5 Replies Latest reply on May 12, 2017 12:40 PM by noobmode

    How to add a new filter group on CSR - add a new column on the access.log file to get AD groups

    ser_caretower

      Morning guys (please see attached for a full description with pictures),

       

      I need to include a customized data stream into the content security reporter. Basically, it is to add the AD Groups that a user belongs to (when testing the credentials against NTLM on the test box, when you type username and password it tells you the AD groups that that user belongs to. We need to gather that information and parse it into the CSR).


      I have tried to understand how the log is written from an event point of view but it doesn't make too much sense to be honest.

       

      The extra field that doesn't come by default is the AD Groups that a user belongs to. In other words, we would like to see in a report the group IT Admin activity or Sales activity or Marketing activity.

       

      I have tried to edit the log writing of the access log by adding a new entry (Authentication.Raw.Username) that should grab the AD groups that a user belongs to.

       

      Then I have modified the header of the access log configuration, adding a new one, "Groups":

       

      time_stamp "auth_user" src_ip status_code"req_line" "categories" "rep_level""media_type" bytes_to_client bytes_from_client "user_agent""virus_name" "block_res" "application_name""Groups"

       

      Then on EPO / CSR a new rule set (Groups) has been created and used "protection area" as the field to gather that information.

       

      Bad news is that anything has been logged under this new Group and also on the filters of the CSR we don't have the ability to filter based on Groups.

       

      Can anyone help here?

       

      Regards.

       

       

      For more info and images please see attached.

        • 1. Re: How to add a new filter group on CSR - add a new column on the access.log file to get AD groups
          sroering

          Sorry, but you cannot report on groups because CSR doesn't support directory or groups yet. If you put groups in the log, you could put them into custom columns, but the groups are not separated. They would be stored as one big string. Also, the group list is likely to exceed the character limit on the field and get truncated.

          • 2. Re: How to add a new filter group on CSR - add a new column on the access.log file to get AD groups
            ser_caretower

            Thank you Sroering for your reply;

             

            That's fine, we will try to find an alternative.

            Also, could you specify the correct procedure to add a custom column with customer information on it (let's say first name, last name, or any other AD information)? The one I have described above doesn't really bring the expected filtering value on the CSR dashboards and reports.

             

            Thanks in advance

            • 3. Re: How to add a new filter group on CSR - add a new column on the access.log file to get AD groups
              ser_caretower

              Sroering, I was wondering: based on AD proxy authentication, a rule can be defined to detect if a user belongs to a certain AD group (let's say Marketing). If that is positive then we could add Marketing.+1 on the counter statistics (by adding that value into the customized extra column). Based on a numeration scheme 1=marketing, 2=sales, 3=production... we can add that number to the column so the reports will show 1 or 2 or 3. Adding a filtering section on the report side of ePO based on the same numeration, we can filter and have the adequate reports for the number of departments we want to track.

               

              What do you think about that? Feasible?

               

              Thank you

              • 4. Re: How to add a new filter group on CSR - add a new column on the access.log file to get AD groups
                sroering

                You can log extra columns in the access log under any custom header. I would caution you to use unique names that will not be confused for default values. I would even go so far as appending a prefix to future-proof the policy. For example "my_groups" or "my_firstname". You could fall victim to an unintended side effect if "groups" were to become a default column in the future.

                 

                Also, be sure your log columns and the header are encapsulated in quotes, and delimited with a space. Your header above is missing the space to delimit the "group" column.

                 

                On your log source, you can save values for up to 4 user-defined columns. Yes, you could map group membership to "marketing" or "sales", etc. That would work nicely. If you wanted to log them as numbers, then you need to create a custom rule set (under the log sources section of the report server settings) to map 1 = marketing, 2 = sales, etc. Then when you edit the log source, on the user-defined column tab, you need to apply the appropriate custom rule set.

                 

                Here is the ruleset editor.

                rule_set.png

                 

                Here is what you need to do on the log source.

                 

                log_source.png

                 

                Then to get these values on the dashboard, you need to create a query which includes the appropriate user-defined column (detailed data set).

                 

                query_build_01.png

                 

                And you filter the results per group on each query.

                 

                query_build_02.png

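The quoting, spacing and prefix advice in reply 4 can be checked offline before the log source is handed to CSR. The sketch below is an added example, not code from the thread or from the product; the `my_dept` column, the sample header and log line, and the function names are assumptions, and in production the number-to-name mapping is done by the CSR custom rule set rather than by a script.

```python
import re

# A field is either "quoted text" or a bare token with no spaces or quotes.
FIELD = re.compile(r'"[^"]*"|[^\s"]+')
# Column names taken from the header quoted in the thread (minus "Groups").
DEFAULTS = set("time_stamp auth_user src_ip status_code req_line categories "
               "rep_level media_type bytes_to_client bytes_from_client "
               "user_agent virus_name block_res application_name".split())
# Numbering scheme proposed in the thread; the real mapping lives in CSR.
DEPARTMENTS = {"1": "marketing", "2": "sales", "3": "production"}

# Constructed samples: two shortened headers and one matching log line.
HEADER_BAD = 'time_stamp "auth_user" src_ip "application_name""Groups"'
HEADER_OK = 'time_stamp "auth_user" src_ip "application_name" "my_dept"'
LINE = '1494592800 "jdoe" 10.0.0.5 "Example App" "2"'


def split_fields(line):
    """Split on spaces, honouring quotes; reject fields that touch."""
    fields, pos, line = [], 0, line.strip()
    while pos < len(line):
        m = FIELD.match(line, pos)
        if not m:
            raise ValueError(f"unterminated quote at offset {pos}")
        fields.append(m.group().strip('"'))
        pos = m.end()
        if pos < len(line) and not line[pos].isspace():
            raise ValueError(f"missing space after {m.group()} at offset {pos}")
        while pos < len(line) and line[pos].isspace():
            pos += 1
    return fields


def unprefixed_custom(header, prefix="my_"):
    """Custom columns that could collide with a future default name."""
    return [n for n in split_fields(header)
            if n not in DEFAULTS and not n.startswith(prefix)]


def parse_line(header, line, dept_column="my_dept"):
    """Pair header names with values and decode the department number."""
    names, values = split_fields(header), split_fields(line)
    if len(names) != len(values):
        raise ValueError(f"{len(names)} columns but {len(values)} values")
    record = dict(zip(names, values))
    record["department"] = DEPARTMENTS.get(record.get(dept_column), "unmapped")
    return record
```

`split_fields(HEADER_BAD)` raises on the fused `"application_name""Groups"` pair, which is the defect pointed out in the header posted at the top of the thread.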
                • 5. Re: How to add a new filter group on CSR - add a new column on the access.log file to get AD groups
                  noobmode

                  This has been updated to be a feature in CSR 2.2 and 2.3. We just got this working in our environment.