Configure Log Sources
Configure the log sources that collect the data used in dashboards and reports.
NOTES:
- The fields displayed on the Source tab differ depending on which option you choose.
- Approximately 1 GB of temporary space is needed on the Content Security Reporter server for every GB of log data collected and processed.
- Log records with HTTP status code 407 are not processed by Content Security Reporter.
To configure log sources:
- Choose the log source mode and format.
  - Select Menu > Configuration > Report Server Settings.
  - From the Setting Categories menu, select Log Sources.
  - From the Actions menu, select New.
  - On the New Log Source page, type a name for the log source and configure the remaining options.
- Configure user-defined columns.
  - Click the User-Defined Columns tab.
  - Select the Populate this column checkbox.
  - Select and configure up to four user-defined columns.
  NOTES:
  - If the log record is not found in the Log record drop-down list, use the Log file header field to define a header.
  - When entering a value in the Log file header field, avoid using quotation marks.
- Create a schedule for processing logs.
  NOTE: The Schedule tab is only available when the Collect log files from mode is selected.
  - Click the Schedule tab.
  - Specify the frequency, date, and time. Enter a time in the Every field to collect logs. The minimum value is 2 minutes.
- Configure processing and post-processing options.
  - Click the Processing or Post-Processing tabs.
  - Configure the options.
- Configure the directories.
  - Click the Directory tab.
  - From the Available directories list, select the directories, then click Add.
- Click OK.
Create a Skyhigh Network Security Manager MySQL account
Create the MySQL database user account that Content Security Reporter uses to access Skyhigh Security Network Security Manager log sources.
NOTE: Skyhigh Security recommends that you create a MySQL database user account specifically for communication between Content Security Reporter and Skyhigh Security Network Security Manager.
- Locate the Skyhigh Security Network Security Manager MySQL installation folder.
  Example: C:\Program Files (x86)\McAfee\Network Security Manager\MySQL
  - Open a command prompt and type:
    cd <MySQL installation folder>\bin
  - Press Enter.
- Log on to MySQL.
  - On the command prompt, type:
    mysql --user=root mysql -p
  - Press Enter.
  - When prompted, type your password.
- Create the user account.
  - On the command prompt, type:
    CREATE USER 'user_name'@'<ip_address>' IDENTIFIED BY 'some_password';
  - Press Enter.
- Grant permissions to the account for the appropriate database and tables.
  - On the command prompt, type:
    GRANT SELECT ON <database_name>.* TO 'user_name'@'<ip_address>';
  - Press Enter.
TIPS:
- The default <database_name> is lf.
- <ip_address> is the Content Security Reporter server IP address.
For more information about adding user accounts, see the MySQL 5.0 Reference Manual.
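The account creation above, followed by checks that the account ended up read-only and bound to a single host. This is an added example, not part of the product documentation: the account name csr_reader, the address 192.0.2.10 (a documentation-range IP standing in for the Content Security Reporter server), and the password placeholder are constructed, and lf is the default database name given in the tip above.

```sql
-- Constructed placeholders: csr_reader, 192.0.2.10, <strong_unique_password>.
-- Run as root from the mysql client, as in the procedure above.

-- Steps from the procedure: dedicated account, SELECT only, one source host.
CREATE USER 'csr_reader'@'192.0.2.10' IDENTIFIED BY '<strong_unique_password>';
GRANT SELECT ON lf.* TO 'csr_reader'@'192.0.2.10';

-- Check 1: list every grant held by the account.
-- The procedure grants only SELECT on lf.*; anything beyond that
-- (plus the implicit USAGE on *.*) is more access than the reporter needs.
SHOW GRANTS FOR 'csr_reader'@'192.0.2.10';

-- Check 2: global (server-wide) privileges.
-- GRANTEE is stored as the quoted string 'user'@'host', hence the doubled quotes.
-- Any PRIVILEGE_TYPE other than USAGE here applies to all databases.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.USER_PRIVILEGES
WHERE GRANTEE = '''csr_reader''@''192.0.2.10''';

-- Check 3: database-level privileges.
-- Review any row whose TABLE_SCHEMA is not lf or whose PRIVILEGE_TYPE
-- is not SELECT; the procedure does not grant it.
SELECT TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE GRANTEE = '''csr_reader''@''192.0.2.10''';

-- Check 4: the same user name defined for other hosts.
-- A second row with Host = '%' or another address is a separate account
-- with its own password and grants, reachable from outside the reporter server.
SELECT User, Host
FROM mysql.user
WHERE User = 'csr_reader';
```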
Configure ATD log sources
To collect Skyhigh Security Advanced Threat Defense data, configure the Web Gateway and Advanced Threat Defense log sources.
Prerequisite
Content Security Reporter uses Web Gateway to collect Advanced Threat Defense scan result data. Before you configure Advanced Threat Defense log sources, verify that the Advanced Threat Defense settings are configured on Web Gateway.
- To create each log source, follow these steps:
  - Select Menu > Configuration > Report Server Settings.
  - From the Setting Categories menu, select Log Sources.
  - From the Actions menu, select New.
  - In the New Log Source page, enter the unique log source name in the Name field.
  - Verify that the Enable log source checkbox is selected.
- To configure the Web Gateway log source, choose from one of these options.
Web Gateway log source configuration options
Task | Steps |
---|---|
Enable Content Security Reporter to accept incoming Web Gateway log files. | |
Enable Content Security Reporter to collect log files from Web Gateway. | |
- To configure the Advanced Threat Defense log source, choose from one of these options.
Advanced Threat Defense log source configuration options
Task | Steps |
---|---|
Enable Content Security Reporter to accept incoming Advanced Threat Defense log files. | |
Enable Content Security Reporter to collect log files from Advanced Threat Defense. | |
Configure Content Security Reporter to accept log sources from Skyhigh Security Web Gateway Cloud Service
You can configure Content Security Reporter to receive log sources from Skyhigh Security WGCS.
- From the Trellix ePO menu, select Configuration > Report Server Settings.
- From the Setting Categories, select Log Sources.
- From the Actions menu, select New.
- On the New Log Source page, enter a unique log source name in the Name field, then select Enable log source.
- To configure the Skyhigh Security Web Gateway Cloud Service log source, choose from one of these options.
Results
Skyhigh Security Web Gateway Cloud Service log source configuration options
Task | Steps |
---|---|
Enable Content Security Reporter to accept incoming Skyhigh Security Web Gateway Cloud Service log files. | |
Enable Content Security Reporter to collect log files from Skyhigh Security Web Gateway Cloud Service. | |
NOTE: For information about analyzing the log sources using your own on-premise reporting solution, see the Skyhigh Security Web Gateway Cloud Service Product Guide.
NOTE: For more information on configuring Content Security Reporter, see Skyhigh Security Knowledge Base article KB91327.
Avoiding peak load on Web Gateway Cloud Service
To avoid peak load on the Skyhigh Security Web Gateway Cloud Service database, Content Security Reporter disables scheduling of log collection at the top of the hour.
Skyhigh Security Web Gateway Cloud Service logs that were scheduled to run at the top of the hour in a previous Content Security Reporter version are now rescheduled.
For example, if the log source was scheduled to pull logs at 10 AM, Content Security Reporter reschedules it to any time between 10.1 and 10.9.
Configure a region
You can configure a region to add new geographies in addition to the default regions in Content Security Reporter. This applies only to log sources that use Skyhigh Security Web Gateway Cloud Service.
On the Source tab of the New Log Source page, six regions are added by default from which log files can be collected.
Check the status of Running logs
To check the logs that are currently processing, view the list of running jobs.
- Select Menu > Configuration > Report Server Settings.
- From the Setting Categories menu, select Log Sources.
- Click the Current Jobs tab.
- To update the status of jobs currently running, click Refresh.
Check the statistics for processed logs
View the statistics for logs processed by Content Security Reporter.
- Select Menu > Configuration > Report Server Settings.
- From the Setting Categories menu, select Log Sources.
- Click the Statistics tab.
- To update the Cumulative log statistics or Syslog client statistics, click Refresh.
Manage log processing jobs
Manage the list of log processing jobs that are queued, running, or completed.
- Select Menu > Configuration > Report Server Settings.
- From the Setting Categories menu, select Log Sources > Job Queue.
- From the Actions menu, select a task you want to perform.
Modify custom column rule sets
Modify the data string sets for the corresponding custom columns used during log file processing.
- Select Menu > Configuration > Report Server Settings.
- From the Setting Categories menu, select Log Sources > Custom Columns.
- From the Actions list, select Edit Rule Set.
- On the Edit Rule Set page, select New from the Actions menu.
- On the New Rule page, type the data string value in the Replace field.
- From the With menu, choose any additional characters, then click OK.
Create user-defined column rule sets
Create custom rule sets for the user-defined columns used during log file processing.
- Select Menu > Configuration > Report Server Settings.
- From the Setting Categories menu, select Log Sources > Custom Rule Sets.
- From the Actions menu, select New.
- Enter a name and description for the rule set.
- Add a data string to the Rules list.
- From the Actions menu, select New.
- From the New Rule page, type the data string value in the Replace field.
- From the With drop-down list, choose any additional characters, then click OK.
Configure browse time options
Choose the threshold and default time for estimated browsing session lengths.
- Select Menu > Configuration > Report Server Settings.
- From the Setting Categories menu, select Log Sources > Browse Time, then click Edit.
- On the Edit Browse Time page, select the time in minutes from the Browse time threshold menu.
- From the Default browse time menu, select the time in minutes, then click Save.
Import a single log file
Import log files from a directory on the client computer.
NOTE: To avoid errors, verify that the log file format matches the log source in your imported log files.
- Select Menu > Configuration > Report Server Settings.
- From the Setting Categories menu, select Log Sources.
- Select a log source.
- From the Actions menu, select Import Log.
- On the Import Log page, click Browse, find the log file you want to import, then click Open.
- A message confirms that the selected log file is imported.
- Click OK.