Configure a Log Source in CSR to Collect Logs from WG Using REST Interface
Version
Skyhigh Content Security Reporter (Skyhigh CSR) 2.x
Skyhigh Web Gateway (SWG)
Summary
Prerequisites
- Basic knowledge of an SWG cluster.
- The SWG appliance to be used in the log collection must be active and reachable during the configuration of the log source.
- CSR collects logs from SWG over the REST interface. Make sure that the REST interface, Dashboards and Troubleshooting (Log Files) roles are assigned to the account that is used to collect logs from the appliance.
Configuration
A single SWG log source can collect logs from a single SWG appliance. If you use CSR to collect logs from multiple SWG appliances in a cluster, you must configure one log source per appliance in the cluster.
To configure an SWG log source in CSR, perform the steps below:
- Go to Report Server Settings, Log Sources, Actions.
- In the Actions menu, click New.
- Type a name for the log source.
- For the Mode, select Collect log files from, and select Skyhigh Web Gateway in the drop-down list.
- Leave the Log format at Skyhigh Web Gateway (Webwasher) - Auto Discover.
NOTE: You now see the configuration panel for the log source in the Source tab. You must complete all fields in this section for the log source to be saved.
Device Address
This address represents the host name or IP address of the SWG appliance that CSR contacts to collect logs. If you have an SWG cluster, you can collect logs from the other appliances in the cluster using the single Device address, although you must set up one log source per SWG appliance. We recommend that you use the appliance address that's typically used to access the GUI of SWGs for configuration management. The same rules that apply to the SWG user interface also apply to the REST interface. So, you can have only one node that has a GUI attached in a cluster at any given time.
Port
This port represents the port of the REST interface that's enabled on the SWG appliance. At the time this article was written, the REST interface was on the same port as the regular user interface. The option Connect Using SSL/TLS follows this field. It dictates whether CSR tries to communicate with SWG on the specified port over a secure channel.
Logon Name
The logon name of an SWG user that has 'REST-Interface accessible' permissions.
Password
The password of the SWG user with REST permissions.
Appliance Name (UUID)
CSR requires the SWG appliance UUID to collect logs from that appliance. Complete the previous fields and click Browse. CSR then logs on to the specified SWG appliance and returns a list of the appliances from which it can collect logs. Select the appliance and click OK.
Log File Base Name
The default log file base name of the access logs on SWG is 'access.log', but SWG 7.x and above allows you to rename the access log files if needed.
NOTE: SWG appends a time stamp to the file name when a log has been rotated. CSR still collects log files with the time stamp in the file name as long as the log file base name matches the one specified.
Automatically collect logs from a node with an active GUI
As previously noted, an SWG cluster can have only one GUI-attached appliance at any given time. Multiple GUI sessions can be attached to that appliance at the same time, but it's impossible to access the GUI of another appliance in the cluster while a GUI is already attached somewhere else.
This CSR feature to automatically collect logs from the node with the active GUI is meant to avoid log collection failures. A failure can occur if a log collection attempt is made when a GUI is attached to an appliance in the cluster other than the one specified in Device address. If you select this option and there's a GUI attached somewhere else when logs are collected, CSR takes the information provided by the SWG error response to determine where the GUI is attached. CSR then tries to log on to the GUI-attached appliance to collect logs for the appliance specified in Appliance Name (UUID) for that log source. This option is best used as a safety mechanism rather than something used as a daily operational feature.
Also, note that CSR doesn't downgrade log collection security. If you configure your log source to use SSL or TLS and SWG provides a non-secure location for the GUI-attached node, CSR doesn't collect logs through the appliance where the GUI is attached.
To determine whether a log file can be read using the settings specified for this log source, click Test.
NOTE: Test doesn't test the option to Automatically collect logs from node with active GUI.
Troubleshooting
The CSR server log is the best place to look for issues that might be encountered with SWG log collection. The Test function provides a means for useful feedback in multiple situations, but in general, the server log messages contain more detailed information. The following examples show server log entries and what they mean:
- 2012-12-30 02:16:08,314 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] MWG 7 test failed with HTTP status code 401. Detailed reason: Check user name and password
The message isn't generic and actually indicates that there seems to be an issue with the username and password combination.
- 2012-12-30 02:12:29,321 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 401. Detailed reason: User rest1 is already logged in
By default, SWG allows only one logged-in session per user account. See the SWG documentation on how to allow multiple logons per user account.
- 2012-12-30 01:35:28,236 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] The MWG 7 redirect was not followed because it is not a secure redirect and SSL/TLS is enabled for this log source.
This message indicates that the Automatically collect logs from node with active GUI option is selected. It also indicates that, during a log collection, somebody is logged on to a node other than the one specified in the CSR Device address settings. The problem occurs because the log source is configured in CSR to collect logs using SSL or TLS and the redirect from SWG is for an HTTP address. CSR doesn't downgrade the security option and has no information about how to reach the secure REST port. The result is that the redirect isn't followed and the log collection fails.
- 2012-12-30 14:54:17,086 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 403. Detailed reason: user admin has no rights to access the REST-Interface
The user 'admin' in this case has no REST-interface rights and can’t access the REST interface for log collection. For information about setting up a user account to have REST-interface rights, see the SWG documentation.
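The four server log entries above are easy to triage by eye, but on a CSR server that collects from many SWG appliances they arrive mixed with other messages. The following Python script is an added example (it is not part of this article or of the CSR product) that parses CSR server log lines of the layout shown above, recognises the four failure conditions described here, and attaches the account name and the matching remediation to each. The line layout (timestamp, level, bracketed logger, message), the category names and the trailing INFO line in the sample are assumptions constructed for the example; the four ERROR lines are the ones quoted in this article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of CSR server log lines. The four ERROR lines reproduce the
# entries quoted in this article; the trailing INFO line is made up as a
# non-error control case.
SAMPLE_SERVER_LOG = """\
2012-12-30 02:16:08,314 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] MWG 7 test failed with HTTP status code 401. Detailed reason: Check user name and password
2012-12-30 02:12:29,321 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 401. Detailed reason: User rest1 is already logged in
2012-12-30 01:35:28,236 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] The MWG 7 redirect was not followed because it is not a secure redirect and SSL/TLS is enabled for this log source.
2012-12-30 14:54:17,086 ERROR [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Login attempt to MWG 7 failed with HTTP status code 403. Detailed reason: user admin has no rights to access the REST-Interface
2012-12-30 15:00:00,000 INFO [com.mcafee.mesa.logparsing.frontends.webgateway7getter.WebGateway7Getter] Log collection finished (constructed line)
"""

# Assumed layout of a CSR server log line: timestamp, level, [logger], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
STATUS_RE = re.compile(r"HTTP status code (?P<code>\d{3})")
REASON_RE = re.compile(r"Detailed reason: (?P<reason>.*)$")
USER_RE = re.compile(r"\b[Uu]ser (?P<user>\S+) (?:is already logged in|has no rights)")


@dataclass
class Finding:
    timestamp: str
    status: Optional[int]   # HTTP status returned by the SWG REST interface, if any
    reason: str             # text after "Detailed reason:", or the whole message
    category: str           # one of the four conditions described in the article
    user: Optional[str]     # account named in the message, when one is named
    remediation: str


# (predicate over (status, message), category, remediation). Order matters: the two
# 401 cases share a status code and differ only in the detailed reason.
RULES = [
    (lambda s, m: s == 401 and "Check user name and password" in m,
     "bad_credentials",
     "Verify the Logon Name and Password configured for the log source."),
    (lambda s, m: s == 401 and "already logged in" in m,
     "session_limit",
     "SWG allows one session per account by default; allow multiple logons "
     "for the REST account or use a dedicated account per log source."),
    (lambda s, m: "redirect was not followed" in m and "not a secure redirect" in m,
     "insecure_redirect",
     "Log source uses SSL/TLS but SWG redirected to the GUI-attached node over "
     "HTTP; CSR does not downgrade. Check which node has the GUI attached."),
    (lambda s, m: s == 403 and "no rights to access the REST-Interface" in m,
     "no_rest_rights",
     "Grant the account the REST interface, Dashboards and Troubleshooting "
     "(Log Files) roles on the SWG appliance."),
]


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for ERROR lines matching a known SWG collection failure, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("level") != "ERROR":
        return None
    msg = m.group("msg")
    status_m = STATUS_RE.search(msg)
    status = int(status_m.group("code")) if status_m else None
    reason_m = REASON_RE.search(msg)
    reason = reason_m.group("reason").strip() if reason_m else msg
    for predicate, category, remediation in RULES:
        if predicate(status, msg):
            user_m = USER_RE.search(msg)
            return Finding(
                timestamp=m.group("ts"),
                status=status,
                reason=reason,
                category=category,
                user=user_m.group("user") if user_m else None,
                remediation=remediation,
            )
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a CSR server log excerpt, keeping only recognised failures."""
    findings = [classify_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVER_LOG):
        who = f" (account: {f.user})" if f.user else ""
        print(f"{f.timestamp} {f.category}{who}: {f.remediation}")
```

The rules are ordered because the two 401 responses are distinguishable only by the detailed reason, which is why the article stresses reading the reason rather than the status code alone. Lines that are not ERROR level, or that match none of the four conditions, are dropped so that only actionable failures reach whoever runs the script.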