Configure Log Sources

Configure the log sources that collect the data used in dashboards and reports.

NOTES:

  • The fields displayed on the Source tab differ depending on which option you choose.
  • Approximately 1 GB of temporary space is needed on the Content Security Reporter server for every GB of log data collected and processed.
  • Log records with HTTP status code 407 are not processed by Content Security Reporter.

To configure log sources:

  1. Choose the log source mode and format.
    1. Select Menu > Configuration > Report Server Settings.
    2. From the Setting Categories menu, select Log Sources.
    3. From the Actions menu, select New.
    4. On the New Log Source page, type a name for the log source and configure the remaining options.
  2. Configure user-defined columns.
    1. Click the User-Defined Columns tab.
    2. Select the Populate this column checkbox.
    3. Select and configure up to four user-defined columns.

NOTES:

  • If the log record is not found in the Log record drop-down list, use the Log file header field to define a header.
  • When entering a value in the Log file header field, avoid using quotation marks.
  3. Create a schedule for processing logs.
    NOTE: The Schedule tab is only available when the Collect log files from mode is selected.
    1. Click the Schedule tab.
    2. Specify the frequency, date, and time. Enter a time in the Every field to collect logs. The minimum value is 2 minutes.
  4. Configure processing and post-processing options.
    1. Click the Processing or Post-Processing tabs.
    2. Configure the options.
  5. Configure the directories.
    1. Click the Directory tab.
    2. From the Available directories list, select the directories, then click Add.
  6. Click OK.

Create a Skyhigh Network Security Manager MySQL account

Create the MySQL database user account that Content Security Reporter uses to access Skyhigh Security Network Security Manager log sources.

NOTE: Skyhigh Security recommends that you create a MySQL database user account specifically for communication between Content Security Reporter and Skyhigh Security Network Security Manager.

  1. Locate the Skyhigh Security Network Security Manager MySQL installation folder.
    Example: C:\Program Files (x86)\McAfee\Network Security Manager\MySQL
    1. Open a command prompt and type:
      cd <MySQL installation folder>\bin
    2. Press Enter.
  2. Log on to MySQL.
    1. On the command prompt, type:
      mysql --user=root mysql -p
    2. Press Enter.
    3. When prompted, type your password.
  3. Create the user account.
    1. On the command prompt, type:
      CREATE USER 'user_name'@'<ip_address>' IDENTIFIED BY 'some_password';
    2. Press Enter.
  4. Grant permissions to the account for the appropriate database and tables.
    1. On the command prompt, type:
      GRANT SELECT ON <database_name>.* TO 'user_name'@'<ip_address>';
    2. Press Enter.

TIPS: 

  • The default <database_name> is lf.
  • <ip_address> is the Content Security Reporter server IP address.

For more information about adding user accounts, see the MySQL 5.0 Reference Manual.
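
A verification pass for the account created above, as an added example that is not part of the Skyhigh documentation. It assumes the default database name lf and uses the placeholder account name csr_reader and the documentation-range address 192.0.2.10 for the Content Security Reporter server.

```sql
-- Added example, not vendor-supplied.
-- Assumptions (placeholders): account 'csr_reader', Content Security Reporter
-- server at 192.0.2.10, default database name lf.
-- Run from the mysql prompt opened in step 2 (logged on as root).

-- 1. List what the account can do. The procedure grants SELECT on lf.* only,
--    so any other privilege or database shown here was not set by these steps.
SHOW GRANTS FOR 'csr_reader'@'192.0.2.10';

-- 2. List every host entry and global privilege flag for the account name.
--    A second row, or a row with Host = '%', means the same credentials are
--    accepted from machines other than the reporter server.
--    A 'Y' in any *_priv column is a server-wide privilege.
SELECT User, Host,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv, Grant_priv, File_priv, Super_priv
FROM mysql.user
WHERE User = 'csr_reader';

-- 3. List database-level privileges for the account. The procedure produces
--    one row for lf with Select_priv = 'Y'; write or DDL flags set to 'Y',
--    or rows for other databases, exceed what reporting needs.
SELECT Host, Db,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv, Alter_priv, Grant_priv
FROM mysql.db
WHERE User = 'csr_reader';

-- 4. If step 2 or 3 shows more than intended, reset the account to the
--    documented state: remove everything, then re-grant read access only.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'csr_reader'@'192.0.2.10';
GRANT SELECT ON lf.* TO 'csr_reader'@'192.0.2.10';
```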

Configure ATD log sources

To collect Skyhigh Security Advanced Threat Defense data, configure the Web Gateway and Advanced Threat Defense log sources.

Prerequisite

Content Security Reporter uses Web Gateway to collect Advanced Threat Defense scan result data. Before you configure Advanced Threat Defense log sources, verify that the Advanced Threat Defense settings are configured on Web Gateway.

  1. To create each log source, follow these steps:
    1. Select Menu > Configuration > Report Server Settings.
    2. From the Setting Categories menu, select Log Sources.
    3. From the Actions menu, select New.
    4. In the New Log Source page, enter the unique log source name in the Name field.
    5. Verify that the Enable log source checkbox is selected.
  2. To configure the Web Gateway log source, choose from one of these options.

Web Gateway log source configuration options

Task: Enable Content Security Reporter to accept incoming Web Gateway log files.
Steps:
  1. From the Mode drop-down list, select Accept incoming log files, then select one of these options:
    • FTP(S) / HTTP(S)
    • Syslog
  2. From the Log format drop-down list, select Skyhigh Security Web Gateway (Webwasher) - Auto Discover.
  3. Configure the settings on the available tabs, then click OK.

Task: Enable Content Security Reporter to collect log files from Web Gateway.
Steps:
  1. From the Mode drop-down list, select Collect log files from, then select one of these options:
    • Secure Web Gateway 6.x (Webwasher)
    • Secure Web Gateway 7.x
  2. Configure the Web Gateway Server settings, then click Test.
  3. If the settings are correct, configure the settings on the remaining tabs, then click OK.

  3. To configure the Advanced Threat Defense log source, choose from one of these options.

Advanced Threat Defense log source configuration options

Task: Enable Content Security Reporter to accept incoming Advanced Threat Defense log files.
Steps:
  1. From the Mode drop-down list, select Accept incoming log files, then select one of these options:
    • FTP(S) / HTTP(S)
    • Syslog
  2. From the Log format drop-down list, select Skyhigh Security Web Gateway (MATD) - Auto Discover.
  3. Configure the settings on the remaining tabs, then click OK.

Task: Enable Content Security Reporter to collect log files from Advanced Threat Defense.
Steps:
  1. From the Mode drop-down list, select Collect log files from > Skyhigh Security Web Gateway 7.x (MATD).
  2. Configure the Web Gateway Server settings, then click Test.
  3. If the settings are correct, configure the settings on the remaining tabs, then click OK.

Configure Content Security Reporter to accept log sources from Skyhigh Security Web Gateway Cloud Service

You can configure Content Security Reporter to receive log sources from Skyhigh Security WGCS.

  1. From the Trellix ePO menu, select Configuration > Report Server Settings.
  2. From the Setting Categories, select Log Sources.
  3. From the Actions menu, select New.
  4. On the New Log Source page, enter a unique log source name in the Name field, then select Enable log source.
  5. To configure the Skyhigh Security Web Gateway Cloud Service log source, choose from one of these options.

Results

Skyhigh Security Web Gateway Cloud Service log source configuration options

Task: Enable Content Security Reporter to accept incoming Skyhigh Security Web Gateway Cloud Service log files.
Steps:
  1. From the Mode drop-down list, select Accept incoming log files, then select one of these options:
    • FTP(S) / HTTP(S)
  2. From the Log format drop-down list, select Web Gateway Cloud Service.
  3. Configure the settings on the available tabs, then click OK.

Task: Enable Content Security Reporter to collect log files from Skyhigh Security Web Gateway Cloud Service.
Steps:
  1. From the Mode drop-down list, select Collect log files from > Skyhigh Security Web Gateway Cloud Service.
  2. From the Log format drop-down list, select Web Gateway Cloud Service.
  3. Configure the Skyhigh Security Web Gateway Cloud Service settings, then click Test.
  4. Configure the settings on the available tabs, then click OK.

NOTE: For information about analyzing the log sources using your own on-premise reporting solution, see the Skyhigh Security Web Gateway Cloud Service Product Guide.

NOTE: For more information on configuring Content Security Reporter, see Skyhigh Security Knowledge Base article KB91327.

Avoiding peak load on Web Gateway Cloud Service

To avoid peak load on the Skyhigh Security Web Gateway Cloud Service database, Content Security Reporter does not allow log collection to be scheduled at the top of the hour.

Skyhigh Security Web Gateway Cloud Service logs that were scheduled to run at the top of the hour in a previous Content Security Reporter version are now rescheduled.

For example, if a log source was scheduled to pull logs at 10 AM, Content Security Reporter reschedules it to any time between 10.1 and 10.9.

Configure a region

You can configure a region to add new geographies in addition to the default regions in Content Security Reporter. This applies only to log sources that use Skyhigh Security Web Gateway Cloud Service.

On the Source tab of the New Log Source page, six regions are added by default from which log files can be collected.

Check the status of running logs

To check the logs that are currently processing, view the list of running jobs.

  1. Select Menu > Configuration > Report Server Settings.
  2. From the Setting Categories menu, select Log Sources.
  3. Click the Current Jobs tab.
  4. To update the status of jobs currently running, click Refresh.

Check the statistics for processed logs

View the statistics for logs processed by Content Security Reporter.

  1. Select Menu > Configuration > Report Server Settings.
  2. From the Setting Categories menu, select Log Sources.
  3. Click the Statistics tab.
  4. To update the Cumulative log statistics or Syslog client statistics, click Refresh.

Manage log processing jobs

Manage the list of log processing jobs that are queued, running, or completed.

  1. Select Menu > Configuration > Report Server Settings.
  2. From the Setting Categories menu, select Log Sources > Job Queue.
  3. From the Actions menu, select a task you want to perform.

Modify custom column rule sets

Modify the data string sets for the corresponding custom columns used during log file processing.

  1. Select Menu > Configuration > Report Server Settings.
  2. From the Setting Categories menu, select Log Sources > Custom Columns.
  3. From the Actions list, select Edit Rule Set.
  4. On the Edit Rule Set page, select New from the Actions menu.
  5. On the New Rule page, type the data string value in the Replace field.
  6. From the With menu, choose any additional characters, then click OK.

Create user-defined column rule sets

Create custom rule sets for the user-defined columns used during log file processing.

  1. Select Menu > Configuration > Report Server Settings.
  2. From the Setting Categories menu, select Log Sources > Custom Rule Sets.
  3. From the Actions menu, select New.
  4. Enter a name and description for the rule set.
  5. Add a data string to the Rules list.
    1. From the Actions menu, select New.
    2. From the New Rule page, type the data string value in the Replace field.
    3. From the With drop-down list, choose any additional characters, then click OK.

Configure browse time options

Choose the threshold and default time for estimated browsing session lengths.

  1. Select Menu > Configuration > Report Server Settings.
  2. From the Setting Categories menu, select Log Sources > Browse Time, then click Edit.
  3. On the Edit Browse Time page, select the time in minutes from the Browse time threshold menu.
  4. From the Default browse time menu, select the time in minutes, then click Save.

Import a single log file

Import log files from a directory on the client computer.

NOTE: To avoid errors, verify that the log file format matches the log source in your imported log files.

  1. Select Menu > Configuration > Report Server Settings.
  2. From the Setting Categories menu, select Log Sources.
  3. Select a log source.
  4. From the Actions menu, select Import Log.
  5. On the Import Log page, click Browse, find the log file you want to import, then click Open.
    • A message confirms that the selected log file is imported.
  6. Click OK.