
Skyhigh Security

How to Collect Logs from Web Gateway using Log Source

Version

Content Security Reporter 2.x

Secure Web Gateway

Description

Prerequisites:

  • Basic knowledge of a WG cluster.
  • The SWG appliance to be used must be active and reachable during the configuration of log source.
  • CSR collects logs from SWG over the REST interface. Make sure that you enable the REST interface on the SWG appliance.

How To Configure

A single WG log source can collect logs from a single WG appliance. If you use CSR to collect logs from multiple WG appliances in a cluster, you must configure one log source per appliance in the cluster.

To configure a WG log source in CSR:

  1. Navigate to Report Server Settings > Log Sources > Actions > New.
  2. Type a name for the log source.
  3. For Mode, select Collect log files from > Skyhigh Web Gateway.
  4. Leave the Log Format at Skyhigh Web Gateway (Webdasher) - Auto Discover.

NOTE: Now you see the configuration panel for the log source in the Source tab. You must complete all fields in this section for the log source to be saved.

  • Device Address

This address represents the host name or IP address of the WG appliance that CSR contacts to collect logs. If you have a WG cluster, you can collect logs from the other appliances in the cluster using the single Device address, although you must set up one log source per WG appliance. We recommend that you use the appliance address that's typically used to access the GUI of WGs for configuration management. The same rules that apply to the WG user interface also apply to the REST interface. So, you can have only one node that has a GUI attached in a cluster at any given time.

  • Port

This port represents the port of the REST interface that's enabled on the WG appliance. The option Connect Using SSL/TLS follows this field. It determines whether CSR communicates with WG on the specified port over a secure channel.

  • Logon Name

The logon name of a WG user that has 'REST-Interface accessible' permissions.

  • Password

The password of the WG user with REST permissions.

  • Appliance name (UUID)

CSR requires the WG appliance UUID to collect logs from that appliance. Populate the previous fields and click Browse. Then, log on to the specified WG appliance to return a list of appliances that CSR can collect logs from. Select the appliance and select OK.

  • Log File Base Name

The default log file base name of the access logs on WG is 'access.log', but WG 7.x allows you to rename the access log files if needed.

NOTE: WG appends a time stamp to the file name when a log has been rotated. CSR still collects log files with the time stamp in the file name as long as the log file base name matches the one specified.

  • Automatically collect logs from a node with an active GUI

A WG cluster can have only one GUI-attached appliance at any given time. You can attach multiple GUIs to the GUI-attached appliance at a time. But, it's impossible to access the GUI of another appliance in a cluster when one is already attached somewhere else.

This CSR feature to automatically collect logs from the node with the active GUI is meant to avoid log collection failures. A failure can occur if a log collection attempt is made when a GUI is attached to an appliance in the cluster other than the one specified in Device address. If you select this option and there's a GUI attached somewhere else when logs are collected, CSR takes the information provided by the WG error response to determine where the GUI is attached. CSR then tries to log on to the GUI-attached appliance to collect logs for the appliance specified in Appliance Name (UUID) for that log source. This option is best used as a safety mechanism rather than something used as a daily operational feature.

CSR doesn't downgrade log collection security. If you configure your log source to use SSL/TLS and WG provides a non-secure location for the GUI-attached node, CSR doesn't collect logs through the appliance where the GUI is attached.

To determine whether a log file can be read using the settings specified for this log source, select Test.

NOTE: Test doesn't test the option to Automatically collect logs from a node with an active GUI.

Troubleshooting

The CSR server log is the best place to look for issues that might be encountered with WG log collection. The Test function provides a means for useful feedback in multiple situations, but in general, the server log messages contain more detailed information. The following examples show server log entries and what they mean:

 

  • 2012-12-30 02:16:08,314 ERROR [com.skyhigh.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] MWG 7 test failed with HTTP status code 401. Detailed reason: Check user name and password.

This message isn't generic; it indicates an issue with the user name and password combination.

  • 2012-12-30 02:12:29,321 ERROR [com.skyhigh.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 401. Detailed reason: User rest1 is already logged in.

By default, WG allows only one logged-in session per user account. See the WG documentation on how to allow multiple logons per user account.

  • 2012-12-30 01:35:28,236 ERROR [com.skyhigh.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] The MWG 7 redirect was not followed because it is not a secure redirect and SSL/TLS is enabled for this log source.

This message indicates that the Automatically collect logs from a node with an active GUI option is selected. It also indicates that, during log collection, somebody was logged on to a node other than the one specified in the CSR Device address setting. The problem occurs because the log source is configured in CSR to collect logs using SSL/TLS and the redirect from WG is for an HTTP address. CSR doesn't downgrade the security option and has no information about how to reach the secure REST port. The result is that the redirect isn't followed and the log collection fails.

  • 2012-12-30 14:54:17,086 ERROR [com.xxxxxx.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 403. Detailed reason: user admin has no rights to access the REST-Interface

The user 'admin' in this case has no REST-interface rights and can’t access the REST interface for log collection. For information about setting up a user account to have REST-interface rights, see the WG documentation.
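The following triage script is an added example, not part of the original article or of CSR. It classifies the WebGateway7Getter error entries described above by HTTP status and detailed reason; the category names and the helpers `classify` and `triage` are assumptions of this example, and the final INFO entry in the sample is constructed.

```python
import re
from collections import Counter

# Layout of the CSR server log entries quoted above: timestamp, level, [logger], message.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} (\w+) \[([^\]]+)\] (.*)$")
HTTP = re.compile(r"HTTP status code (\d{3})\. Detailed reason: (.*)$")

# Category -> operator action; the category names are this example's own labels.
ACTIONS = {
    "bad_credentials": "verify the Logon Name and Password of the log source",
    "session_conflict": "account already has a session; see WG docs on multiple logons",
    "no_rest_permission": "give the WG user 'REST-Interface accessible' permissions",
    "insecure_redirect_refused": "GUI node offered an HTTP redirect; TLS was not downgraded",
    "unclassified": "read the full entry in the CSR server log",
}

def classify(line):
    """Return (timestamp, category) for a WebGateway7Getter ERROR entry, else None."""
    m = ENTRY.match(line.strip())
    if not m or m[2] != "ERROR" or not m[3].endswith(".WebGateway7Getter"):
        return None
    ts, msg = m[1], m[4]
    h = HTTP.search(msg)
    status, reason = (int(h[1]), h[2].lower()) if h else (None, "")
    if "not a secure redirect" in msg:
        return ts, "insecure_redirect_refused"
    if status == 401:
        return ts, "session_conflict" if "already logged in" in reason else "bad_credentials"
    if status == 403 and "rest-interface" in reason:
        return ts, "no_rest_permission"
    return ts, "unclassified"

def triage(lines):
    """Count categories across a log excerpt, skipping unrelated entries."""
    return Counter(c[1] for c in map(classify, lines) if c)

# The four ERROR entries are the ones quoted on this page; the INFO entry is constructed.
SAMPLE = [
    "2012-12-30 02:16:08,314 ERROR [com.skyhigh.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] MWG 7 test failed with HTTP status code 401. Detailed reason: Check user name and password.",
    "2012-12-30 02:12:29,321 ERROR [com.skyhigh.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 401. Detailed reason: User rest1 is already logged in.",
    "2012-12-30 01:35:28,236 ERROR [com.skyhigh.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] The MWG 7 redirect was not followed because it is not a secure redirect and SSL/TLS is enabled for this log source.",
    "2012-12-30 14:54:17,086 ERROR [com.xxxxxx.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 403. Detailed reason: user admin has no rights to access the REST-Interface",
    "2012-12-30 14:55:00,000 INFO [com.example.Scheduler] constructed unrelated entry",
]

if __name__ == "__main__":
    for category, count in triage(SAMPLE).items():
        print(f"{count}x {category}: {ACTIONS[category]}")
```

Repeated `session_conflict` or `insecure_redirect_refused` counts point at cluster or account setup rather than a wrong password, which is why they are kept apart from `bad_credentials`.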
