cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
LucasAlmeida
Level 8
Report Inappropriate Content
Message 1 of 4
‎10-21-2022 07:41 AM

Logging - Specific User Web Usage

Jump to solution

Hello,

 

We'd like to verify if someone already has implemented, or if there's any way we can track Web Usage (which websites were visited) by a specific user over a period of time (not just onwards, but looking back at a specific time range).

 

We already have CSR implemented but we're not being able to generate this data with the built-in queries and reports (or maybe we're just not knowing the right way to).

 

Is this possible to implement on WebGateway alone? Or can this be done within CSR?

We thank you in advance for your attention to this question.

#WebGateway #ContentSecurityReporter

0 Kudos
Reply
1 Solution

Accepted Solutions
fw_mon
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 4
‎10-21-2022 08:36 AM

Re: Logging - Specific User Web Usage

Jump to solution

@LucasAlmeida 

for this use case CSR should be enough. Double check why the user filter doesn't work - does a username appear in the result table if you run a query without filtering? Does a username has a domain as a prefix and you just need to use another format? There is also an option to run a raw SQL query on the CSR SQL DB to troubleshoot it.

May be somebody else has other ideas....

Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo to help other community members.
MWG+Splunk=❤

View solution in original post

0 Kudos
Reply
3 Replies
fw_mon
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 4
‎10-21-2022 08:05 AM

Re: Logging - Specific User Web Usage

Jump to solution

Hello @LucasAlmeida 

I understand your frustration, the CSR is primary a reporting tool, not very suitable for tracking. The good news it should be possible to get a list of visited websites with CSR alone if you configure a query filter and set it to a specific IP source address or a user name. As output I would suggest a "web detailed" query:

Detailed Web Access — Represents web traffic details such as full request URLs and exact date and time of each request

Other options are:

  • just use grep to filter raw logs and apply some bash/perl/python magic to filter or present data
  • use some 3d party software (I'll not post any names here)

Tell us what output you need, should it be a table, a timechart, a graph or just a table (which fields need te be included in it) or a list of URLs?

 

Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo to help other community members.
MWG+Splunk=❤
0 Kudos
Reply
LucasAlmeida
Level 8
Report Inappropriate Content
Message 3 of 4
‎10-21-2022 08:23 AM

Re: Logging - Specific User Web Usage

Jump to solution

Hello @fw_mon !

First, thank you very much for your reply!

Indeed, we've been observing that both WG and CSR are best suited to monitor activities in real time, but not that well equipped to look back on data.

That said, since we have two clusters of 4 appliances in HA mode, dinamically allocating user connections through a DNS alias and some other network infrastructure, it would be very difficult to track activity on raw logs as there's no sure way to know in which appliance the specific user activity would be recorded, and maybe it could be in some or all of them 😅.

I think CSR would be the best suited for this scenario, but the thing is that we're getting blank results on our queries (and, indeed, I was using the Detailed Web Activity as a template, with username as filtering criteria).

We're still trying out combinations of filtering criteria to see if we're able to get some data out of CSR, but we're looking for basic stuff, a simple table showing the web address and the date and time of access, nothing too fancy, maybe the Category for better visualization too if we're lucky.

0 Kudos
Reply
fw_mon
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 4
‎10-21-2022 08:36 AM

Re: Logging - Specific User Web Usage

Jump to solution

@LucasAlmeida 

for this use case CSR should be enough. Double check why the user filter doesn't work - does a username appear in the result table if you run a query without filtering? Does a username has a domain as a prefix and you just need to use another format? There is also an option to run a raw SQL query on the CSR SQL DB to troubleshoot it.

May be somebody else has other ideas....

Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo to help other community members.
MWG+Splunk=❤
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC