4 Replies. Latest reply: Sep 30, 2013 8:52 AM by sroering

    Query regarding Username resolution in Web Reporter - showing resolved usernames and also anonymous (-\-)

    stuart153

      I am running a report on Web Reporter 5.2.1 to see what users have accessed a particular website on a particular day.  The report output returns a mixture of resolved usernames and also anonymous users, which displays the username (-\-).

       

      I personally have a fixed IP address, which appears in the report as both a resolved username and also anonymous as (-\-).  I can't understand why the usernames are showing as a mixture of resolved and anonymous usernames. 


      I have found a KB that is similar to the issue we have,
      https://kc.mcafee.com/corporate/index?page=content&id=KB68915

       

      But having read through the article and running the 'Synchronise users' job, the report is still displaying a mixture of resolved usernames and anonymous users.

       

      Has anyone seen this before?


      At present, I am unable to provide any meaningful data to our management team and am unable to explain why some usernames are showing as anonymous.

       

      Thanks

        • 1. Re: Query regarding Username resolution in Web Reporter - showing resolved usernames and also anonymous (-\-)
          sroering

          The synchronize users button has a different function. It will try to move users from the anonymous directory to any configured directory.  But if there is no user name, then they would not be moved.

           

          If Web Reporter doesn't have a user name then here are some possibilities.

          1)  User name was not logged (or users possibly not authenticated). Check the access log for user names.

          2)  Assuming that the user name is in the log, then the "username" header isn't properly aligned over the right column.  I doubt this is the case unless every value in that column is a "-" because otherwise your usernames would be anything in that column.

          • 2. Re: Query regarding Username resolution in Web Reporter - showing resolved usernames and also anonymous (-\-)
            stuart153

            It's really odd.  I've logged a call with Support, but was just wondering whether anybody else had seen this in their environment.

             

            I've had a reply from support explaining the scenarios when a report would show the username as being a dash ' - ',

            This mainly happens when:

            - user authenticated by IP

            - user authenticated by destination site

            - global white list

            - bypass rule

             

            These scenarios make sense, however, none of the above seem relevant to me.  The report I have run is searching for all users who have accessed a particular URL on a particular date.  We do not have any bypass authentication rules configured for the destination URL/IP address, nor is it in a Global Whitelist rule.

             

            As I mentioned in the original post, I am using a static IP address and can see entries for my IP address in the report, some of the entries have resolved my username and some of the entries are showing me as an anonymous username.

             

            That's what's confusing me.... I don't see how it is able to resolve my username on some occasions and then show me as anonymous on other occasions. (All referencing the same URL)

            • 3. Re: Query regarding Username resolution in Web Reporter - showing resolved usernames and also anonymous (-\-)
              eelsasser

              Try running the same report with the Status Code not equal to 407.

              You might be logging and importing the authentication conversation that occurs during the authentication process itself.

              Or look at the logs themselves and see if there are numerous 407 entries in the logs themselves.

              • 4. Re: Query regarding Username resolution in Web Reporter - showing resolved usernames and also anonymous (-\-)
                sroering

                HTTP status code 407 (proxy auth) is not imported by Web Reporter because it would cause "double" reporting, and therefore you cannot run a report against 407 requests.  But Eelsasser is correct that the reason for double requests (one with username and one without) is that the first request hasn't been authenticated, so they are redirected for auth. After authentication, they will make the same request with credentials and you will see the user name.  But for this very reason, the 407 is dropped by Web Reporter.

                 

                My original post still stands.  If user names are in your logs, then the header doesn't match.

                Take your access log and filter it to remove 407s like this.

                 

                grep -v " 407 " accessyyyymmddhhMMss.log > filtered_access.log

                 

                Then look at the filtered results for any remaining requests that are not authenticated.
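
The check described in the last reply, as an added example that is not part of the original thread or any vendor tooling: it locates the user, IP and status columns from the log's header line, drops 407 rows, and reports which source IPs still appear both with a user name and as anonymous. The header names, column order and sample rows are constructed assumptions; substitute the header line from your own access log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The header names and column order are assumptions
# for illustration; use the header line from your own access log.
SAMPLE_LOG = """\
#time_stamp "auth_user" src_ip status_code "req_line"
[30/Sep/2013:08:50:01 +0100] "" 10.0.0.5 407 "GET http://example.test/ HTTP/1.1"
[30/Sep/2013:08:50:02 +0100] "jdoe" 10.0.0.5 200 "GET http://example.test/ HTTP/1.1"
[30/Sep/2013:08:51:10 +0100] "-" 10.0.0.5 200 "GET http://example.test/logo.png HTTP/1.1"
[30/Sep/2013:08:51:30 +0100] "asmith" 10.0.0.9 200 "GET http://example.test/ HTTP/1.1"
[30/Sep/2013:08:52:00 +0100] "-" 10.0.0.9 407 "GET http://example.test/ HTTP/1.1"
[30/Sep/2013:08:52:05 +0100] "jdoe" 10.0.0.5
"""

# A field is a [bracketed timestamp], a "quoted string", or a bare word.
FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
ANONYMOUS = {"", "-"}

def split_fields(line):
    return [f.strip('"') for f in FIELD.findall(line)]

def analyse(log_text, user="auth_user", ip="src_ip", status="status_code"):
    lines = [l for l in log_text.splitlines() if l.strip()]
    header = split_fields(lines[0].lstrip("#"))
    u, i, s = header.index(user), header.index(ip), header.index(status)
    anonymous = Counter()            # (src_ip, status) -> count, 407s excluded
    users_by_ip = defaultdict(set)   # src_ip -> user names seen, 407s excluded
    misaligned = 0                   # rows whose field count differs from the header
    for line in lines[1:]:
        row = split_fields(line)
        if len(row) != len(header):
            misaligned += 1
            continue
        if row[s] == "407":          # status-column equivalent of grep -v " 407 "
            continue
        users_by_ip[row[i]].add(row[u])
        if row[u] in ANONYMOUS:
            anonymous[(row[i], row[s])] += 1
    # IPs seen both with a resolved user name and as anonymous after filtering
    mixed = sorted(a for a, names in users_by_ip.items()
                   if names & ANONYMOUS and names - ANONYMOUS)
    return {"anonymous": dict(anonymous), "mixed_ips": mixed, "misaligned": misaligned}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A non-zero `misaligned` count means rows do not match the header's column count, which is the header-mismatch case raised earlier in the thread.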