McAfee Content Security Reporter 2.0.0

Product Guide
Revision A

McAfee Content Security Reporter
For use with ePolicy Orchestrator Software

COPYRIGHT

Copyright 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee Content Security Reporter Product Guide

Contents

Preface: About this guide; Audience; Conventions; Find product documentation

Introduction to Content Security Reporter: About Content Security Reporter; Features

Installation: Changes in ePolicy Orchestrator; System requirements; Install Content Security Reporter; Download the product files; Install the software; Install the extension; Register the report server

Report server settings: Log sources; Log source modes; Log formats; User-defined columns; Processing and post-processing; Custom columns; Custom rule sets; Browse time; Databases; When to use an internal database; When to use an external database; View the server status; Configure a log source; Create a MySQL database user account; View log processing jobs; View log source statistics; Manage log processing jobs; View custom columns; Configure rule sets; Configure browse time options; Import a single log file; Configure the database; Connect to the internal database; Backup and restore the internal database; Connect to an external database; Execute SQL; Configure performance options; Edit memory allocation; Configure concurrent jobs; Manage the log processing cache; Manage the log processing summary cache

Reporting: Monitoring with dashboards; Default dashboards; Custom dashboards; Monitors; Querying the database; Queries; Query Builder; Reports; Default reports; Custom reports; Configure a dashboard; Create a dashboard; Add monitors to dashboards; Configure a query; Running reports; Schedule queries and reports

Content Security Reporter maintenance: Maintain the database; Configure automated database maintenance jobs; Run manual database maintenance jobs; Manage database maintenance jobs; Maintain the system; Configure automated system maintenance jobs; Run manual system maintenance jobs; Manage system maintenance jobs; Collect system information for troubleshooting; Upgrade; Back up the current configuration; Upgrade the software; Update the database schema; Uninstall Content Security Reporter; Remove the report server; Remove the extensions; Remove the software; System backup; Back up configuration settings; Restore configuration settings

A Auto-discover log formats
B Fixed-field log formats
Index

Preface

Contents: About this guide; Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

- Administrators: People who implement and enforce the company's security program.

Conventions

This guide uses these typographical conventions and icons.

- Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
- Bold: Text that is strongly emphasized.
- User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
- Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
- Hypertext blue: A link to a topic or to an external website.
- Note: Additional information, like an alternate method of accessing an option.
- Tip: Suggestions and recommendations.
- Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
- Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1. Go to the McAfee Technical Support ServicePortal at
2. Under Self Service, access the type of information you need:

To access User documentation, do this:
1. Click Product Documentation.
2. Select a product, then select a version.
3. Select a product document.

To access the KnowledgeBase, do this:
- Click Search the KnowledgeBase for answers to your product questions.
- Click Browse the KnowledgeBase for articles listed by product and version.

1 Introduction to Content Security Reporter

McAfee Content Security Reporter (Content Security Reporter) is a reporting software solution that helps you understand Internet and usage, and IPS alert data within your organization.

Contents: About Content Security Reporter; Features

About Content Security Reporter

Content Security Reporter collects data from devices on the network and manages it in a central database. The collected data information helps you to identify these issues in your organization:

- Liability exposure
- Productivity loss
- Bandwidth overload
- Security threats

Once identified, you can use this information to modify your Internet, , and IPS policies to effectively enforce network protection.

How it works

Content Security Reporter is composed of several elements that work together to provide reporting capabilities.

Understand the role of each element to plan, use, and maintain Content Security Reporter.

Figure 1-1 Content Security Reporter element workflow

Content Security Reporter is server-based software that contains:

1. Database: The central storage component for all log data used by Content Security Reporter.
2. Query: Retrieves log data from the database, defines the type of data used to create a dashboard or report, and defines how the data is displayed.
3. Filter: Applied to a query or dashboard to limit the data set to specific user names, websites, reputations, and so on.
4. Dashboard: Displays information through a collection of monitors to give you a customized view of your organization's Internet, , and IPS alert data.
5. Report: Combines queries, filters, and other elements into PDF documents providing detailed information for analysis.

Features

Several Content Security Reporter features are essential for reporting capabilities. These features include:

- ePolicy Orchestrator integration: Content Security Reporter extends the ePolicy Orchestrator interface functionality to add new reporting capabilities while offering all standard ePolicy Orchestrator features and functions.
- Role-based access: When Content Security Reporter is installed, only users with global administrator permissions can create reports, run reports, and manage the report server. An administrator can grant user access to reports and report server settings by specifying Content Security Reporter permissions for each ePolicy Orchestrator permission set.
- Log sources: Used to obtain report data from network devices.

- Rule sets: Tell Content Security Reporter to look for a specific string of data during log file processing and replace it with a different string.
- Databases: Use the internal database or a supported external database, depending on your organization's data needs.
- Performance options: Performance optimization options to ensure that Content Security Reporter runs efficiently.
- Dashboards: Dashboards provide visibility into the network usage of your organization.
- Analytics: Enable analytics on dashboards for additional filter and workflow options.
- Queries: Default queries are installed with Content Security Reporter that can be run as is, or duplicated and customized to create other useful dashboards and reports. Content Security Reporter queries can be added to other ePolicy Orchestrator dashboards and reports, not just those installed by Content Security Reporter.
- Reports: Default reports are installed with Content Security Reporter that can be used as is, or duplicated and customized to fit your organization's needs.
- Maintenance: Regular maintenance options that promote optimal report server and database performance.


2 Installation

Download and install Content Security Reporter to run with ePolicy Orchestrator

Contents: Changes in ePolicy Orchestrator; System requirements; Install Content Security Reporter

Changes in ePolicy Orchestrator

Content Security Reporter works with McAfee ePolicy Orchestrator software to provide reports from data collected by a filtering device placed on your organization's network. After Content Security Reporter is installed, all standard ePolicy Orchestrator features and functions are available, as well as additional Content Security Reporter changes that occur on the ePolicy Orchestrator interface.

Table 2-1 Changes to ePolicy Orchestrator

Item | Location
Reporting extensions | View and manage Content Security Reporter extensions.
Report Server | The report server provides ePolicy Orchestrator with Content Security Reporter features. The report server and Content Security Reporter database server are added at the same time. McAfee recommends you do not change the default database server settings.
Content Security Reporter permissions | Configure access and usage rights to Content Security Reporter features within each ePolicy Orchestrator user permission set.
Report Server Settings menu item | Perform immediate or scheduled maintenance tasks, manage the server status, log sources, databases, and system utilities.
Queries | A set of default Content Security Reporter queries are installed that can be used as is, or duplicated and customized to provide the data used in reports or dashboard monitors. Content Security Reporter queries can be added to other ePolicy Orchestrator dashboards and reports, not just those installed by Content Security Reporter.
Dashboards | A set of default Content Security Reporter dashboards are installed that can be used as is, or duplicated and customized to provide detailed overviews of your network traffic.
Analytics | Enable analytics on dashboards for additional filter and workflow options.

Table 2-1 Changes to ePolicy Orchestrator (continued)

Item | Location
Reports | A set of default Content Security Reporter reports are installed that can be used as is, or duplicated and customized to create useful data about Internet and usage, IPS alerts, policy enforcement, productivity, and security threats in your organization.
Common Catalog menu item | Create, duplicate, or customize catalogs to store lists of items such as network addresses and URLs.

System requirements

To install and operate Content Security Reporter, the system must meet the minimum requirements consistent with the requirements to run ePolicy Orchestrator. There are no license restrictions to install Content Security Reporter.

Table 2-2 Microsoft Server operating requirements 32-bit

Operating system | Version
Windows Server 2003 | SP2 Standard, Enterprise, or Datacenter
Windows Server 2008 | SP2 Standard, Enterprise, or Datacenter

Table 2-3 Microsoft Server operating requirements 64-bit

Operating system | Version
Windows Server 2003 | SP2 Standard, Enterprise, or Datacenter
Windows Server 2008 | SP2 Standard, Enterprise, or Datacenter
Windows Server 2008 | R2 Standard, Enterprise, or Datacenter
Windows Server 2008 | Small Business Premium

Supported browsers

- Mozilla Firefox 3.5
- Mozilla Firefox 3.6
- Microsoft Internet Explorer 7.0
- Microsoft Internet Explorer 8.0

Install Content Security Reporter

Download, install, and register Content Security Reporter software in ePolicy Orchestrator. The software can be installed on the same computer as ePolicy Orchestrator, or on a separate computer that has the ability to communicate with ePolicy Orchestrator. Additional configuration may be necessary to ensure that they can communicate through any firewall that is in place.

ePolicy Orchestrator must be installed and running correctly before you attempt to install Content Security Reporter.

Contents: Download the product files; Install the software; Install the extension; Register the report server

Download the product files

Download the Content Security Reporter installation files from the McAfee download site.

1. Start ePolicy Orchestrator.
2. Go to the McAfee Products Download page.
3. Under Download My Products, enter your grant number and click Go.
4. Download these Content Security Reporter files:
   - Installation executable file appropriate for your computer
   - Extension.zip file for ePolicy Orchestrator (ePO)

Install the software

Install the Content Security Reporter software on the computer where you will configure it to run with ePolicy Orchestrator. ePolicy Orchestrator can be active during this installation.

1. Log on to the operating system as an administrator.
2. Run the installation executable file you downloaded.
3. Follow the on-screen prompts to complete the installation.
4. When prompted, enter a passkey.

McAfee recommends using a strong passkey:

- Minimum of eight characters
- No spaces
- Case sensitive
- Mix of uppercase, lowercase, numeric, and special characters

Install the extension

Install the Content Security Reporter extension.zip file so it is available in ePolicy Orchestrator.

1. Select Menu | Software | Extensions.
2. Click Install Extension.
3. Browse to the extension.zip file, then click OK.

A Reporting extension appears in the Extensions list, and a Report Server Settings menu option becomes available.

Register the report server

Register the report server with ePolicy Orchestrator.

1. Select Menu | Configuration | Registered Servers.
2. Click New Server.
3. In the Registered Server Builder dialog box, set the server type as Report Server.
4. Enter a name for the server, or the IP address of the computer where Content Security Reporter is installed, then click Next.
5. Enter the passkey you used during installation.
6. Click Test Settings. A Test login successful message appears.
7. Click Save.

Report and database servers are added to the list of registered servers.

3 Report server settings

Report server settings allow the tuning of multiple settings to configure Content Security Reporter.

Contents: Log sources; Databases; View the server status; Configure a log source; Configure the database; Configure performance options

Log sources

Content Security Reporter uses log sources to obtain the Internet and usage data, and IPS alert data that is used in reports. Content Security Reporter processes the information from log sources, then stores the data in an internal or external database.

See also Configure a log source on page 19

Log source modes

Use a log source mode to obtain log file data from a log source. The mode selected depends on the ability of your network device to send log data. When configuring a log source, select one of the available modes, or manually import a single log file.

- Accept incoming log files: Use this method when network devices send log data to Content Security Reporter.
- Collect log files from: Use this method when Content Security Reporter collects log files from network devices or log storage devices. The fields displayed on the Source tab differ depending on which option you choose.

Approximately 1 GB of temporary space is needed on the Content Security Reporter server for every GB of log data collected and processed.

Log formats

Log formats determine how Content Security Reporter processes (also called parsing) data from log files, and how the data is stored in the database. Content Security Reporter recognizes the structure of auto-discover and fixed-field log formats.

User-defined columns

Up to four user-defined columns can be configured for each log source during log file processing, and can be used to substitute column data, or to obtain data from columns that are normally skipped. User-defined columns are also used when repopulating database columns during database maintenance.

User-defined columns do the following:

- Include skipped log field data: During log file processing, some log file fields are skipped. For example, log file processing skips the McAfee Web Gateway Referrer and Policy name fields. You can configure up to four user-defined columns to pull the data from the skipped fields to include in reports.
- Assign a custom value to column data: Substitute standard column data with a custom string value to make it easier to find and review in reports. For example, you want to assign test lab to all IP addresses beginning with 115 and assign other to any additional IP addresses. In the report, the user-defined column displays either test lab or other in place of the numeric value of IP addresses.

When you create a user-defined column, Content Security Reporter treats this as an additional column and leaves the original column and original data in the log file. Using the previous example of substituting IP addresses, the original IP address column data remains unchanged and is still available for use in reports.

When entering a value in the Log file header value box, do not use quotation marks.

Processing and post-processing

When configuring a log source, use the Processing and Post Processing tabs to determine how Content Security Reporter handles the data pulled from log files.

Page views setting

The Condense log records into page views setting on the Processing tab for a log source affects queries and disk space requirements for the reporting database.

Each line of a log file is a separate HTTP request for a webpage element. Viewing one webpage can result in multiple records in the log file. The Condense log records into page views option consolidates multiple records from a log file into a single page view, or "hit", in reports. Condensing log records into page views generates a concise report view when using either summary or detailed queries. For example, condensing log records into page views could potentially reduce a 1 GB log file down to a 100 MB log file.

By default, the Condense log records into page views option is enabled. If you disable this option, each webpage you visit, and each element on the page, is logged as a separate HTTP request. For example, if you visit and that page contains multiple elements, then the log data looks like this:

adserver.example.com/ad1.jpg
adserver.example.com/ad2.jpg
adserver.example.com/ad3.jpg

With Condense log records into page views enabled, your log data will show only one HTTP request as a page view

Custom columns

Custom columns substitute the data in the browser and cache columns in your log files with a word or phrase that better identifies the browser or cache value. Custom columns are predefined rule sets for predefined columns. Instead of reports containing Mozilla/4.0 (compatible; MSIE 7.0 ), the reports contain Internet Explorer 7.0. However, the original data value is retained in your database.

Each custom column uses a configured rule set to substitute technical data values from the browser or cache columns with common identifiers, to make the browser and cache data in your reports more recognizable.

See also View custom columns on page 24

Custom rule sets

Rule sets are customized instructions that tell Content Security Reporter to look for a specific string of data during log file processing and replace it with a different string. This resulting string appears in reports and is more recognizable to users. A test function is available to validate the result of a rule set.

Rule sets make your custom columns and user-defined columns work. Configure rule sets to find any string that appears in a log file and replace it with a different string defined by you. The string can be letters, numbers, and symbols.

- Custom column rule sets: Custom columns are predefined for the browser and cache columns. Each custom column has a corresponding rule set. You can modify the rule sets, but you cannot add or delete rule sets for the custom columns.
- User-defined column rule sets: User-defined columns are customized by you for any available log record or header. You create the rule sets for these columns, which can be edited, deleted, copied, and used by more than one user-defined column at a time.
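The rule-set behaviour described above for custom columns and user-defined columns, sketched in Python as an added example (not McAfee's code or the product's rule syntax): the record field names, the user_defined_N column names and the use of regular expressions are assumptions. It goes one step past the guide's 115 example by showing how an unanchored pattern mislabels an address.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_USER_DEFINED_COLUMNS = 4  # limit per log source stated in the guide


@dataclass(frozen=True)
class Rule:
    pattern: str      # regular expression searched for in the source value
    replacement: str  # string shown in reports when the pattern matches


@dataclass(frozen=True)
class RuleSet:
    """Ordered find-and-replace rules; the first matching rule wins."""
    name: str
    rules: tuple
    default: Optional[str] = None  # None: keep the source value when nothing matches

    def test(self, value: str) -> str:
        """Return the report value for one input, like the rule set test function."""
        for rule in self.rules:
            if re.search(rule.pattern, value):
                return rule.replacement
        return value if self.default is None else self.default


def populate_user_columns(record: dict, columns: list) -> dict:
    """Add user_defined_N columns; columns is a list of (source field, RuleSet or None)."""
    if len(columns) > MAX_USER_DEFINED_COLUMNS:
        raise ValueError("a log source takes at most four user-defined columns")
    out = dict(record)  # the original columns and their data are left unchanged
    for n, (source_field, rule_set) in enumerate(columns, start=1):
        raw = record.get(source_field, "")
        out[f"user_defined_{n}"] = rule_set.test(raw) if rule_set else raw
    return out


# Rule sets modelled on the guide's two examples (hypothetical names).
# "^115\." anchors the match to the first octet of the address.
LAB = RuleSet("lab-by-ip", (Rule(r"^115\.", "test lab"),), default="other")
# The browser substitution is a predefined custom column in the product;
# it is modelled with the same mechanism here for illustration.
BROWSER = RuleSet("browser", (Rule(r"MSIE 7\.0", "Internet Explorer 7.0"),))
# A looser rule that matches "115" anywhere in the value.
LOOSE_LAB = RuleSet("lab-loose", (Rule(r"115", "test lab"),), default="other")

# Constructed log records; "referrer" stands in for a field that processing skips.
RECORDS = [
    {"client_ip": "115.20.3.4",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
     "referrer": "intranet.example.com"},
    {"client_ip": "10.0.115.9",
     "user_agent": "Mozilla/5.0 Firefox/3.6",
     "referrer": ""},
]

# Three of the four available user-defined columns: substitute, substitute, copy as is.
COLUMNS = [("client_ip", LAB), ("user_agent", BROWSER), ("referrer", None)]


def process(records=RECORDS, columns=COLUMNS):
    """Return every record with its user-defined columns populated."""
    return [populate_user_columns(r, columns) for r in records]


if __name__ == "__main__":
    for row in process():
        print(row)
    # The unanchored rule labels 10.0.115.9 as "test lab"; the anchored one says "other".
    print(LOOSE_LAB.test("10.0.115.9"), LAB.test("10.0.115.9"))
```

Running a candidate rule set through `test()` against addresses that should not match is the quickest way to catch a pattern that is too loose before its labels reach a report.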
See also Configure rule sets on page 24

Browse time

You can specify the length of time for the browse time threshold.

Content Security Reporter estimates a user's browse time by calculating the difference between the time stamps of two log lines. For example, if the log file shows that Jon Lock visits at 03:00:00 p.m. and news.example.com at 04:30:00 p.m., the browse time is the 1 hour 30 minutes that occurred between the time he visited and news.example.com.

However, Jon Lock probably did not spend more than one hour viewing a single webpage. To compensate for this, Content Security Reporter overrides the estimated browse time with a default browse time.
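An added Python sketch of the browse-time estimate (not the product's implementation), using the three-minute default threshold this section gives. The log line layout, the one-minute default browse time and the treatment of a user's last request are assumptions, since the guide does not state them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = timedelta(minutes=3)       # default browse time threshold given in the guide
DEFAULT_BROWSE = timedelta(minutes=1)  # assumed value; the guide does not state the default
UNCAPPED = timedelta.max               # pass as threshold to see the raw estimates

# Constructed log lines (date, time, user, site), deliberately not in time order.
LOG = """\
2013-05-01 15:00:00 jlock www.example.com
2013-05-01 15:00:40 asmith mail.example.com
2013-05-01 16:30:00 jlock news.example.com
2013-05-01 16:31:30 jlock sports.example.com
2013-05-01 15:03:40 asmith wiki.example.com
"""


def parse(line):
    """Split one constructed log line into (timestamp, user, site)."""
    date, time, user, site = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), user, site


def browse_times(text, threshold=THRESHOLD, default=DEFAULT_BROWSE):
    """Return (user, site, seconds) per request, applying the threshold override."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            stamp, user, site = parse(line)
            by_user[user].append((stamp, site))
    results = []
    for user in sorted(by_user):
        visits = sorted(by_user[user])  # order each user's requests by time stamp
        for (stamp, site), nxt in zip(visits, visits[1:] + [None]):
            if nxt is None:
                spent = default         # assumption: no later line to measure against
            else:
                spent = nxt[0] - stamp  # difference between two time stamps
                if spent > threshold:
                    spent = default     # estimate exceeds the threshold: record the default
            results.append((user, site, int(spent.total_seconds())))
    return results


def totals(results):
    """Sum the recorded browse time, in seconds, per user."""
    out = defaultdict(int)
    for user, _site, seconds in results:
        out[user] += seconds
    return dict(out)


if __name__ == "__main__":
    for row in browse_times(LOG):
        print(row)
    print(totals(browse_times(LOG)))
    # Without the override, the 90-minute gap is booked against www.example.com.
    print(browse_times(LOG, threshold=UNCAPPED)[2])
```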

The browse time threshold option specifies the maximum length of time you expect a user to spend viewing a single webpage. The default is three minutes. When a user exceeds the browse time threshold, the default browse time is recorded in the database instead.

See also Configure browse time options on page 24

Databases

Content Security Reporter uses a database to store data from log files and is installed with an internal database, or you can use a supported external database. Set up a database that is appropriate for the size of your organization and the amount of data your organization generates.

Contents: When to use an internal database; When to use an external database

When to use an internal database

During installation, Content Security Reporter is automatically configured to use the internal database (MySQL 5.0). McAfee recommends using this database only if you need to store up to 50 GB of data.

The internal database installs on the same drive as Content Security Reporter. Log files and data from the internal database are not transferable to another database.

Evaluate if using an internal database is necessary for your organization's needs. You must have enough free drive space to accumulate data in the internal database. McAfee recommends using an internal database for these situations:

- Small to medium size organizations
- Evaluating Content Security Reporter

See also Connect to the internal database on page 25

When to use an external database

Use an external database when there is more than 50 GB of data to store. Connect Content Security Reporter to one of these supported external database platforms to store report data:

- Microsoft SQL Server 2005
- Microsoft SQL Server 2008
- Microsoft SQL Server 2012
- MySQL 5.0
- MySQL 5.5

Evaluate if using an external database is necessary for your organization's needs.
McAfee recommends using an external database for these situations:

- There is more than 50 GB of data to store
- In a medium to large size organization
- Do not want to condense log records into page views
- Need to increase performance
- Need additional database management tools

Refer to the product documentation for your external database for instructions about backing up the database.

See also Connect to an external database on page 26

View the server status

View the Server Status page for status information about the report server.

For option definitions, click ? in the interface.

1. Select Menu | Configuration | Report Server Settings.
2. Click Server Status.
3. Click Refresh.

Configure a log source

Configure log source options in Content Security Reporter to collect network usage and alert data for generating reports.

For option definitions, click ? in the interface.

1. Choose the log source mode and format.
   a. Select Menu | Configuration | Report Server Settings.
   b. From the Setting Categories menu, select Log Sources.
   c. From the Actions menu, select New. The New Log Source window appears.
   d. Enter a name for the log source.
   e. Choose from these log sources to process log files:

Table 3-1 Accept incoming log files

Option: FTP / HTTP(S)
Definition: Enter this information to create a logon account to accept log files from the network device:
- Logon name
- Password

Option: Syslog
Definition: Enter this information to create a logon account to accept log files from the network device:
- Client addresses of the connecting machine to the Content Security Reporter server
- Server port
- Protocol
When McAfee Web Gateway (Webwasher) Auto Discover is selected, enter a log header

For more information about sending log data using the FTP/HTTP(S) or Syslog options, consult the documentation for your network device.

Table 3-2 Collect log files from

Option: McAfee Web Gateway 6.x (Webwasher)
Definition: Enter this information:
- Device address
- UI port
- Logon name
- Password
Use the Test button to verify that the settings work correctly.

Option: McAfee Web Gateway 7.x
Definition: Enter this information:
- Device address
- UI port
- Logon name
- Password
- Appliance name
- Log file base name
Use the Test button to verify that the settings work correctly.

Table 3-2 Collect log files from (continued)

Option: McAfee SaaS Web Protection Service
Definition: Enter this information:
- Customer ID
- Logon name
- Password
Use the Test button to verify that the settings work correctly.
Your Customer ID is sent in the documentation received when you registered for McAfee SaaS Web Protection Service.
In the Log Format field, McAfee SaaS Web Protection Service is selected by default.
Ensure that access to the URL and port 443 is not blocked by your firewall or service between the Content Security Reporter server and the Internet.
Content Security Reporter retrieves a maximum of 15 days worth of past data from McAfee SaaS Web Protection Service.

Option: FTP server
Definition: Enter this information:
- FTP server address
- Port
- Logon name
- Password
- Directory
Use the Test button to verify that the settings work correctly.

Option: Directory on report server
Definition: Select the directory. Use the Test button to verify that the settings work correctly.

Option: McAfee Network Security Manager
Definition: Enter this information:
- Device address
- Device port
- Logon name
- Password
Use the Test button to verify that the settings work correctly.
In the Log Format field, McAfee Network Security Platform is selected by default.

   f. From the Log Format drop-down list, select the log format that corresponds to your device.
2. Configure user-defined columns.
   a. Click the User Defined Columns tab.
   b. Select and configure up to four user-defined columns.
   c. Select the Populate this column checkbox.

   d. From the Log record drop-down list, select a source data type. If the log record is not found in the drop-down list, use the Log file header field to define a header. When entering a value in the Log file header field, do not use quotation marks.
   e. Select the Apply this rule set checkbox and select a previously created rule set from the drop-down list.
3. Create a schedule for processing logs. The Schedule tab is only available when the Collect log files from mode is selected.
   a. Click the Schedule tab.
   b. Specify the frequency, dates, and times.
4. Configure processing and post-processing options.
   a. Click the Processing or Post Processing tabs.
   b. Choose from the available options, then click OK.

Tasks

- Create a MySQL database user account on page 22: Content Security Reporter accesses the McAfee Network Security Manager database using a MySQL database user account. McAfee recommends that you create a MySQL database user that is specifically used for the purpose of communication between Content Security Reporter and McAfee Network Security Manager.
- View log processing jobs on page 23: View a list of current running log processing jobs.
- View log source statistics on page 23: View the cumulative and Syslog client statistics in Content Security Reporter.
- Manage log processing jobs on page 24: Manage the list of log processing jobs that are queued, running, or completed.
- View custom columns on page 24: View a list of built-in columns.
- Configure rule sets on page 24: Configure rule sets, which are used in user-defined columns during log file processing.
- Configure browse time options on page 24: Set the browse time threshold and default browse time for user browsing sessions.
- Import a single log file on page 25: Import log files from a directory on the client computer.

Create a MySQL database user account

Content Security Reporter accesses the McAfee Network Security Manager database using a MySQL database user account.
McAfee recommends that you create a MySQL database user that is specifically used for the purpose of communication between Content Security Reporter and McAfee Network Security Manager.

1. Log on to the McAfee Network Security Manager computer.
2. Locate the MySQL installation folder for McAfee Network Security Manager. For example, C:\Program Files (x86)\mcafee\network Security Manager\MySQL
3. Open a command prompt and type the command cd <MySQL installation folder>\bin, then press Enter.
4. Log on to MySQL: type the command mysql --user=root mysql -p, then press Enter.
5. Type your password.
6. Create the account and specify where the Content Security Reporter server is located.
   a. Run the command
      CREATE USER 'User 1'@'<Content Security Reporter server address>' IDENTIFIED BY 'mypassword';
   b. Press Enter.
7. Grant privileges to the account for the specified database and tables.
   a. Run the command
      GRANT SELECT ON <database name>.* TO 'User 1'@'<Content Security Reporter server address>';
   b. Press Enter.

The default <database name> is lf.

For more information, see the MySQL 5.0 Reference Manual.

View log processing jobs

View a list of current running log processing jobs.

For option definitions, click ? in the interface.

1. Select Menu | Configuration | Report Server Settings.
2. From the Setting Categories menu, select Log Sources.
3. Click the Current Jobs tab.
4. To update the list of current running log processing jobs, click Refresh.

View log source statistics

View the cumulative and Syslog client statistics in Content Security Reporter.

For option definitions, click ? in the interface.

1. Select Menu | Configuration | Report Server Settings.
2. From the Setting Categories menu, select Log Sources.
3. Click the Statistics tab.
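To confirm that the account created in the MySQL procedure above ended up read-only and bound to the report server, the added Python example below (not part of the product guide) audits the text that MySQL's SHOW GRANTS statement returns for that account. The grant lines, the 192.0.2.10 address and the function name are constructed for illustration; lf is the default database name the guide gives.

```python
import re

# One line of SHOW GRANTS output: privileges, object, account, trailing clauses.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$",
    re.IGNORECASE,
)
ALLOWED = {"USAGE", "SELECT"}  # USAGE carries no privileges; SELECT is what the guide grants
ALL_PRIVS = {"ALL", "ALL PRIVILEGES"}

# Constructed output for an account set up as the guide describes.
GOOD = [
    "GRANT USAGE ON *.* TO 'User 1'@'192.0.2.10' IDENTIFIED BY PASSWORD '<hash placeholder>'",
    "GRANT SELECT ON `lf`.* TO 'User 1'@'192.0.2.10'",
]
# Constructed output for an over-privileged account reachable from any host.
BAD = [
    "GRANT SELECT, INSERT, DELETE ON *.* TO 'User 1'@'%' "
    "IDENTIFIED BY PASSWORD '<hash placeholder>' WITH GRANT OPTION",
]


def audit_grants(lines, database="lf", expected_host=None):
    """Return a list of findings; an empty list means SELECT-only on one database."""
    findings = []

    def add(message):
        if message not in findings:  # the same host appears on every grant line
            findings.append(message)

    has_select = False
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        host, obj = m["host"], m["obj"]
        # Drop column lists such as SELECT (col1, col2) before splitting on commas.
        privs = {p.strip().upper()
                 for p in re.sub(r"\([^)]*\)", "", m["privs"]).split(",")}
        if host == "" or "%" in host or "_" in host:
            add(f"host '{host}' is a wildcard, not the report server address")
        elif expected_host and host != expected_host:
            add(f"host '{host}' differs from expected '{expected_host}'")
        extra = privs - ALLOWED
        if extra:
            add(f"extra privileges on {obj}: {', '.join(sorted(extra))}")
        if "SELECT" in privs or privs & ALL_PRIVS:
            scope = obj.replace("`", "").split(".")[0]
            if scope in (database, "*"):
                has_select = True
            if scope != database:
                add(f"read access on {obj} is not limited to {database}.*")
        if "GRANT OPTION" in m["rest"].upper():
            add(f"WITH GRANT OPTION on {obj}")
    if not has_select:
        add(f"no SELECT grant on {database}.*")
    return findings


if __name__ == "__main__":
    print(audit_grants(GOOD, expected_host="192.0.2.10"))
    for finding in audit_grants(BAD):
        print(finding)
```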

Manage log processing jobs

Manage the list of log processing jobs that are queued, running, or completed.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Job Queue.
3 From the Actions menu, select a task you want to perform.

View custom columns

View a list of built-in columns.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Custom Columns.

The list of custom columns appears.

Configure rule sets

Configure rule sets, which are used in user-defined columns during log file processing.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Custom Rule Sets.
3 From the Actions menu, select New.
4 Enter a name and description, then configure the remaining rule set options.
5 Click OK.

Configure browse time options

Set the browse time threshold and default browse time for user browsing sessions.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources | Browse Time, then click Edit.
3 Choose the threshold and default time for browse time sessions, then click Save.

Import a single log file

Import log files from a directory on the client computer.

When using the Import Log option, the log file format must be the same as the log source to avoid errors.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Log Sources.
3 Select a log source.
4 From the Actions menu, select Import Log.
  A window opens that displays a local directory of the client.
5 Browse to the log file you want to import.
6 Click Open.
  A message confirms that the selected log file is imported.
7 Click OK.

Content Security Reporter processes the log file and the processing status appears on the Current Jobs tab.

Configure the database

Use the already configured internal database, or configure a supported external database.

Contents
- Connect to the internal database
- Backup and restore the internal database
- Connect to an external database
- Execute SQL

Connect to the internal database

Connect to the internal database that is installed with Content Security Reporter.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Reporter Server Settings.
2 From the Setting Categories menu, select Database.
3 In the Configuration section, select Default internal database.

Backup and restore the internal database

Back up the internal database to safeguard your data against hardware failures or other issues. Reinstate data from the backup using the restore feature.

Before you begin
McAfee recommends using the MySQL GUI Tools, which includes MySQL Administrator, to back up or restore the Content Security Reporter internal database. The MySQL GUI Tools is available as a free download from the MySQL Downloads page and must be installed on the same computer as Content Security Reporter.

You will need the following information when using this tool:
- Server Hostname
- Password: dba
- Port: 9129
- Database name: reporting
- Username: dba

1 Log off Content Security Reporter.
2 Shut down the Content Security Reporter Internal Database service.
3 Perform the backup or restore procedure using instructions in the MySQL Administrator documentation.
4 Restart the Content Security Reporter Internal Database service.
5 Log on to Content Security Reporter.

The backup and restore operation is complete and the internal database is functional.

Connect to an external database

Connect Content Security Reporter to a supported external database, based on the needs of your organization.

Before you begin
- You will need to provide the database address, port, logon information, and name.
- Any user on the Microsoft SQL Server database must have db_owner privileges.
- Install Content Security Reporter and the external database on the same computer, or on separate computers. If Content Security Reporter is installed on the same computer as the external database, there must be enough disk space to accumulate data according to your organization's needs.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Reporter Server Settings.
2 From the Setting Categories menu, click Database.
3 From the Actions menu, select Edit.
4 From the This external database drop-down list, select a database type.

5 Click Test to verify the settings are correct.
6 Click Save.

The connected database is listed as the Database Server in the registered servers list (Menu | Configuration | Registered Servers).

McAfee recommends that you do not edit the database settings on the Registered Servers page.

Execute SQL

When working with technical support, Execute SQL opens a window that enables a reporting administrator to execute SQL statements while troubleshooting.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Settings Categories menu, select Database.
3 Click Edit.
4 Click Execute SQL.
5 In the Input field, enter an SQL statement, then click Run.
6 To exit the dialog, click OK.

Configure performance options

Configure the performance options to ensure that Content Security Reporter runs efficiently.

Contents
- Edit memory allocation
- Configure concurrent jobs
- Manage the log processing cache
- Manage the log processing summary cache

Edit memory allocation

Dedicate the amount of memory that will be available to the report server.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options.
3 In the Memory section, click Edit.

4 Enter the amount of memory to reserve for Content Security Reporter, and select gigabytes or megabytes.
  - Minimum memory value: 1024 MB
  - Maximum 32-bit memory value: 1536 MB
5 Click OK.

If the memory value entered is too large, Content Security Reporter will not restart.

Configure concurrent jobs

Choose how many log processing jobs can run concurrently.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options.
3 In the Concurrent jobs section, click Edit.
4 Select the maximum number of concurrent log processing jobs, then click OK.

Manage the log processing cache

View and manage the settings in the log processing cache.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options | Cache.
3 From the Actions menu, select a task you want to perform.

Manage the log processing summary cache

View and manage the settings in the log processing summary cache.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Performance Options | Summary Cache.
3 From the Actions menu, select a task you want to perform.

Reporting

Use dashboards to monitor Internet and email usage, and IPS alert data in your organization, and report your findings using preconfigured or customized queries and reports.

Contents
- Monitoring with dashboards
- Querying the database
- Reports
- Configure a dashboard
- Configure a query
- Running reports
- Schedule queries and reports

Monitoring with dashboards

Dashboards provide the ability to constantly monitor Internet and email usage, and IPS alert data in your organization.

The following options are available for your dashboards:
- Dashboard Visibility: By selecting one of these options, you can control which users in your organization are able to view specific dashboards.
- Advanced Analytics: By enabling advanced analytics on a dashboard, additional filter and pivot actions become available to further customize and analyze dashboard data.

Default dashboards

Content Security Reporter comes with a set of default dashboards that you can run as they are, or duplicate and customize to suit your needs.

Default dashboards are available from the Dashboards tab and contain data obtained from Content Security Reporter default or customized queries. Dashboards display information such as:
- Hybrid activity
- Productivity
- Internet activity
- Security overview
- Policy enforcement

Custom dashboards

Create a dashboard, or duplicate and customize an existing dashboard for a specific and focused view of your organization's data.

For additional custom options, enable advanced analytics from the New Dashboard and Edit Dashboard windows. Enabling analytics provides you the following additional options:
- Filtering: Add filters to focus on which data you want to display on a dashboard and within a specified time range.
- Pivot: For specific log record information, navigate from a configured monitor on the dashboard layout to another dashboard focused around the same log record information.
- Table and chart legends: Select data within a chart or table legend to view or remove data.

Monitors

Dashboards are collections of monitors. You can tailor dashboard information by adding monitors that provide specific Internet and email usage, and IPS alert information.

A monitor displays data from default or custom queries in the form of charts and tables. Each monitor is configured independently in order to display multiple combinations of your organization's data.

Querying the database

Content Security Reporter allows you to create and run queries and reports that provide Internet and email usage, and IPS alert data in the form of charts and tables. The data for these queries and reports is pulled from log data, and is stored in the registered internal or external database.

Use any of the default queries and reports, or duplicate and modify existing queries and reports to create your own for a customized view of your organization's data.

Queries

Run a query independently, or combine queries within a report to view specific Internet and email usage, and IPS alert data within your organization.

Query results can be run on demand or on a regular schedule, and produce PDF output for viewing outside of Content Security Reporter. Content Security Reporter includes default queries that you can run as is, or you can create a customized query for your specific reporting needs.

Query Builder

Content Security Reporter provides a four-step wizard to create queries or to duplicate and customize default queries. Use the wizard to configure which data is retrieved and how it is displayed.

Custom query result types

Select a schema and result type to identify where and what type of data the query retrieves. Each type has its own set of data options (also called columns) to select from. The query type determines the amount of detail available for generating reports.

The following query types are available to you:
- Detailed email delivery: Data based on the delivery status of sent emails.
- Detailed email detection: Information regarding viruses detected in sent and received emails.
- Email summary: High-level email usage information.

- Detailed web access: Represents web traffic details such as full request URLs and exact date and time of each request.
- Web summary: Generation of hourly data for reports such as hits per user, categories per week, bytes per log source, and more.
- IPS Alerts: Detailed information about alerts generated from IPS devices.

It is quicker to generate reports and queries that are based on summary data than detail data.

Custom query-level filters

Specify criteria by selecting properties and operators to limit the data retrieved by the query. Query-level filters filter data only for the query in which they are applied.

For example, you already have a query that shows the top sites visited within your organization. In order to show only the top sites visited by user jsmith, you would select the Username column and type jsmith in the Value column property field. The query results then show the top sites visited by the user jsmith.

Use column properties to filter data only when report-level filters cannot be used. When you want more filtering capabilities and control over data in all queries, such as hourly, weekly, or monthly versions of the same queries, use report-level filters.

Custom query charts and columns

Content Security Reporter provides a number of layout options to display the data it retrieves. Choose from a variety of layout options to best display your data.

Reports

Content Security Reporter includes highly customizable, flexible, and easy-to-use reporting capabilities.

Reports are customizable documents that display data from one or more Content Security Reporter elements in a single PDF document for focused and offline analysis. Use the Report Builder to create and run reports that display charts and tables with user-configured data. The most recently run report is stored within Content Security Reporter and readily available for viewing.

Reporting is available with any of these subscriptions:
- McAfee Web Gateway
- McAfee SiteAdvisor Enterprise software
- McAfee SmartFilter software
- McAfee SaaS Web Protection Service

Default reports

Content Security Reporter installs several default reports made of Content Security Reporter queries and filters.

Default reports are available from Content Security Reporter Shared Groups. Default reports produce data from Content Security Reporter summary and detailed queries, for example:

- Your users' Internet activity
- The most blocked websites, malware, and applications
- The most used websites and applications
- Potential security threats to your organization

Custom reports

Create a new custom report, or duplicate and customize a default report to suit your needs.

The following display and setting options are available to customize your reports:
- Query: Information found within a report is based on the data generated within queries.
- Display options: Using these options, you can modify how the data is displayed within a report.
- Runtime parameters: Using these options, you can modify what data appears in a report.

Configure a dashboard

Create a dashboard that shows your organization's data the way you want to see it.

Create a dashboard

Set up customized dashboards to view your organization's Internet and email usage, and IPS alert data.

For option definitions, click ? in the interface.

1 Add a new dashboard to Content Security Reporter.
   a On the menu bar, click Dashboards.
   b In Dashboard Actions, click New, and type a name for the dashboard that allows you to easily identify it.
   c In Dashboard Visibility, select who can view this dashboard.
2 Enable additional filtering capabilities.
   a In Analytics, select Enabled.
   b From the drop-down list, select a filter.
   c Click OK.

See also
- Custom dashboards

Add monitors to dashboards

Add monitors to a dashboard for a customizable view of your organization's data.

Before you begin
You must have write permissions for the dashboard you are modifying.

Every monitor type supports different configuration options. For example, a query monitor allows the query, database, and refresh interval to be changed.

1 Select Menu | Reporting | Dashboards and select a dashboard.
2 Click Add Monitor.
  The Monitor Gallery appears at the top of the screen.
3 From the View drop-down list, select a query.
  The available monitors in that category appear in the gallery.
4 Drag the monitor onto the dashboard. As you move the cursor around the dashboard, the nearest available drop location is highlighted. Drop the monitor into your desired location.
  The New Monitor dialog appears.
5 Configure the monitor as needed (each monitor has its own set of configuration options), then click OK.
6 After you have added monitors to this dashboard, click Save Changes to save the newly configured dashboard.
7 When you have completed your changes, click Close.

Tasks
- View additional details: View additional data details in monitors using the drill-down links.
- Filter dashboard data: Use filters to further customize the data in dashboard tables and charts.
- Pivot options: Use pivot options to add a new dashboard or view specific data.
- Add data items to Common Catalog: Use Common Catalog as a central data repository for IP addresses, sites, and user names.
- View Global Threat Intelligence information: View McAfee Global Threat Intelligence information to assess threats from malware, sites, URLs, and IP addresses.
- View a site: When viewing a dashboard, drill down to view a website.

See also
- Monitors

View additional details

View additional data details in monitors using the drill-down links.

Before you begin
Additional details are only available from configured monitors.

1 Select Menu | Reporting | Dashboards.
2 From the Dashboard drop-down list, select a dashboard.

3 Click a data type within a table or chart.
  A list of data items appears, generated from the selected data type.
4 Click a line of data.
  The Details page appears.

Filter dashboard data

Use filters to further customize the data in dashboard tables and charts.

Before you begin
Filter options are only available when analytics is enabled on a dashboard.

1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
  - Filter data by adding your own filter.
     a Click Add Filter.
     b Select a Filter Type and enter a Filter Value.
     c Click OK.
    In the Filter Value field, you can enter the filter pattern using these wildcard values:
    - Asterisks (*) are used to match one or more characters. For example, *a* matches all filter type results containing a.
    - Question marks (?) are used to match one character. For example, ?jones matches all filter type results beginning with any one character and ending with jones. You can use multiple ? in your filter value.
  - Filter data from a monitor table or chart legend.
     a Click the down arrow next to a data item.
     b From the drop-down list, select Add Filter.
  - Filter data by date range.
     a Enter a number value in the Show last field.
     b Select a frequency.
     c Click Go.

The applied filter will appear in the Add Filter area of the dashboard.

Pivot options

Use pivot options to add a new dashboard or view specific data.

Before you begin
Pivot options are only available when analytics is enabled on a dashboard.

1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
  - Pivot from the data in a monitor table or chart legend.
     a Click the down arrow next to a data item.
     b From the drop-down list, select Pivot to.
  - Pivot from the Details page.
     a Click table or chart data within a monitor.
     b Click on an item from the data table.
     c Click on a highlighted data item.
     d From the drop-down list, select Pivot to.

Add data items to Common Catalog

Use Common Catalog as a central data repository for IP addresses, sites, and user names.

Before you begin
Select Menu | Common Catalog to create a catalog list.

Common Catalog does not support IPv6 addresses.

1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
  - Add data items to Common Catalog from a monitor table or chart legend.
     a Click the down arrow next to a data item.
     b From the drop-down list, choose from these options:
       - Add to List: Deposits the data item into a Common Catalog list.
       - Remove from List: Removes the data item from a Common Catalog list.
       To select multiple lists, press Ctrl or Shift and select the lists intended for the data item.
  - Add data items to Common Catalog from the Details page.
     a Click table or chart data within a monitor.
     b Click on an item from the detail table.
     c Select a highlighted data item.
     d From the drop-down list, choose from these options:
       - Add to List: Deposits the data item into a Common Catalog list.
       - Remove from List: Removes the data item from a Common Catalog list.
       To select multiple lists, press Ctrl or Shift and select the lists intended for the data item.

View Global Threat Intelligence information

View McAfee Global Threat Intelligence information to assess threats from malware, sites, URLs, and IP addresses.

1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
  - View Global Threat Intelligence information from a monitor table or chart legend.
     a Click the down arrow next to a data item.
     b From the drop-down list, select View GTI info.
  - View Global Threat Intelligence information from the Details page.
     a Click table or chart data within a monitor.
     b Click on an item from the detail table.
     c Select a highlighted data item.
     d From the drop-down list, select View GTI info.

View a site

When viewing a dashboard, drill down to view a website.

Before you begin
View site options are only available when analytics is enabled on a dashboard.

1 Select Menu | Reporting | Dashboards.
2 Choose from these options:
  - View a site from a monitor table or chart legend.
     a Click the down arrow next to a URL.
     b Select View site from the drop-down list.
  - View a site from the Details page.
     a Click table or chart data within a monitor.
     b Click an item from the detail table.
     c Click the highlighted URL.
     d From the drop-down list, select View site.

A browser window appears displaying the selected website.

Configure a query

Before generating a report, configure the queries to use in your reports.

View Top Users by Browse Time example:

When configuring a query, consider the following user scenario for viewing the top users in your organization by overall browse time.

Assume the users in your organization have access to the Internet, and you would like to block specific users from the sites they visit most often. Use the View Top Users by Browse Time query to compare which users in your organization use the most browse time. After you have identified which users in your organization use the most browse time, Content Security Reporter allows you to block these users from accessing their most visited websites.

In this scenario, you are able to:
- Define which users in your organization use the most browse time.
- Compare the users in your organization that use the most browse time.
- Assess which website these top users visit most often.
- Block the websites that the top users visit most often.

1 Select a query type.
   a Select Queries & Reports Actions and click New, or select an existing query from the list and click Edit.
     The Query Builder opens with the Result Types view active.
   b From the Database Type drop-down list, select Content Security Reporter.
   c Select the query options you want from the available lists.
   d Click Next to move to the Chart page.
2 Select a query layout.
   a From the Display Results As list, select a graph or table for the query layout.
     Select a layout for your query that will best display your data.
   b Select the display options you want from the available lists.
   c Click Next to move to the Columns page.
  When entering the maximum value for the display, it is recommended to use a lower value. For example, instead of using 200 as the maximum value, enter 10 in the value box.
3 Select query columns.
   a From the Available Columns list, select which columns to apply to your query.
   b In Selected Columns, select, drag, and position each column.
   c Click Next to move to the Filter page.
  If you selected a Table result type on the Chart page, the columns you select here are the columns of that table. Otherwise, these are the columns that make up the query details table.
4 From the Available Properties list, select which properties to use for filtering your query and the appropriate values for each.

5 Click Run to check that you get the type of results you expect.
  If the query did not appear to return the expected results, click Edit Query to go back to the Query Builder and edit the details of the query. If you do not need to save the query, click Close.
  Before generating a report, you must first configure the queries to use in your reports.
6 Save the query.
   a Click Save to view the Save Query page.
   b Type a name for the query, add any notes, and select a group.
   c Click Save.

See also
- Query Builder

Running reports

Generate a report using default or customized queries. For example, create a report that shows the top blocked malware in your organization using data available from your configured queries.

Before you begin
By default, you must have administrator rights to be able to view, modify, and run existing reports as well as add new reports. To give other users the ability to create and run reports, select Menu | User Management | Permission Sets and edit the Content Security Reporter permission for each user type.

If the report includes runtime parameters, you can specify those parameters when running the report.

1 Select a query.
   a Select Queries & Reports Actions Report and click New, or select an existing report from the list and click Edit.
     The Report Builder opens with the Report Layout view active.
   b From the toolbox, drag a query chart to the report layout configuration area.
     The Configure Query Chart dialog box opens.
   c Select the available query options.
   d Click OK.
2 Customize the report.
   a In the Name, Description and Group tab, type a name, description, and which group to use.
     Use the Header and Footer and Page Setup tabs to specify how you want the query to appear in the report.
   b Use the Runtime Parameters tab to select report-level filters.

3 Click Run to generate the report.

At this point, you can choose to run the report to get the information immediately, save it to use another time, or configure its appearance further by adding content.

See also
- Custom reports

Schedule queries and reports

Create a schedule to regularly run queries and reports.

1 Select Menu | Automation | Server Tasks.
2 From the Actions menu, select New to open the Server Task Builder on the Description page.
3 Type a name for the task, and use the Notes area to add any additional information such as the expected results. Select whether you want the task enabled or disabled, and click Next to move to the Actions page.
4 From the Actions drop-down list, select Run Query or Run Report.
5 Select the query or report, its language, and whether you want to export the contents to a file, send it to someone else, or run another command.
  If you are exporting to a file, you must specify a destination directory before you can continue.
6 Click Next to move to the Schedule page.
7 Use the options to specify when you want the query or report to run, and for how long.
8 Configure any report-level filters.
9 Click Next to view a summary of the query or report settings.
10 Click Save.

The query or report is available to view, run, or edit from the Server Tasks list.

See also
- Query Builder
- Custom reports


Content Security Reporter maintenance

Content Security Reporter requires regular maintenance to promote optimal performance and to protect your data.

Database maintenance options allow you to perform tasks that optimize database performance and free database space. Over time, records are added to the database and more space is used. To free space in the database, you can delete older records you no longer need.

System maintenance options allow you to configure tasks that remove system status information and server logs to reduce disk space usage.

McAfee recommends that you perform database maintenance tasks during off-peak times. During maintenance, the database and new queries and reports are not available. Make sure you read the instructions for each maintenance task before starting the maintenance job in Content Security Reporter.

Contents
- Maintain the database
- Maintain the system
- Collect system information for troubleshooting
- Upgrade
- Uninstall Content Security Reporter
- System backup

Maintain the database

Schedule database maintenance tasks to run at a regular frequency and start time, or perform the tasks manually for immediate results.

Contents
- Configure automated database maintenance jobs
- Run manual database maintenance jobs
- Manage database maintenance jobs

Configure automated database maintenance jobs

Configure the settings for when Content Security Reporter performs database maintenance jobs.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Database Maintenance.

3 Click Edit, and configure these options:
  - Schedule database maintenance: Create a schedule for when to run database maintenance jobs.
  - Delete database records: Create database space by deleting database records.
  - Index maintenance: Configure the frequency for when Content Security Reporter rebuilds indexes.
  - Maintenance options: Specify the maximum number of records that are deleted at any one time.
4 Click Save.

Run manual database maintenance jobs

Manually run database maintenance jobs for immediate results.

Contents
- Delete database records by date range
- Delete database records by log source
- Repopulate columns
- Rebuild indexes
- Run database statistics

Delete database records by date range

Manually delete all database records within a specific date range.

Perform maintenance during off-peak times. Reports, queries, and dashboards are not available during maintenance.

For option definitions, click ? in the interface.

1 Select Menu | Configuration | Report Server Settings.
2 From the Setting Categories menu, select Database Maintenance | Manual Maintenance.
3 From the Manual database maintenance by date range section, select one of these options:
  - Delete summary and detailed records
  - Delete summary records
  - Delete detailed records
4 Select the date range, then click Start.
5 When the Confirm Maintenance message appears, click Yes.
6 When the Maintenance Job Status message appears, click OK.

The database maintenance process is immediately queued.

Delete database records by log source

Delete database records for a specific log source when the data is no longer needed.

Perform maintenance during off-peak times. Reports, queries, and dashboards are not available during maintenance.

43 Content Security Reporter maintenance Maintain the database 5 For option definitions, click? in the interface. 1 Select Menu Configuration Report Server Settings. 2 From the Setting Categories menu, select Database Maintenance Manual Maintenance. 3 From the Manual database maintenance by log source section, select a log source from the drop down list. 4 Click Start. 5 When the Confirm Maintenance message appears, click Yes. 6 When the Maintenance Job Status message appears, click OK. The database maintenance process is immediately queued. Repopulate columns Repopulate custom and user defined columns to apply settings to existing database records. Perform maintenance during off peak times. Reports, queries, and dashboards are not available during maintenance. Substituting Specific IP Addresses example: Assume you have created a user defined column to substitute specific IP addresses with the custom string value test lab and now you have existing database records you want to apply to your created user defined column. Use the Repopulate Columns dialog box to repopulate the user defined columns. By repopulating the columns, the specified IP addresses in existing database records now appear with the custom string value test lab. In this scenario, you are able to: Identify which specific IP addresses to substitute. Apply the custom string value test lab to existing database records. Update database records by repopulating columns. For option definitions, click? in the interface. 1 Select Menu Configuration Report Server Settings. 2 From the Setting Categories menu, select Database Maintenance Manual Maintenance. 3 From the Custom and user defined columns section, click Repopulate Columns. 4 Configure the options for Custom columns and User defined columns, then click OK. 5 When the Confirm Maintenance message appears, click Yes. 6 When the Maintenance Job Status message appears, click OK. The re populate columns process is immediately queued. 

Rebuild indexes

Perform manual index rebuilding when you want to rebuild the indexes immediately.

Perform maintenance during off-peak times. During maintenance, the database and new queries and reports are not available.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select Database Maintenance Manual Maintenance.
3 From the Index Maintenance section, click Rebuild Indexes.
4 When the Confirm Maintenance message appears, click Yes.
5 When the Maintenance Job Status message appears, click OK.

The database maintenance process is queued immediately.

Run database statistics

View database statistics without performing maintenance.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select Database Maintenance Manual Maintenance.
3 Click Run Statistics.
4 When the Confirm Maintenance message appears, click Yes.
5 When the Maintenance Job Status message appears, click OK.

The database statistics process is immediately queued.

Manage database maintenance jobs

View and manage completed database maintenance jobs.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select Database Maintenance Status.
3 From the Actions menu, choose from these options:
  - Cancel: Stop Content Security Reporter from processing the selected database maintenance jobs.
  - Delete: Remove the selected database maintenance jobs from the Status list.
  - Delete All Completed Jobs: Remove all completed database maintenance jobs from the Status list.
  - Refresh: Update the Status list with current running database maintenance jobs.

Maintain the system

Schedule system maintenance tasks to run at a regular frequency and start time, or perform the tasks manually for immediate results.

Contents
  - Configure automated system maintenance jobs
  - Run manual system maintenance jobs
  - Manage system maintenance jobs

Configure automated system maintenance jobs

Configure the settings for when Content Security Reporter performs system maintenance jobs.

The report server is unavailable during scheduled system maintenance.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select System Maintenance.
3 Click Edit, and configure these options:
  - Schedule system maintenance: Set a time for when Content Security Reporter performs daily system maintenance.
  - Delete system status: Configure the age of system status information and server logs to delete during daily system maintenance.
4 Click Save.

Run manual system maintenance jobs

Manually run system maintenance jobs for immediate results.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select System Maintenance Manual Maintenance.
3 To delete system status, select a time range, then click Delete Now.
4 When the Maintenance Job Status message appears, click OK.

The database maintenance process is immediately queued.

Manage system maintenance jobs

View and manage all system maintenance jobs.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select System Maintenance Status.

3 From the Preset drop-down list, select which system maintenance jobs to view.
4 From the Actions menu, choose from these options:
  - Delete: Remove the selected system maintenance jobs from the Status list.
  - Delete All Completed Jobs: Remove all completed system maintenance jobs from the Status list.
  - Refresh: Update the Status list with current running system maintenance jobs.

Collect system information for troubleshooting

Should you require assistance with Content Security Reporter, generate a feedback file that contains system information that can be sent to McAfee Technical Support for troubleshooting purposes.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select Support.
3 Click Start.
4 When the Support message appears, click OK to continue.

A status message is generated when the file has been created. The feedback files are stored in the report server installation directory.

Upgrade

Upgrade to the latest version of the software.

Contents
  - Back up the current configuration
  - Upgrade the software
  - Update the database schema

Back up the current configuration

Back up system settings so you can restore configuration settings after upgrading the software, or move settings from one Content Security Reporter installation to another.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings System Backup.
2 From the Actions menu, click Backup Now.
  A message appears stating the client will not be able to communicate with the server until the system backup is done.
3 Click OK.

The backup process can take several minutes. A backup folder is created where is the time stamp. By default this folder is created in C:\Program Files\McAfee\Content Security Reporter\reporter\conf\. A backup.xml file is saved in the backup folder.

To create a backup file, wait until the file is created, then continue working without restoring it.

If you plan to use a backup file after uninstalling and re-installing Content Security Reporter, save the backup file to a location other than the Content Security Reporter installation directory.

Upgrade the software

Upgrade Content Security Reporter to the latest version.

1 Download the product files.
  a Start ePolicy Orchestrator.
  b Go to the McAfee Product Downloads page.
  c Under Download My Products, enter your grant number and click Go.
  d Download the Content Security Reporter installation executable and extension .zip files.
2 Upgrade the Content Security Reporter server. ePolicy Orchestrator can be active during this installation.
  a Log on to the operating system as an administrator.
  b Run the installation executable file you downloaded.
  c Follow the on-screen prompts to complete the installation.
3 Upgrade the extension.
  a In ePolicy Orchestrator, select Menu Software Extensions.
  b Click Install Extension.
  c Browse to CSR_20_with_Help.zip, then click OK.

A message appears with the extensions installed or upgraded as part of the Content Security Reporter extension pack.

Update the database schema

Update the database schema after upgrading the software.

The database schema is the definition of tables and fields used in the Content Security Reporter database. When Content Security Reporter detects that the database schema is out of date (such as after an upgrade), the database status is set to "Offline. Schema is out of date." and an Update Schema button is provided.

Depending on the size of your database, updating the database schema might take some time.

1 Select Menu Configuration Report Server Settings Database.
2 Click Update Schema.

The database status appears as Connected.

Uninstall Content Security Reporter

Use ePolicy Orchestrator to uninstall the Content Security Reporter extensions. Use the Microsoft Windows Control Panel to remove the report server software.

To remove Content Security Reporter, you must have administrator access rights.

Remove the report server

Remove the Content Security Reporter report server from ePolicy Orchestrator.

1 Select Menu Configuration Registered Servers.
2 Click Report Server, and select your configured server.
3 From the Action drop-down list, select Delete.

The configured report server is removed from the Registered Servers list.

Remove the extensions

Uninstall the Content Security Reporter extensions from ePolicy Orchestrator.

The Catalog Framework and Core catalog extensions are installed with Content Security Reporter, but may be in use by other products. You can choose to remove these extensions from McAfee Common Catalog.

1 Select Menu Software Extensions McAfee.
2 Select Help Content, then remove these extensions:
  - mcc_help
  - csr_help
3 Select Reporting, then remove the McAfee Content Security Reporter extension.

4 Select Shared Components, then remove these extensions: Analytics Common Catalog Plugin

Remove the software

Uninstall the Content Security Reporter report server software.

Before you begin
To remove Content Security Reporter, you must have administrator access rights.

1 In the Microsoft Windows Control Panel, select Programs and Features.
  You do not need to log off ePolicy Orchestrator to remove the Content Security Reporter software.
2 Select McAfee Content Security Reporter, and click Remove.

System backup

When a backup configuration file is created, Content Security Reporter automatically saves the report server settings, which can be used to restore Content Security Reporter to an earlier configuration.

The backup configuration file does not create a backup of any reports, queries, or ePolicy Orchestrator settings.

The saved configuration settings include:

| Settings | Description |
|---|---|
| Database connection settings | Saves the configuration settings that allow McAfee Content Security Reporter to communicate with the database. |
| Database maintenance settings | Saves scheduled database maintenance job settings and status messages. |
| General settings | Saves log source configuration and browse time settings. |
| Performance settings | Saves database and system performance settings. |
| System status message | Saves log parsing job history and database maintenance settings. |

Back up configuration settings

Create a backup file to restore configuration settings after upgrading the Content Security Reporter software, recover from a system failure, or move settings from one installation to another.

If you plan to use a backup file after uninstalling and re-installing Content Security Reporter, save the backup file to a location other than the Content Security Reporter installation directory.

For option definitions, click ? in the interface.

1 Select Menu Configuration Report Server Settings.
2 From the Setting Categories menu, select System Backup.
3 From the Actions menu, select Backup Now. When the System Backup message appears, click OK.

The backup process can take several minutes. A backup folder is created where is the time stamp. By default, the folder is created in C:\Program Files\McAfee\Content Security Reporter\reporter\conf\. A backup.xml file is saved in the backup folder.

To simply create a backup file, you can wait until the file is created, then continue working without restoring it.

Restore configuration settings

Restore the configuration settings to return to a previous state, or after the software is re-installed.

The backup folder and backup file must have read and write permissions for the same account running Content Security Reporter.

1 Close ePolicy Orchestrator.
  If you need to re-install the previous version of Content Security Reporter that you were running, use the Microsoft Windows Programs and Features to remove Content Security Reporter, and then re-install the previous version of Content Security Reporter.
2 Stop Content Security Reporter services.
3 Go to your backup folder (by default, C:\Program Files\McAfee\Content Security Reporter\reporter\conf\) to locate the backup file that was created.
  If a backup folder already exists, do not create a new one. Backup files generated by Content Security Reporter cannot be imported into
4 Copy the backup file from the backup folder to the backup folder in the conf directory.
  If you re-installed Content Security Reporter, copy these files and directories you backed up to the corresponding locations in the C:\Program Files\McAfee\Content Security Reporter\reporter\ directory:
  - .../conf/
  - .../mysql/var/reporting/
  - .../docs/
5 Restart Content Security Reporter.
6 Log on to ePolicy Orchestrator.
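The advice above to keep the backup file outside the installation directory can be scripted; the following PowerShell is an added example, not McAfee's code. It copies the newest backup.xml found under the conf directory, checks that it parses as XML and that the copy's SHA-256 matches, and lists broad ACL entries on the copy, which matters because the file holds database connection settings. The function name Save-CsrBackup, the destination folder, the .sha256 sidecar file and the demo tree are assumptions.

```powershell
# Added example: not part of the product guide.
function Save-CsrBackup {
    param(
        [Parameter(Mandatory)] [string] $InstallDir,  # Content Security Reporter installation directory
        [Parameter(Mandatory)] [string] $DestRoot     # assumption: storage outside the installation directory
    )
    $install = (Resolve-Path -LiteralPath $InstallDir).Path.TrimEnd('\')
    New-Item -ItemType Directory -Path $DestRoot -Force | Out-Null
    $dest = (Resolve-Path -LiteralPath $DestRoot).Path.TrimEnd('\')

    # A copy kept inside the installation directory does not survive an uninstall and re-install.
    if (($dest + '\').StartsWith($install + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Destination '$dest' is inside the installation directory."
    }

    # The guide's default location of the backup folders is reporter\conf.
    $conf = Join-Path $install 'reporter\conf'
    $latest = Get-ChildItem -LiteralPath $conf -Recurse -File -Filter 'backup.xml' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { throw "No backup.xml found under '$conf'." }

    # A file that is still being written or was truncated fails this cast.
    $null = [xml](Get-Content -LiteralPath $latest.FullName -Raw)

    # Keep the backup folder name so the copy can be matched to its origin later.
    $targetDir = Join-Path $dest $latest.Directory.Name
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
    $copy = Copy-Item -LiteralPath $latest.FullName -Destination $targetDir -PassThru

    $srcHash = (Get-FileHash -LiteralPath $latest.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw 'Copied file does not match the source file.' }
    Set-Content -LiteralPath (Join-Path $targetDir 'backup.xml.sha256') -Value "$dstHash  backup.xml"

    # Report allow entries for broad groups (English group names assumed).
    $broad = @((Get-Acl -LiteralPath $copy.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
        } |
        ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]@{
        Source      = $latest.FullName
        Copy        = $copy.FullName
        Sha256      = $dstHash
        BroadAccess = $broad
    }
}

# Demo on a constructed tree under %TEMP%; folder name and file content are made up.
$root    = Join-Path $env:TEMP ('csr-demo-' + [guid]::NewGuid())
$install = Join-Path $root 'Content Security Reporter'
$bkDir   = Join-Path $install 'reporter\conf\backup-EXAMPLE'   # placeholder folder name
New-Item -ItemType Directory -Path $bkDir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $bkDir 'backup.xml') -Value '<settings><placeholder/></settings>'
Save-CsrBackup -InstallDir $install -DestRoot (Join-Path $root 'offbox') | Format-List
```

Before a restore, recompute the hash of the stored copy and compare it with the value in backup.xml.sha256; a non-empty BroadAccess list means the destination folder's permissions should be tightened.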

A Auto-discover log formats

Content Security Reporter supports some auto-discover log formats. However, some modifications to the log file headers may be necessary to correctly parse the data.

The following tables provide necessary header modifications for the available auto-discover log formats:
  - Blue Coat
  - McAfee Web Gateway

This table provides information on Blue Coat log file headers used in Content Security Reporter and the necessary modifications to correctly parse the data. Some cells remain intentionally empty.

Table A-1 Blue Coat header formats

| Format in extended log file | Custom | Content policy language | Description |
|---|---|---|---|
| c-ip | %a | | IP address of the client. |
| cs-bytes | | | Number of bytes sent from client to appliance. |
| cs-categories | | | All content categories of the request URL. |
| cs-categories-bluecoat | | | All content categories of the request URL that are defined by Blue Coat Web Filter. |
| cs-categories-external | | | All content categories of the request URL that are defined by an external service. |
| cs-categories-local | | | All content categories of the request URL that are defined by a local database. |
| cs-categories-policy | | | All content categories of the request URL that are defined by CPL. |
| cs-categories-provider | | | All content categories of the request URL that are defined by the current third-party provider. |
| cs-categories-qualified | | | All content categories of the request URL, qualified by the provider of the category. |
| cs-category | | | Single content category of the request URL (such as sc-filter-category). |

Table A-1 Blue Coat header formats (continued)

| Format in extended log file | Custom | Content policy language | Description |
|---|---|---|---|
| cs-host | %v | | Host name from the client's request URL. If URL rewrite policies are used, this field's value is derived from the log URL. |
| cs-method | | | Request method used from client to appliance. |
| cs-request-line | | | First line of the client's request. |
| c-dns | %h | | Host name of the client (using the client's IP address to avoid reverse DNS). |
| cs-uri | | url | Original URL requested |
| cs-uri | | log_url | The log URL |
| cs-uri-address | | url.address | IP address from the original URL requested. DNS is used if the URL is expressed as a host name |
| cs-uri-address | | log_url.address | IP address from the log URL. DNS is used if URL uses a host name |
| cs-uri-categories | | | All content categories of the request URL. |
| cs-uri-categories-bluecoat | | | All content categories of the request URL that are defined by Blue Coat Web Filter. |
| cs-uri-categories-external | | | All content categories of the request URL that are defined by an external service. |
| cs-uri-categories-local | | | All content categories of the request URL that are defined by a local database. |
| cs-uri-categories-policy | | | All content categories of the request URL that are defined by CPL. |
| cs-uri-categories-provider | | | All content categories of the request URL that are defined by the current third-party provider. |
| cs-uri-categories-qualified | | | All content categories of the request URL, qualified by the provider of the category. |
| cs-uri-category | | | Single content category of the request URL (such as sc-filter-category). |

Table A-1 Blue Coat header formats (continued)

| Format in extended log file | Custom | Content policy language | Description |
|---|---|---|---|
| cs-uri-host | | url.host | Host name from the original URL requested |
| cs-uri-host | | log_url.host | Host name from the log URL |
| cs-uri-hostname | | url.hostname | Host name from the original URL requested. RDNS is used if the URL is expressed as an IP address |
| cs-uri-hostname | | log_url.hostname | Host name from the log URL. RDNS is used if the URL uses an IP address |
| cs-uri-path | blank | url.path | Path of the original URL requested without query |
| cs-uri-path | %U | blank | Path from the log URL without query |
| cs-uri-pathquery | | url.pathquery | Path and query of the original URL requested |
| cs-uri-pathquery | | log_url.pathquery | Path and query from the log URL |
| cs-uri-port | | url.port | Port from the original URL requested |
| cs-uri-port | | log_url.port | Port from the log URL |
| cs-uri-query | blank | url.query | Query from the original URL requested |
| cs-uri-query | %Q | blank | Query from the log URL |
| cs-uri-scheme | | url.scheme | Scheme of the original URL requested |
| cs-uri-scheme | | log_url.scheme | Scheme from the log URL |
| cs-uri-stem | | | Stem of the original URL requested. Stem from the log URL. The stem includes everything up to the end path, but does not include the query. |
| cs-user | %u | | Qualified user name for NTLM; relative user name for other protocols. |
| cs-userdn | | | Full user name of a client authenticated to the proxy (fully distinguished). |