration. In the Log header field, add the new field name with the proper spaces/quotes around it. This will enable the WebReporter/Content Security Reporter to properly read the file. Without this, you will just get parsing errors.
There is no property that contains the displayName. What needs to be done is, it needs to be pulled when MWG contacts the LDAP server (AD).
So much like MWG will pull group information (memberOf), we need to store the displayName into the user-defined property based on the given username.
I will write up a ruleset which will allow you to retrieve the displayName and store it.
One question though (that has bearing on how I write it), are you using NTLM auth, or LDAP to start?
What is entailed is similar to what I did on the following thread:
But it depends on how you perform the original authentication (NTLM or LDAP), this will change how the rules look.
Alright I got it to work.
So first I used standard NTLM authentication, so it will store the authentication.username as simple string (instead of the full user DN which LDAP authentication returns).
Then I got the part of AndreSabben's ruleset on how to store LDAP query in a user-defined property (modified it to query for displayName attribute).
And lastly I changed the standard access.log authentication.username to my user-defined property (so i wouldn't have to change headers and pharser on the Reporter).
So overall I query the AD twice:
first over 445/TCP for the NTLM authentication.
second over 3268/TCP for the displayName attribute (or 389/TCP)..
Andy - thanks for your instructions and heads up on the headers quats etc !