Product Guide Revision A McAfee Content Security Reporter 1.0.0 Software For use with ePolicy Orchestrator 4.6.
COPYRIGHT Copyright © 2012 McAfee, Inc. Do not copy without permission.
Preface

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access... Do this...
1 Introduction

McAfee® Content Security Reporter (Content Security Reporter) is a powerful reporting tool that allows you to create queries and reports that show you how people in your organization are using the Internet and a host of other useful system and usage data. Content Security Reporter works with McAfee® ePolicy Orchestrator® software to provide the reporting tools to identify issues in your organization such as liability exposure, productivity loss, bandwidth overload, and security threats.
• MySQL v5.0
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008
• Log sources — Log sources are devices on the network set up to generate (web filtering device) or store (FTP server) log files. Log files contain web filtering data that includes information such as user names, IP addresses, URLs, time stamps, protocols, and so on.
Table 1-1 Features (continued)

Feature: Rule sets
Description: Configure custom rule sets to tell Content Security Reporter to look for a specific string of data during log file processing and replace it with a different string. The resulting string appears in reports and is more recognizable to users.

Feature: Internal database or external databases
Description: Use the internal database or a supported external database, depending on your organization and data needs.
2 Install Content Security Reporter

System requirements

To install and operate McAfee Content Security Reporter, the system must meet these minimum requirements consistent with the requirements to run ePolicy Orchestrator 4.6.2.
Install Content Security Reporter

• Download the Content Security Reporter software from the McAfee download site.
• Install the Content Security Reporter report server software files.
• Add the Content Security Reporter extension file with the online Help extension file to ePolicy Orchestrator.
• Register the Content Security Reporter report server in ePolicy Orchestrator.
Install the extensions

Install the Content Security Reporter extension files into ePolicy Orchestrator to be able to configure the report server.

Task
1 In ePolicy Orchestrator, select Menu | Software | Extensions.
2 Click Install Extension.
3 Browse to the Content Security Reporter extension file that you downloaded earlier, and click OK.
What changes in ePolicy Orchestrator

Installing the McAfee Content Security Reporter report server software and Content Security Reporter Reporting extension makes some changes in ePolicy Orchestrator.

Table 2-3 Changes to ePolicy Orchestrator

Item: Reporting extension
Location: Select Menu | Software | Extensions to manage the Content Security Reporter Reporting and Help Content extensions.
• System Backup — Create backup configuration files for the Report Server settings, and restore them to the server in case of system failure.
• Support — Generate a feedback file to send to McAfee technical support.

When the Content Security Reporter extension is removed from ePolicy Orchestrator, the Report Server Settings menu is no longer available.
• Log Sources | Custom Columns
• Performance Options | Summary Cache
• Log Sources | Custom Rule Sets
• System Backup

4 Select active options that you use frequently from the Actions menus and drag them on to the ePolicy Orchestrator toolbar. Some options only become active when, for example, a log source is created. The next time you open that page, the option will be easily available for you on the toolbar.
4 Click OK. The Report Server Settings menu item is removed from the menu bar.
5 Select the Content Security Reporter Help Content extension, and click Remove.
6 Click OK.

Remove the report server software

Uninstall the Content Security Reporter report server software.

Before you begin
• To remove Content Security Reporter, you must have administrator access rights.

Task
For option definitions, click ? in the interface.
3 Configure the database

McAfee Content Security Reporter uses a database to store data from log files. Set up a database that is appropriate for the size of your organization and the amount of data it generates using the default internal database, or one of a selection of external databases.

Introduction to database use in McAfee Content Security Reporter

McAfee Content Security Reporter comes with an internal database.
• For a small- to medium-size organization
• Evaluating Content Security Reporter

View information about the internal database

The internal database requires no additional configuration, but you can view its settings such as its port number and logon information. Use the internal database if you will accumulate less than 50 GB of data. It stores data when Content Security Reporter processes log files.
External database use

Use an external database when you have more than 50 GB of data to store. Connect McAfee Content Security Reporter to one of these supported external database platforms to store report data:
• MySQL v5.0
• Microsoft SQL Server 2005
• Microsoft SQL Server 2008

You can install the Content Security Reporter and the external database on the same computer or on separate computers.
Database page and Edit Database dialog box

See information about the database connection status, and get access to database configuration options.

Database page

To change any of the settings displayed on the Database page, click Edit.

Table 3-1 Option definitions

Option: Advanced
Definition: Displays the Advanced Database Status dialog box to see more information about the currently connected database.
Task
1 Select Menu | Configuration | Report Server Settings.
2 Click Database, then click Edit.
3 Set the database online or offline.
4 Click Save to confirm the change.

Execute SQL use

Use the Execute SQL feature when you are working with technical support. Execute SQL opens a window that enables a reporting administrator to provide and execute SQL statements.
4 Maintain the database

Database maintenance options allow you to perform tasks that increase database performance and free database space.
Set up regular database maintenance tasks

To reduce the load on the Content Security Reporter database, configure when and how you want to manage the number of records.

Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 Click Database Maintenance, then click Edit.
3 To set how often you want database maintenance tasks to be carried out, click Set Schedule.
Table 4-1 Option definitions (continued)

Option: Index maintenance
Definition: Index maintenance prevents or corrects performance issues. By default, indexes are rebuilt on the first Sunday of each month. Ensure that you schedule index maintenance on a day that you normally schedule your database maintenance.
6 Click Save.
7 Select Database Maintenance | Status to see progress for scheduled maintenance jobs that have completed or are running.

Rebuild indexes

Perform index rebuilding to prevent or correct performance issues. Over time, there are many changes made to database indexes that result in degraded performance. Degraded performance occurs when the index becomes fragmented.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 Click Database Maintenance, then click Edit.
3 Click Set Schedule, and specify how often you want the job to run, and when you want it to start.
4 Click OK.
5 Deselect the maintenance tasks that you do not want to happen as part of the maintenance job.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 Click Database Maintenance.
3 Click Manual Maintenance.
4 Configure maintenance by date range options, then click Start.
5 Click Yes when the confirmation message appears stating the database is not available during maintenance and asking if you want to continue. The deletion process starts immediately.
Repopulate columns

Repopulate custom and user-defined columns to apply settings to existing database records. Perform maintenance during off-peak times. During maintenance, the database and new queries and reports are not available.

Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 Click Database Maintenance.
3 Click Manual Maintenance.
4 Click Repopulate Columns.
5 Click Yes to continue. The statistics job starts immediately. A message appears stating that the job is successfully queued.
6 Click OK to close the message.
7 Select Database Maintenance | Status to see progress for maintenance jobs that are completed or are running.

View the status of database maintenance jobs

View detailed information about each database maintenance job, including deletions and statistics.
5 Log sources and log formats

McAfee Content Security Reporter uses log sources to obtain data from log files from a filtering device. The log files contain web usage data that is used in reports. Choose a specific log format for each log source to determine how Content Security Reporter processes (also called parsing) the log files. Content Security Reporter processes the log files and stores the data in a database you set up in Content Security Reporter.
• FTP Server
• A directory on the report server

Log formats

Log formats determine how Content Security Reporter processes (also called parsing) data from log files and stores it in the database. Accurate reports depend on Content Security Reporter using the correct log format to recognize the type of data and store it correctly in the database. Content Security Reporter is set up to recognize the structure of various log formats.
Log Sources page

See a list of available log sources, and find one quickly. Enable, add, duplicate, delete, disable, import and process log files immediately from this page.

Table 5-1 Option definitions
Option Definition
Show Filter / Hide Filter Displays the Quick find feature.
Log Source details Type the name of the log source and click Apply to search for that text. Click Clear to remove the search term from the Quick find field.
Table 5-2 Option definitions

Option: Name
Definition: Type the name that you want to associate with this particular log source

Option: Mode
Definition: Either:
• Accept incoming log files — For organizations with web filtering devices that write their own log files and have the ability to send the log files to another location (such as the McAfee Content Security Reporter server)
• Collect log files from — For organizations using devices that write their own log files, but ar
Statistics page

Displays cumulative log statistics for all the logs processed since the record was last refreshed or reset.
Guide to User-Defined Columns

On the User-Defined Columns tab, you can substitute column data values with a string that is more recognizable for you and get data from log file fields that might normally be skipped. The User-Defined Columns feature is separate from the Custom Columns feature, but is also used during log file processing to substitute column data or obtain data from columns that are normally skipped during this process.
Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 Click Log Source, then from the Actions menu, click New.
3 Select the User-Defined Columns tab.
4 Configure up to four user-defined columns using the available options, and click OK.
Move log file data into the database

Use these additional steps to put log file data into your database when your log source is set to accept incoming log files or collect log files, or when you want to process a normally scheduled log file immediately. Any log processing jobs interrupted when Content Security Reporter is restarted will automatically resume.
4 Browse to the log file you want to import.
5 Click Open. A message confirms that the selected log file is imported.
6 Click OK. Content Security Reporter processes the log file and the processing status appears on the Current Jobs tab.

Job Queue page

See a list of log processing jobs that are completed, or currently in progress.

Table 5-6 Option definitions

Option: Show Filter / Hide Filter
Definition: Displays the Quick find feature.
Each custom column uses a rule set that is already configured to take technical data values from the browser or cache columns and substitute the value with common identifiers, making the browser and cache data in your reports more recognizable.

Figure 5-2 Custom Columns — Edit Rule Set dialog box

Custom Column list

Content Security Reporter comes with some pre-defined custom columns for you to use in their default state, or to edit as necessary.
Table 5-8 Option definitions (continued)

Option: Rules
Definition: Shows the list of rules that are in that rule set, their priority in the list, and the replacement text that appears in the custom columns.

Option: Actions
Definition:
• Export Rule Set — Creates a file based on the data in the rule set that can be used to import into another rule set.
• Import Rule Set — Select the rule set whose descriptions and rules details you want to import. The name is not imported.
Custom Rule Sets page

Displays information about created rule sets.

Table 5-9 Option definitions
Option Definition
Show Filter / Hide Filter Displays the Quick find feature.
Name of Custom Rule Set Shows the name of the rule set.
Actions • Delete — Removes a selected rule set from the list.
Type a search term and click Apply to search all the rows that contain the text that is in the name column.
Configure rule sets

Add, edit, copy, and delete rule sets for use with user-defined columns to appear in your queries and reports. Rule sets are used in user-defined columns for use during log file processing.

Task
For option definitions, click ? in the interface.
1 Select Menu | Configuration | Report Server Settings.
2 Click Log Sources, then click Custom Rule Sets.
3 Select the Actions menu, then click New.
6 Queries, reports, and dashboards

McAfee Content Security Reporter installs several queries, reports, and dashboards to ePolicy Orchestrator that aim to provide a complete overview of available report server data. The set of default Content Security Reporter queries, reports, and dashboards can be used as they are, or copied and edited to create new customized versions.
Task
For option definitions, click ? in the interface.
1 In McAfee ePolicy Orchestrator, select Queries & Reports in the menu bar, and select New from the Actions menu.
2 From the Database Type drop-down list, select Content Security Reporter. The Query Builder opens with the Result Type view active.
3 Select Web Summary, and click Next to move to the Chart page.
• The most used websites and applications
• The biggest security threats to your organization

Configure reports

Set up and run customized reports using data available from your configured queries.

Before you begin
By default, you must have administrator rights to be able to view, modify, and run existing reports as well as add new reports.
6 Select the report, its language, and whether you want to export the contents to a file, or send it to someone else, or run another command. If you are exporting to a file, you must specify a destination directory before you can continue.
7 Click Next to move to the Schedule page.
8 Use the options to specify when you want the report to run, and for how long.
9 Click Next to view a summary of the report settings.
4 Click Add Monitor, and from the View drop-down menu, click Queries.
5 Drag the Queries icon onto the configuration area to open the New Monitor dialog box.
6 From Monitor Content, select the Bandwidth Consumption by Log Source query, then set how often you want the data to refresh on the dashboard.
7 Use the default database, and click OK. You have the option to save or discard your changes.
7 Performance, maintenance, and management features

Performance options for the McAfee Content Security Reporter database and system allow you to optimize performance so that McAfee Content Security Reporter runs efficiently. Performance optimization involves configuring specific settings, such as system cache, memory allocation, and so on, to increase performance in McAfee Content Security Reporter. Configure settings that work best for your McAfee Content Security Reporter environment.
Performance Options page

Allocate the amount of memory devoted to Content Security Reporter, and the number of jobs that can process at any one time.

Table 7-2 Option definitions

Option: Memory
Definition: Displays the current amount of memory. Click Edit to open the Memory dialog box where you can set a new memory allocation or restore the default setting.
Table 7-3 Option definitions (continued)

Option: Current Memory Usage
Definition: Shows the estimated total amount of memory taken up by the cache's entries.

Option: Actions
Definition:
• Choose Columns — Selects which columns you want to display, and the order they appear in. Additional columns are available.
Table 7-5 Option definitions (continued)

Option: Current Memory Usage
Definition: Shows the estimated total amount of memory taken up by the cache's entries.

Option: Actions
Definition: Opens more options:
• Choose Columns — Selects which columns you want to display, and the order they appear in. Additional columns are available.
• Edit — Opens the Cache Settings dialog box to edit the maximum number of entries that can be stored in the summary cache.
Configuration settings backup

Back up specific report and administration configuration settings through the user interface. When McAfee Content Security Reporter creates a backup file, it automatically saves specific settings for reports and administration.
Restore Content Security Reporter settings

Restore the configuration settings when you need to return to previous settings or after you remove and re-install the software.

Before you begin
Click Menu | Configuration | Report Server Settings | System Backup to back up the configuration before completing these steps.
Support for troubleshooting purposes. Feedback files are stored in your Content Security Reporter program directory.

Table 7-8 Option definitions

Option: Support
Definition: Describes what information is collected in the feedback file, and where the file is stored.

Option: Start
Definition: Generates the feedback file.
A Automatic-discover log formats

McAfee Content Security Reporter supports some automatic-discover log formats. However, some modifications to the log file headers are necessary for Content Security Reporter to correctly parse the data.
Table A-1 Blue Coat header formats (continued)
Format in extended log file Custom Content policy language Description
cs-method Request method used from client to appliance cs-request-line First line of the client’s request c-dns %h cs-uri cs-uri-address Host name of the client (using the client’s IP address to avoid reverse DNS) • url • Original URL requested • log_url • The log URL • url.
Table A-1 Blue Coat header formats (continued)
Format in extended log file Custom Content policy language Description
cs-uri-hostname • Host name from the original URL requested; RDNS is used if the URL is expressed as an IP address • url.hostname • log_url.hostname • Host name from the log URL; RDNS is used if the URL uses an IP address cs-uri-path • blank • url.
Table A-1 Blue Coat header formats (continued)
Format in extended log file Custom Content policy language Description
gmttime %t GMT date and time of the user request in [DD/MM/YYYY:hh:mm:ss GMT] format
localtime %L Local date and time of the user request in [DD/MMM/YYYY:hh:mm:ss +nnnn] format
rs(Content-Type) %c response.header.
Table A-1 Blue Coat header formats (continued)
Format in extended log file Custom Content policy language Description
x-cs-username-or-ip Used to identify the user using either their authenticated proxy user name or, if that is unavailable, their IP address
x-sc-http-status http.response.
B Fixed-field log formats

McAfee Content Security Reporter supports some fixed-field log formats that do not require any header changes. Content Security Reporter correctly parses the data from these log files without any modifications. The following table provides information about supported log file formats that are not automatic-discover in Content Security Reporter. This table includes examples of the expected header information found in the corresponding log file format.
Table B-1 Non-automatic-discover log file formats (continued)

Log file type: McAfee Firewall Enterprise
Expected formats: SFv4 - Text Format
client_ip - user_1 [time_stamp] "GET url" http_status sf_action sf_cats
Examples: 172.17.68.177 - jlock [28/Jun/2004:11:44:54] "GET http://www.msn.com" 403 COACH "Portal Sites"

Log file type: SmartFilter Software IFP
Expected formats: SFv4 - Text Format
client_ip - user_1 [time_stamp] "GET url" http_status sf_action sf_cats
Examples: 172.17.68.
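The SFv4 text layout in Table B-1 can be checked against a log file before it is handed to a log source. The following is an added example, not code from the guide or from Content Security Reporter: the regular expression, the timestamp format (inferred from the single example line in the table), the treatment of "-" as an unauthenticated user, and the reading of several quoted strings as several categories are all assumptions. Lines that do not fit are rejected rather than guessed at, because URL and user fields in proxy logs are influenced by clients.

```python
import ipaddress
import re
from datetime import datetime

# Field layout from Table B-1:
#   client_ip - user_1 [time_stamp] "GET url" http_status sf_action sf_cats
SFV4_LINE = re.compile(
    r'^(?P<client_ip>\S+) - (?P<user>\S+) '
    r'\[(?P<time_stamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>[^"\s]+)" '
    r'(?P<http_status>\d{3}) '
    r'(?P<sf_action>\S+) '
    r'(?P<sf_cats>".*")\s*$'
)
CATEGORY = re.compile(r'"([^"]*)"')
# Assumption: inferred from the example "28/Jun/2004:11:44:54".
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return a dict for one SFv4 text line, or None if it does not fit."""
    match = SFV4_LINE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    fields = match.groupdict()
    try:
        # Reject syntactically plausible but invalid values instead of
        # storing them, so bad rows never reach reports.
        client_ip = ipaddress.ip_address(fields["client_ip"])
        when = datetime.strptime(fields["time_stamp"], TIME_FORMAT)
    except ValueError:
        return None
    return {
        "client_ip": str(client_ip),
        # Assumption: "-" marks a request with no authenticated user.
        "user": None if fields["user"] == "-" else fields["user"],
        "time_stamp": when,
        "method": fields["method"],
        "url": fields["url"],
        "http_status": int(fields["http_status"]),
        "sf_action": fields["sf_action"],
        "sf_cats": CATEGORY.findall(fields["sf_cats"]),
    }


def parse_log(lines):
    """Split lines into parsed records and (line_number, text) rejects."""
    records, rejected = [], []
    for number, line in enumerate(lines, start=1):
        record = parse_line(line)
        if record is None:
            rejected.append((number, line))
        else:
            records.append(record)
    return records, rejected


SAMPLE = [
    # Example line quoted in Table B-1 of the guide.
    '172.17.68.177 - jlock [28/Jun/2004:11:44:54] '
    '"GET http://www.msn.com" 403 COACH "Portal Sites"',
    # Constructed: no user, two categories (quoting style is an assumption).
    '192.0.2.10 - - [28/Jun/2004:11:45:02] '
    '"GET http://example.com/a?b=1" 200 ALLOW "News" "Sports"',
    # Constructed: impossible date and hour, must be rejected.
    '192.0.2.11 - mallory [31/Feb/2004:25:00:00] '
    '"GET http://example.com/" 200 ALLOW "News"',
    # Constructed: not a log line at all.
    'not a log line',
]

if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE)
    for rec in parsed:
        print(rec["time_stamp"].isoformat(), rec["client_ip"], rec["user"],
              rec["http_status"], rec["sf_action"], rec["sf_cats"])
    print("rejected line numbers:", [n for n, _ in bad])
```

A high reject count on a file that should be SFv4 text usually means the log source was given the wrong log format, which is the condition the guide warns leads to inaccurate reports.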
700-3703A00