305 Views 4 Replies Latest reply: Sep 30, 2013 8:52 AM by sroering
stuart153 Newcomer 11 posts since
Oct 10, 2011

Sep 30, 2013 6:08 AM

Query regarding Username resolution in Web Reporter - showing resolved usernames and also anonymous (-\-)

I am running a report on Web Reporter 5.2.1 to see what users have accessed a particular website on a particular day.  The report output returns a mixture of resolved usernames and also anonymous users, which displays the username (-\-).

 

I personally have a fixed IP address, which appears in the report as both a resolved username and also anonymous as (-\-).  I can't understand why the usernames are showing as a mixture of resolved and anonymous usernames. 


I have found a KB that is similar to the issue we have,
https://kc.mcafee.com/corporate/index?page=content&id=KB68915

 

But having read through the article and running the 'Synchronise users' job, the report is still displaying a mixture of resolved usernames and anonymous users.

 

Has anyone seen this before?


At present, I am unable to provide any meaningful data to our management team and am unable to explain why some usernames are showing as anonymous.

 

Thanks

  • sroering McAfee SME 458 posts since
    Feb 10, 2011

    The synchronize users button has a different function. It will try to move users from the anonymous directory to any configured directory.  But if there is no user name, then they would not be moved.

     

    If Web Reporter doesn't have a user name then here are some possibilities.

    1)  User name was not logged (or users possibly not authenticated); check the access log for user names.

    2)  Assuming that the user name is in the log, then the "username" header isn't properly aligned over the right column.  I doubt this is the case unless every value in that column is a "-" because otherwise your usernames would be anything in that column.

  • eelsasser McAfee SME 842 posts since
    Mar 24, 2010

    Try running the same report with the Status Code not equal to 407.

    You might be logging and importing the authentication conversation that occurs during the authentication process itself.

    Or look at the logs themselves and see if there are numerous 407 entries in the logs themselves.

  • sroering McAfee SME 458 posts since
    Feb 10, 2011

    HTTP status code 407 (proxy auth) requests are not imported by Web Reporter because it would cause "double" reporting, and therefore you cannot run a report against 407 requests.  But Eelsasser is correct that the reason for double requests (one with username and one without) is that the first request hasn't been authenticated, so they are redirected for auth. After authentication, they will make the same request with credentials and you will see the user name.  But for this very reason, the 407 is dropped by Web Reporter.

     

    My original post is still withstanding.  If user names are in your logs, then the header doesn't match.

    Take your access log and filter it to remove 407s like this.

     

    grep -v " 407 " accessyyyymmddhhMMss.log > filtered_access.log

     

    Then look at the filtered results for any remaining requests that are not authenticated.
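
The checks suggested in the replies above can be done per column rather than per line. This is an added example, not part of the original thread or of any McAfee tool; it goes slightly beyond the `grep` by locating the status and user name columns from the header line, so a 407 in another column (for example a byte count) does not hide a request. The log layout, the column names other than "username", and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log; layout and column names are assumptions for illustration.
SAMPLE_LOG = '''\
#time_stamp "username" src_ip status_code bytes_to_client "req_line"
[30/Sep/2013:06:01:10 +0100] "-" 10.0.0.15 407 310 "GET http://example.test/ HTTP/1.1"
[30/Sep/2013:06:01:11 +0100] "stuart" 10.0.0.15 200 5120 "GET http://example.test/ HTTP/1.1"
[30/Sep/2013:06:02:40 +0100] "-" 10.0.0.22 200 407 "GET http://example.test/a HTTP/1.1"
[30/Sep/2013:06:03:05 +0100] "" 10.0.0.22 200 812 "GET http://example.test/b HTTP/1.1"
[30/Sep/2013:06:04:00 +0100] "jane" 10.0.0.31 200 900 "GET http://example.test/ HTTP/1.1"
[30/Sep/2013:06:05:00 +0100] 10.0.0.40 200 512 "GET http://example.test/c HTTP/1.1"
'''

# A field is a [bracketed timestamp], a "quoted string", or a bare token.
FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def fields(line):
    """Split one log line into fields, dropping surrounding quotes."""
    return [f.strip('"') for f in FIELD.findall(line)]

def audit(log_text, user_col="username", status_col="status_code", ip_col="src_ip"):
    """Count 407s, named requests, rows that do not line up with the header,
    and remaining requests without a user name grouped by source IP."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    header = fields(lines[0].lstrip("#"))
    u, s, ip = (header.index(c) for c in (user_col, status_col, ip_col))
    result = {"skipped_407": 0, "misaligned": 0, "named": 0,
              "anonymous_by_ip": Counter()}
    for line in lines[1:]:
        row = fields(line)
        if len(row) != len(header):      # header does not match this row
            result["misaligned"] += 1
        elif row[s] == "407":            # auth challenge, expected to have no user
            result["skipped_407"] += 1
        elif row[u] in ("", "-"):        # unauthenticated request that was served
            result["anonymous_by_ip"][row[ip]] += 1
        else:
            result["named"] += 1
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

In the sample, the third line would be dropped by `grep -v " 407 "` because its byte count is 407, although it is an unauthenticated request with status 200.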
